Windows Analysis Report
WinSitu-5.7.8.0.msi

Overview

General Information

Sample name: WinSitu-5.7.8.0.msi
Analysis ID: 1545012
MD5: 7bbc1c706fa3dc23782db860555f1cda
SHA1: a7597fb7d007a4b82d8626c25bcbed2b5d28d1ed
SHA256: 7c52536c77cc7a3ebea7273084d70305349503e84649682c3ead73317a775ef3

Detection

Score: 36
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Infects executable files (exe, dll, sys, html)
Sample is not signed and drops a device driver
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Msiexec Execute Arbitrary DLL
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)

Classification

Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\Software License.rtf
Source: Binary string: d:\difx\source\base\pnp\dfx\dpinst\obj\amd64\DpInst.pdb source: DPInstx64.exe.1.dr
Source: Binary string: c:\develo~1\cdm\coinst\ftcserco\objfre_wnet_amd64\amd64\ftcserco.pdb source: ftcserco.dll0.1.dr
Source: Binary string: C:\legacysoftware\WinSitu Desktop\Code\Release\ParseVuSituDataFileDll.pdb** source: ParseVuSituDataFileDll.dll.1.dr
Source: Binary string: c:\develo~1\cdm\coinst\ftcserco\objfre_wnet_x86\i386\ftcserco.pdb source: ftcserco.dll.1.dr
Source: Binary string: c:\Development\CDM\d2xxdll\Release\FTD2XX.pdb source: ftd2xx.dll.1.dr
Source: Binary string: c:\develo~1\cdm\coinst\ftcserco\objfre_wnet_amd64\amd64\ftcserco.pdbH source: ftcserco.dll0.1.dr
Source: Binary string: C:\legacysoftware\WinSitu Desktop\Code\Release\ParseVuSituDataFileDll.pdb source: ParseVuSituDataFileDll.dll.1.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\mfc140u.i386.pdb source: mfc140u.dll.1.dr
Source: Binary string: c:\Users\waynekp\Documents\Visual Studio 2005\Projects\USBInst\code\Release\USBInst.pdb source: USBInst.exe, 00000007.00000000.2532713732.0000000000434000.00000002.00000001.01000000.00000004.sdmp, USBInst.exe, 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: d:\difx\source\base\pnp\dfx\dpinst\obj\amd64\DpInst.pdb8 source: DPInstx64.exe.1.dr

Spreading

Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\mfcm140u.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\mfc140.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\mfc140u.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\mfcm140.dll
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_0040F0B4 __EH_prolog3,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 7_2_0040F0B4
Source: ParseVuSituDataFileDll.dll.1.dr String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd
Source: MSIB1C3.tmp.1.dr String found in binary or memory: http://www.in-situ.com/Support
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_00408B41 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW, 7_2_00408B41
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftdibus.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6bacb2.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{77911F23-6E44-405E-BC55-34D549DB64B2}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB1C3.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140u.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfcm140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfcm140u.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\concrt140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\vcruntime140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\msvcp140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\vccorlib140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77911F23-6E44-405E-BC55-34D549DB64B2}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77911F23-6E44-405E-BC55-34D549DB64B2}\_853F67D554F05449430E7E.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77911F23-6E44-405E-BC55-34D549DB64B2}\_288987BFEB08B712E2C981.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77911F23-6E44-405E-BC55-34D549DB64B2}\_A89184D00202F7F1765B04.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77911F23-6E44-405E-BC55-34D549DB64B2}\_9512E0AD78DB887D16D994.exe
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_0040A308 7_2_0040A308
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_0042F020 7_2_0042F020
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_0041E1C9 7_2_0041E1C9
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_004201F0 7_2_004201F0
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_0042E41E 7_2_0042E41E
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_004274A9 7_2_004274A9
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_0041E59D 7_2_0041E59D
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_00424719 7_2_00424719
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_004307EA 7_2_004307EA
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_0042E960 7_2_0042E960
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_0041E9A9 7_2_0041E9A9
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_0041DCF6 7_2_0041DCF6
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_0041EDC9 7_2_0041EDC9
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_0042DEDC 7_2_0042DEDC
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: String function: 0040BF96 appears 31 times
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: String function: 0041F7C1 appears 137 times
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: String function: 0042018C appears 50 times
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: String function: 0041F7F4 appears 39 times
Source: USBInst.exe.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: classification engine Classification label: sus36.spre.winMSI@6/112@0/0
Source: LogoVerificationReport.pdf.1.dr Initial sample: http://winqual.microsoft.com
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_00405F11 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3_catch,FindResourceW,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource, 7_2_00405F11
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\Documents\WinSitu Data
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DFE080A742D8EFE46F.TMP
Source: Yara match File source: C:\Program Files (x86)\InSitu\WinSitu\iPlotLibrary.ocx, type: DROPPED
Source: C:\Windows\System32\msiexec.exe File read: C:\Windows\win.ini
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Key opened: HKEY_USERS\S-1-5-18\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\WinSitu-5.7.8.0.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\InSitu\WinSitu\iPlotLibrary.ocx"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe "C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe"
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: oleacc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: riched20.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: usp10.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msls31.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iopc2.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: olepro32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sxs.dll
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Section loaded: oledlg.dll
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Section loaded: textshaping.dll
Source: Win-Situ 5.lnk.1.dr LNK file: ..\..\..\Windows\Installer\{77911F23-6E44-405E-BC55-34D549DB64B2}\_A89184D00202F7F1765B04.exe
Source: Win-Situ 5.lnk0.1.dr LNK file: ..\..\..\..\..\..\Windows\Installer\{77911F23-6E44-405E-BC55-34D549DB64B2}\_9512E0AD78DB887D16D994.exe
Source: Win-Situ 5 Release Notes.lnk.1.dr LNK file: ..\..\..\..\..\..\Windows\Installer\{77911F23-6E44-405E-BC55-34D549DB64B2}\_288987BFEB08B712E2C981.exe
Source: C:\Windows\System32\msiexec.exe Automated click: Next >
Source: C:\Windows\System32\msiexec.exe Automated click: I Agree
Source: C:\Windows\System32\msiexec.exe Automated click: Next >
Source: C:\Windows\System32\msiexec.exe Automated click: Next >
Source: C:\Windows\System32\msiexec.exe Automated click: Next >
Source: Window Recorder Window detected: More than 3 window changes detected
Source: WinSitu-5.7.8.0.msi Static file information: File size 36761088 > 1048576
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_00429D42 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__invoke_watson,GetProcAddress,GetProcAddress,__invoke_watson, 7_2_00429D42
Source: mfc140.dll.1.dr Static PE information: section name: .didat
Source: mfc140u.dll.1.dr Static PE information: section name: .didat
Source: DPInstx86.exe.1.dr Static PE information: section name: Shared
Source: DPInstx64.exe.1.dr Static PE information: section name: Shared
Source: ftser2k.sys.1.dr Static PE information: section name: PAGESRP0
Source: ftser2k.sys.1.dr Static PE information: section name: PAGESER
Source: vcruntime140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536.1.dr Static PE information: section name: _RDATA
Source: msvcp140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536.1.dr Static PE information: section name: .didat
Source: vccorlib140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536.1.dr Static PE information: section name: minATL
Source: ftser2k.sys0.1.dr Static PE information: section name: PAGESRP0
Source: ftser2k.sys0.1.dr Static PE information: section name: PAGESER
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_004201D1 push ecx; ret 7_2_004201E4
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_0041F899 push ecx; ret 7_2_0041F8AC

Persistence and Installation Behavior

Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftser2k.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftser2k.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftdibus.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftlang.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftcserco.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\iPlotLibrary.ocx
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\ftd2xx.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\ParseVuSituDataFileDll.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\InSitu\PostLevelCorrection.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\DPInstx86.exe
Source: C:\Windows\System32\msiexec.exe File created: 6bacb7.rbf (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftbusui.dll
Source: C:\Windows\System32\msiexec.exe File created: 6bacb4.rbf (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftserui2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\WinSitu.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftbusui.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftserui2.dll
Source: C:\Windows\System32\msiexec.exe File created: 6bacb5.rbf (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftlang.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftd2xx64.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftcserco.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\InSitu\LowFlow.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\DPInstx64.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftd2xx.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\DPInst.exe
Source: C:\Windows\System32\msiexec.exe File created: 6bacb6.rbf (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\In-Situ Inc
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\In-Situ Inc\Win-Situ 5 Release Notes.lnk Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\In-Situ Inc\Win-Situ 5.lnk Jump to behavior
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_00401380 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 7_2_00401380
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_00406358 MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect, 7_2_00406358
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftlang.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\iPlotLibrary.ocx
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftcserco.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\ftd2xx.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\ParseVuSituDataFileDll.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftser2k.sys
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm140u.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\InSitu\PostLevelCorrection.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\DPInstx86.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 6bacb7.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\vcruntime140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftser2k.sys
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\vccorlib140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140u.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftbusui.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 6bacb4.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftserui2.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\WinSitu.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftbusui.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftserui2.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 6bacb5.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftlang.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\msvcp140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftdibus.sys
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftd2xx64.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftcserco.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftdibus.sys
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\InSitu\LowFlow.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\DPInstx64.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm140.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\concrt140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftd2xx.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\DPInst.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 6bacb6.rbf (copy)
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe API coverage: 6.7 %
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_0040F0B4 __EH_prolog3,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 7_2_0040F0B4
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_0042166F VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 7_2_0042166F
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_0041D7E4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_0041D7E4
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_00429D42 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__invoke_watson,GetProcAddress,GetProcAddress,__invoke_watson, 7_2_00429D42
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_0041D5FB GetStartupInfoW,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,___crtGetCommandLineW,___crtGetEnvironmentStringsW,__wsetargv,__amsg_exit,__wsetenvp,__amsg_exit,__cinit,__amsg_exit,__wwincmdln, 7_2_0041D5FB
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_0042838B _raise,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_0042838B
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_00421869 SetUnhandledExceptionFilter, 7_2_00421869
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_00423BAF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00423BAF
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\InSitu\WinSitu\iPlotLibrary.ocx"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe "C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe"
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_0042AE9C cpuid 7_2_0042AE9C
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: _wcscpy_s,__snprintf_s,GetLocaleInfoW,PathFindFileNameW,GetModuleHandleW,GetProcAddress,LoadLibraryExW, 7_2_00402FD2
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 7_2_0043157C
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: GetLocaleInfoA, 7_2_0042CEFB
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_004229D2 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 7_2_004229D2
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_004294E3 __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 7_2_004294E3
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe Code function: 7_2_00403264 __EH_prolog3,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,ConvertDefaultLocale,ConvertDefaultLocale,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale,GetModuleFileNameW,GetVersion,RegOpenKeyExW,RegQueryValueExW,_sscanf,ConvertDefaultLocale,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale,RegCloseKey,GetModuleHandleW,EnumResourceLanguagesW,ConvertDefaultLocale,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale, 7_2_00403264
No contacted IP infos