Windows Analysis Report
AccessDatabaseuser.exe

Overview

General Information

Sample name: AccessDatabaseuser.exe
Analysis ID: 1591991
MD5: 46b666e01d7ea03bc65ec5e1249f7d4b
SHA1: 0aa027c5d00ca67dd85eafeeb7ab245226331823
SHA256: 86fecfce83469b3f40ee93e0b54f433209c2bf5626d7f475761024e3f2d4a324

Detection

Score: 0
Range: 0 - 100
Whitelisted: true
Confidence: 100%

Compliance

Score: 48
Range: 0 - 100

Signatures

Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Compliance

Source: AccessDatabaseuser.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: AccessDatabaseuser.exe Static PE information: certificate valid
Source: C:\Windows\System32\msiexec.exe File opened: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcr90.dll
Source: AccessDatabaseuser.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: o\x86\ship\0\mso.dll\scpobfu\mso.pdb source: MSO.DLL.2.dr
Source: Binary string: t:\ace\x86\ship\0\aceodbc.pdb6\ship\0\aceodbc.dll\bbtopt\aceodbcO.pdb source: ACEODBC.DLL.2.dr
Source: Binary string: hip\0\opatchinst.exe\bbtopt\opatchinstO.pdb source: AccessDatabaseuser.exe
Source: Binary string: t:\ses\x86\ship\0\opatchinst.pdb source: AccessDatabaseuser.exe
Source: Binary string: t:\mso\x86\ship\0\mso.pdb source: MSO.DLL.2.dr
Source: Binary string: t:\ace\x86\ship\0\aceodbc.pdb source: ACEODBC.DLL.2.dr
Source: Binary string: t:\ace\x86\ship\0\aceoledb.pdb source: ACEOLEDB.DLL.2.dr
Source: Binary string: t:\mso\x86\ship\0\mso.pdbo\x86\ship\0\mso.dll\scpobfu\mso.pdb)Z source: MSO.DLL.2.dr
Source: Binary string: t:\ses\x86\ship\0\opatchinst.pdbhip\0\opatchinst.exe\bbtopt\opatchinstO.pdb source: AccessDatabaseuser.exe
Source: Binary string: D:\office\Target\msishared\x86\ship\0\CustomActions\ocfxca.PDBzy source: MSI127D.tmp.0.dr
Source: Binary string: \ship\0\aceoledb.dll\bbtopt\aceoledbO.pdb source: ACEOLEDB.DLL.2.dr
Source: Binary string: t:\ace\x86\ship\0\aceoledb.pdb\ship\0\aceoledb.dll\bbtopt\aceoledbO.pdb source: ACEOLEDB.DLL.2.dr
Source: Binary string: 6\ship\0\aceodbc.dll\bbtopt\aceodbcO.pdb source: ACEODBC.DLL.2.dr
Source: Binary string: D:\office\Target\msishared\x86\ship\0\CustomActions\mainca.PDB source: MSI547B.tmp.2.dr
Source: Binary string: D:\office\Target\msishared\x86\ship\0\CustomActions\ocfxca.PDB source: MSI127D.tmp.0.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, c:, a:
Source: global traffic TCP traffic: 192.168.2.6:57101 -> 1.1.1.1:53
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: Yara match File source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSO.DLL, type: DROPPED
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\594d15.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI51B9.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{90140000-00D1-0409-0000-0000000FF1CE}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI541B.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI542C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI547B.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5612.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\assembly\GACLock.dat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\assembly\tmp\T50LY6O0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\assembly\tmp\T50LY6O0\Microsoft.Office.interop.access.dao.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\assembly\GACLock.dat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\assembly\tmp\9Y4YXQIY
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\assembly\tmp\9Y4YXQIY\NGBHLPX0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\assembly\tmp\9Y4YXQIY\Policy.12.0.Microsoft.Office.Interop.Access.Dao.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20250115102131238.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20250115102131238.0\9.0.30729.4148.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e.manifest
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcm90.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcp90.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcr90.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20250115102131238.0\9.0.30729.4148.policy
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6F58.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\594d17.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\assembly\GACLock.dat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\assembly\pubpol181.dat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\assembly\GACLock.dat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\assembly\pubpol182.dat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\assembly\GACLock.dat
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI51B9.tmp
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: 0_2_2D39CFE2 0_2_2D39CFE2
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: 0_2_2D39BE63 0_2_2D39BE63
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: 0_2_2D39E160 0_2_2D39E160
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: 0_2_2D3939EF 0_2_2D3939EF
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: 0_2_2D39C8EB 0_2_2D39C8EB
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: 0_2_2D39C3A7 0_2_2D39C3A7
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: String function: 2D385E3A appears 92 times
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: String function: 2D38F7B1 appears 64 times
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: String function: 2D392906 appears 35 times
Source: MSOINTL.DLL.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: MSOINTL.DLL.2.dr Static PE information: Resource name: None type: basic-16 executable not stripped
Source: MSOINTL.DLL.2.dr Static PE information: Resource name: None type: DitPack archive data
Source: MSOINTL.DLL.2.dr Static PE information: Resource name: None type: iAPX 286 executable large model (COFF) not stripped
Source: MSOINTL.DLL.2.dr Static PE information: Resource name: None type: unknown readable demand paged pure executable
Source: MSOINTL.DLL.2.dr Static PE information: Resource name: None type: ARC archive data, uncompressed
Source: MSOINTL.DLL.2.dr Static PE information: Resource name: None type: DitPack archive data
Source: MSOINTL.DLL.2.dr Static PE information: Resource name: None type: iAPX 286 executable large model (COFF) not stripped
Source: MSOINTL.DLL.2.dr Static PE information: Resource name: None type: 68k Blit mpx/mux executable
Source: MSI547B.tmp.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ACERECR.DLL.2.dr Static PE information: No import functions for PE file found
Source: STSLISTI.DLL.2.dr Static PE information: No import functions for PE file found
Source: MSOINTL.DLL.2.dr Static PE information: No import functions for PE file found
Source: MSOINTL.REST.IDX_DLL.2.dr Static PE information: No import functions for PE file found
Source: MSOINTL.DLL.IDX_DLL.2.dr Static PE information: No import functions for PE file found
Source: OFFICE.ODF.2.dr Static PE information: No import functions for PE file found
Source: AccessDatabaseuser.exe, 00000000.00000002.2508490056.000000002D3AD000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs AccessDatabaseuser.exe
Source: AccessDatabaseuser.exe Binary or memory string: OriginalFilename vs AccessDatabaseuser.exe
Source: STSLISTI.DLL.2.dr Static PE information: Section .rsrc
Source: classification engine Classification label: clean6.winEXE@8/72@0/0
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: 0_2_2D387E35 GetDiskFreeSpaceExA, 0_2_2D387E35
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: 0_2_2D373001 CLSIDFromProgID,CoCreateInstance, 0_2_2D373001
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: 0_2_2D37EC30 FindResourceA,GetLastError,__CxxThrowException@8,LoadResource,LockResource,SysAllocString, 0_2_2D37EC30
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe File created: C:\Program Files (x86)\MSECache\AceRedist
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe File created: C:\Users\user\AppData\Local\Temp\Microsoft Access Database user 2010 (0).log
Source: AccessDatabaseuser.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe File read: C:\Users\user\Desktop\AccessDatabaseuser.exe
Source: unknown Process created: C:\Users\user\Desktop\AccessDatabaseuser.exe "C:\Users\user\Desktop\AccessDatabaseuser.exe"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6DCFC73376ADDBA52990B232DF33C952 C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E0883EF17785BDC605A083E905F940CD
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A0E0FCCBD52B915BB5099AA028D1FC6F E Global\MSI0000
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Section loaded: apphelp.dll, version.dll, uxtheme.dll, kernel.appcore.dll, cabinet.dll, msxml3.dll, windows.storage.dll, wldp.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, textshaping.dll, msi.dll, srpapi.dll, tsappcmp.dll, propsys.dll, netapi32.dll, wkscli.dll, netutils.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, gpapi.dll, mscoree.dll, profapi.dll, sspicli.dll, msihnd.dll, dwmapi.dll, pcacli.dll, mpr.dll, sxs.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, windowscodecs.dll, oleacc.dll, riched20.dll, usp10.dll, msls31.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2933BF90-7B36-11D2-B20E-00C04F983E60}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Automated click: Next >
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Automated click: I accept the terms in the License Agreement
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Automated click: Next >
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Automated click: Install
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Automated click: OK
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: AccessDatabaseuser.exe Static PE information: certificate valid
Source: initial sample Static PE information: Valid certificate with Microsoft Issuer
Source: AccessDatabaseuser.exe Static file information: File size 26557232 > 1048576
Source: C:\Windows\System32\msiexec.exe File opened: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcr90.dll Jump to behavior
Source: AccessDatabaseuser.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: AccessDatabaseuser.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: AccessDatabaseuser.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: AccessDatabaseuser.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: AccessDatabaseuser.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: AccessDatabaseuser.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: AccessDatabaseuser.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: AccessDatabaseuser.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: o\x86\ship\0\mso.dll\scpobfu\mso.pdb source: MSO.DLL.2.dr
Source: Binary string: t:\ace\x86\ship\0\aceodbc.pdb6\ship\0\aceodbc.dll\bbtopt\aceodbcO.pdb source: ACEODBC.DLL.2.dr
Source: Binary string: hip\0\opatchinst.exe\bbtopt\opatchinstO.pdb source: AccessDatabaseuser.exe
Source: Binary string: t:\ses\x86\ship\0\opatchinst.pdb source: AccessDatabaseuser.exe
Source: Binary string: t:\mso\x86\ship\0\mso.pdb source: MSO.DLL.2.dr
Source: Binary string: t:\ace\x86\ship\0\aceodbc.pdb source: ACEODBC.DLL.2.dr
Source: Binary string: t:\ace\x86\ship\0\aceoledb.pdb source: ACEOLEDB.DLL.2.dr
Source: Binary string: t:\mso\x86\ship\0\mso.pdbo\x86\ship\0\mso.dll\scpobfu\mso.pdb)Z source: MSO.DLL.2.dr
Source: Binary string: t:\ses\x86\ship\0\opatchinst.pdbhip\0\opatchinst.exe\bbtopt\opatchinstO.pdb source: AccessDatabaseuser.exe
Source: Binary string: D:\office\Target\msishared\x86\ship\0\CustomActions\ocfxca.PDBzy source: MSI127D.tmp.0.dr
Source: Binary string: \ship\0\aceoledb.dll\bbtopt\aceoledbO.pdb source: ACEOLEDB.DLL.2.dr
Source: Binary string: t:\ace\x86\ship\0\aceoledb.pdb\ship\0\aceoledb.dll\bbtopt\aceoledbO.pdb source: ACEOLEDB.DLL.2.dr
Source: Binary string: 6\ship\0\aceodbc.dll\bbtopt\aceodbcO.pdb source: ACEODBC.DLL.2.dr
Source: Binary string: D:\office\Target\msishared\x86\ship\0\CustomActions\mainca.PDB source: MSI547B.tmp.2.dr
Source: Binary string: D:\office\Target\msishared\x86\ship\0\CustomActions\ocfxca.PDB source: MSI127D.tmp.0.dr
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: 0_2_2D38784B LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_2D38784B
Source: STSLIST.DLL.2.dr Static PE information: section name: .rtext
Source: ACEES.DLL.2.dr Static PE information: section name: .rtext
Source: ACEEXCH.DLL.2.dr Static PE information: section name: CURSORS
Source: ACEEXCH.DLL.2.dr Static PE information: section name: BASE
Source: EXPSRV.DLL.2.dr Static PE information: section name: user
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: 0_2_2D39294B push ecx; ret 0_2_2D39295E
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: 0_2_2D38F889 push ecx; ret 0_2_2D38F89C
Source: msvcr90.dll.2.dr Static PE information: section name: .text entropy: 6.922045894978299
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe File created: C:\Users\user\AppData\Local\Temp\MSI127D.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODEXL.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEREP.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI51B9.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Microsoft Office\Office14\STSLIST.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\EXP_XPS.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODBC.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACERCLR.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEWSS.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEXBE.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACERECR.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\Source user\OSE.EXE Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\STSLISTI.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACECORE.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEOLEDB.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\assembly\tmp\T50LY6O0\Microsoft.Office.interop.access.dao.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcp90.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\VBAJET32.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEDAO.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI542C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACEODBCI.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6F58.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\EXP_PDF.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5612.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEEXCH.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcr90.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACEINTL.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcm90.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEEXCL.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSORES.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACETXT.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.REST.IDX_DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEWDAT.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACEWSTR.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI547B.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEERR.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODDBS.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\assembly\tmp\9Y4YXQIY\Policy.12.0.Microsoft.Office.Interop.Access.Dao.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACER3X.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEES.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.DLL.IDX_DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODTXT.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\EXPSRV.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSO.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6F58.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5612.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcr90.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI51B9.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcm90.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI547B.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\assembly\tmp\9Y4YXQIY\Policy.12.0.Microsoft.Office.Interop.Access.Dao.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\assembly\tmp\T50LY6O0\Microsoft.Office.interop.access.dao.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcp90.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI542C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF Jump to dropped file
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: 0_2_2D388222 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_2D388222
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI127D.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODEXL.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEREP.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI51B9.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office14\STSLIST.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\EXP_XPS.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODBC.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACERCLR.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEWSS.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEXBE.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACERECR.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\Source user\OSE.EXE Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office14\1033\STSLISTI.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACECORE.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEOLEDB.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\assembly\tmp\T50LY6O0\Microsoft.Office.interop.access.dao.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcp90.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\VBAJET32.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEDAO.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI542C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACEODBCI.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI6F58.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\EXP_PDF.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI5612.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEEXCH.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcr90.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACEINTL.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20250115102131222.0\msvcm90.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEEXCL.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSORES.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACETXT.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.REST.IDX_DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\ACEWSTR.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEWDAT.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI547B.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEERR.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\assembly\tmp\9Y4YXQIY\Policy.12.0.Microsoft.Office.Interop.Access.Dao.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODDBS.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACER3X.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEES.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\ACEODTXT.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033\MSOINTL.DLL.IDX_DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\EXPSRV.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSO.DLL Jump to dropped file
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: MSO.DLL.2.dr Binary or memory string: Whgfse
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: 0_2_2D38F7A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_2D38F7A3
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: 0_2_2D38784B LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_2D38784B
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: 0_2_2D38EBE3 GetProcessHeap,HeapFree, 0_2_2D38EBE3
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: 0_2_2D3970F3 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_2D3970F3
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: 0_2_2D38F26F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_2D38F26F
Source: MSO.DLL.2.dr Binary or memory string: Shell_TrayWnd
Source: AccessDatabaseuser.exe, 00000000.00000002.2506753423.00000000035D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: RemoveProgManItems
Source: AccessDatabaseuser.exe, 00000000.00000002.2506753423.00000000035D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CreateProgManItems
Source: AccessDatabaseuser.exe, 00000000.00000003.2151144618.0000000001178000.00000004.00000020.00020000.00000000.sdmp, AccessDatabaseuser.exe, 00000000.00000003.2151282677.0000000001189000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Removing Program Manager items
Source: AccessDatabaseuser.exe, 00000000.00000002.2506753423.00000000035D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Removing Program Manager items|
Source: AccessDatabaseuser.exe, 00000000.00000003.2151144618.0000000001178000.00000004.00000020.00020000.00000000.sdmp, AccessDatabaseuser.exe, 00000000.00000003.2151282677.0000000001189000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Creating Program Manager itemsde
Source: AccessDatabaseuser.exe, 00000000.00000002.2506753423.00000000035D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Creating Program Manager itemsI
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: GetLocaleInfoA, 0_2_2D39DD43
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\Windows\assembly\tmp\T50LY6O0\Microsoft.Office.interop.access.dao.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\Windows\assembly\tmp\9Y4YXQIY\Policy.12.0.Microsoft.Office.Interop.Access.Dao.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Access.Dao\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Access.Dao.dll VolumeInformation
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: 0_2_2D39295F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_2D39295F
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Code function: 0_2_2D382FF7 _memset,GetVersionExA,GetVersionExA,GetVersionExA,GetLastError,__CxxThrowException@8,GetSystemDefaultLangID,GetUserDefaultLangID,GetModuleFileNameW, 0_2_2D382FF7
Source: C:\Users\user\Desktop\AccessDatabaseuser.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos