Malware analysis ecsinstallnewplayer.msi Malicious activity

Add for printing

File name:	ecsinstallnewplayer.msi
Full analysis:	https://app.any.run/tasks/2c81ba8b-2d16-4a78-b188-ae29413e8454
Verdict:	Malicious activity
Analysis date:	July 09, 2019, 12:06:08
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Code page: 1252, Last Printed: Wed Aug 27 21:05:16 2014, Title: Marlin ECS, Subject: Marlin ECS, Author: The Marlin Company, Comments: Marlin ECS, Template: Intel;1033, Last Saved By: prajagopalan, Revision Number: {AC11ED4A-4E79-4D7D-B013-43E00D69DA1E}, Last Saved Time/Date: Wed Aug 27 21:06:17 2014, Number of Pages: 200, Number of Words: 2, Security: 1
MD5:	68E8AFE1FB6FA8C5E8794F8A2BF35D42
SHA1:	3E4258E9B876A0F4031F089C7726891BA4DD655A
SHA256:	E4AFE24302B07EF5771C7A4A90D71A254FE9FE5423506A8C4691D299F252DA70
SSDEEP:	196608:Au6wIxGFfInpnkhxjT5aXN4QS/gT1DY6egzcXqVQnLu7:swYGFfbzT504h/oFY/yVQnLu7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - ppview97.exe (PID: 3176)
  - WD97VW32.EXE (PID: 3824)
- Application was dropped or rewritten from another process
  - ppview97.exe (PID: 3176)
  - acmsetup.EXE (PID: 1356)
  - WD97VW32.EXE (PID: 3824)
  - acmsetup.EXE (PID: 2628)
  - InstallECSSoftwareAutoUpdater.exe (PID: 2120)
  - ecssoftwareautoupdater.exe (PID: 968)
- Loads dropped or rewritten executable
  - acmsetup.EXE (PID: 1356)
  - InstallECSSoftwareAutoUpdater.exe (PID: 2120)
  - ecssoftwareautoupdater.exe (PID: 968)
- Writes to a start menu file
  - ecssoftwareautoupdater.exe (PID: 968)
SUSPICIOUS
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 916)
  - ppview97.exe (PID: 3176)
  - ntvdm.exe (PID: 2992)
  - acmsetup.EXE (PID: 1356)
  - WD97VW32.EXE (PID: 3824)
  - InstallECSSoftwareAutoUpdater.exe (PID: 2120)
  - ntvdm.exe (PID: 3212)
- Executed via COM
  - DrvInst.exe (PID: 2900)
- Creates files in the Windows directory
  - msiexec.exe (PID: 916)
  - acmsetup.EXE (PID: 1356)
- Creates files in the user directory
  - msiexec.exe (PID: 916)
  - ecssoftwareautoupdater.exe (PID: 968)
  - InstallECSSoftwareAutoUpdater.exe (PID: 2120)
- Changes the desktop background image
  - msiexec.exe (PID: 916)
- Executes application which crashes
  - ppview97.exe (PID: 3176)
  - WD97VW32.EXE (PID: 3824)
- Removes files from Windows directory
  - acmsetup.EXE (PID: 1356)
- Creates files in the program directory
  - acmsetup.EXE (PID: 1356)
- Executed as Windows Service
  - vssvc.exe (PID: 2068)
- Modifies the open verb of a shell class
  - acmsetup.EXE (PID: 1356)
- Creates a software uninstall entry
  - acmsetup.EXE (PID: 1356)
- Creates COM task schedule object
  - acmsetup.EXE (PID: 1356)
- Reads Environment values
  - ecssoftwareautoupdater.exe (PID: 968)
INFO
- Low-level read access rights to disk partition
  - vssvc.exe (PID: 2068)
- Loads dropped or rewritten executable
  - msiexec.exe (PID: 916)
  - MsiExec.exe (PID: 936)
- Searches for installed software
  - msiexec.exe (PID: 916)
- Application launched itself
  - msiexec.exe (PID: 916)
- Creates a software uninstall entry
  - msiexec.exe (PID: 916)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msi	\|	Microsoft Windows Installer (93.3)
.pps/ppt	\|	Microsoft PowerPoint document (5.2)
.msi	\|	Microsoft Installer (100)

EXIF

FlashPix

CreateDate:	1999:06:21 07:00:00
Software:	Windows Installer
CodePage:	Windows Latin 1 (Western European)
LastPrinted:	2014:08:27 20:05:16
Title:	Marlin ECS
Subject:	Marlin ECS
Author:	The Marlin Company
Keywords:	-
Comments:	Marlin ECS
Template:	Intel;1033
LastModifiedBy:	prajagopalan
RevisionNumber:	{AC11ED4A-4E79-4D7D-B013-43E00D69DA1E}
ModifyDate:	2014:08:27 20:06:17
Pages:	200
Words:	2
Security:	Password protected

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

916

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Exit code:

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

936

C:\Windows\system32\MsiExec.exe -Embedding 9D38DB2017B568E5ADCF0EF8AD92B863 M Global\MSI0000

C:\Windows\system32\MsiExec.exe

—

msiexec.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Exit code:

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

968

"C:\ECS\ECSSoftwareAutoUpdater\ecssoftwareautoupdater.exe"

C:\ECS\ECSSoftwareAutoUpdater\ecssoftwareautoupdater.exe

InstallECSSoftwareAutoUpdater.exe

User:

SYSTEM

Company:

Microsoft

Integrity Level:

SYSTEM

Description:

ECSSoftwareAutoUpdater

Exit code:

4294967295

Version:

4.0.5393.29965

Modules

Images
c:\ecs\ecssoftwareautoupdater\ecssoftwareautoupdater.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1356

C:\~MSSETUP.T\~msstfqf.t\acmsetup.EXE /T ppview.stf /S C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\IXP000.TMP\

C:\~MSSETUP.T\~msstfqf.t\acmsetup.EXE

ntvdm.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Setup Tool

Exit code:

Version:

3.01

Modules

Images
c:\~mssetup.t\~msstfqf.t\acmsetup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

1768

"C:\Windows\System32\powercfg.exe" -change -monitor-timeout-ac 0

C:\Windows\System32\powercfg.exe

—

MsiExec.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Power Settings Command-Line Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\powercfg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2068

C:\Windows\system32\vssvc.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Volume Shadow Copy Service

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2120

"C:\Users\admin\AppData\Roaming\Marlin\InstallECSSoftwareAutoUpdater\InstallECSSoftwareAutoUpdater.exe"

C:\Users\admin\AppData\Roaming\Marlin\InstallECSSoftwareAutoUpdater\InstallECSSoftwareAutoUpdater.exe

msiexec.exe

User:

admin

Company:

Microsoft

Integrity Level:

MEDIUM

Description:

InstallECSSoftwareAutoUpdater

Exit code:

Version:

4.0.5345.28841

Modules

Images
c:\users\admin\appdata\roaming\marlin\installecssoftwareautoupdater\installecssoftwareautoupdater.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

2180

C:\Windows\system32\MsiExec.exe -Embedding A403C15F99DC864624FCDD2E178CE1A3 C

C:\Windows\system32\MsiExec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2256

"C:\Windows\System32\powercfg.exe" -h off

C:\Windows\System32\powercfg.exe

—

MsiExec.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Power Settings Command-Line Tool

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\powercfg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2628

C:\~MSSETUP.T\~msstfqf.t\acmsetup.EXE /T wviewer.stf /S C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\MSE000\

C:\~MSSETUP.T\~msstfqf.t\acmsetup.EXE

—

ntvdm.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Setup Tool

Exit code:

3221225758

Version:

1.2

Modules

Images
c:\~mssetup.t\~msstfqf.t\acmsetup.exe
c:\systemroot\system32\ntdll.dll

Add for printing

Total events

1 520

Read events

835

Write events

667

Delete events

Modification events


(PID) Process:	(916) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 4000000000000000D61285C74E36D50194030000D80D0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(916) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 4000000000000000D61285C74E36D50194030000D80D0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(916) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:	write	Name:	LastIndex
Value: 23
(PID) Process:	(916) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 4000000000000000CA22D6C74E36D50194030000D80D0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(916) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation:	write	Name:	IDENTIFY (Enter)
Value: 40000000000000002485D8C74E36D50194030000400F0000E803000001000000000000000000000096DA36CACC786D48A5A8E85099917A6F0000000000000000
(PID) Process:	(2068) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 40000000000000008C0EE2C74E36D50114080000180D0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2068) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 40000000000000008C0EE2C74E36D50114080000AC070000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2068) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 40000000000000008C0EE2C74E36D50114080000F4050000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2068) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 40000000000000008C0EE2C74E36D50114080000F80B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2068) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:	write	Name:	IDENTIFY (Leave)
Value: 4000000000000000F497EBC74E36D50114080000AC070000E8030000000000000100000000000000000000000000000000000000000000000000000000000000

Add for printing

Executable files

Suspicious files

Text files

175

Unknown types

Dropped files

PID	Process	Filename		Type
3800	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSIE804.tmp		—
		MD5:—	SHA256:—
3800	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSIE8B1.tmp		—
		MD5:—	SHA256:—
916	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
916	msiexec.exe	C:\Windows\Installer\d60fc.msi		—
		MD5:—	SHA256:—
916	msiexec.exe	C:\Windows\Installer\MSI65A1.tmp		—
		MD5:—	SHA256:—
916	msiexec.exe	C:\Users\admin\AppData\Local\Temp\~DF424E654161432EB0.TMP		—
		MD5:—	SHA256:—
2068	vssvc.exe	C:		—
		MD5:—	SHA256:—
916	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{ca36da96-78cc-486d-a5a8-e85099917a6f}_OnDiskSnapshotProp		binary
		MD5:—	SHA256:—
2900	DrvInst.exe	C:\Windows\INF\setupapi.ev3		binary
		MD5:—	SHA256:—
2900	DrvInst.exe	C:\Windows\INF\setupapi.ev1		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2120	InstallECSSoftwareAutoUpdater.exe	POST	200	216.244.103.219:80	http://ecs.themarlincompany.com/webservices/clientsoftware.asmx	US	xml	14.9 Kb	unknown
2120	InstallECSSoftwareAutoUpdater.exe	GET	301	216.244.103.219:80	http://ecs.themarlincompany.com/currentsoftware/ecssoftwareautoupdater.zip	US	html	198 b	unknown
2120	InstallECSSoftwareAutoUpdater.exe	GET	200	93.184.221.240:80	http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	US	compressed	56.2 Kb	whitelisted
2120	InstallECSSoftwareAutoUpdater.exe	GET	200	93.184.221.240:80	http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crt	US	der	993 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2120	InstallECSSoftwareAutoUpdater.exe	216.244.103.219:80	ecs.themarlincompany.com	CyrusOne LLC	US	unknown
2120	InstallECSSoftwareAutoUpdater.exe	216.244.103.219:443	ecs.themarlincompany.com	CyrusOne LLC	US	unknown
2120	InstallECSSoftwareAutoUpdater.exe	93.184.221.240:80	www.download.windowsupdate.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted

DNS requests

Domain	IP	Reputation
ecs.themarlincompany.com	216.244.103.219	unknown
www.download.windowsupdate.com	93.184.221.240	whitelisted

Threats

Found threats are available for the paid subscriptions

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

ecsinstallnewplayer.msi

68E8AFE1FB6FA8C5E8794F8A2BF35D42

3E4258E9B876A0F4031F089C7726891BA4DD655A

E4AFE24302B07EF5771C7A4A90D71A254FE9FE5423506A8C4691D299F252DA70

196608:Au6wIxGFfInpnkhxjT5aXN4QS/gT1DY6egzcXqVQnLu7:swYGFfbzT504h/oFY/yVQnLu7

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Writes to a start menu file

SUSPICIOUS

Executable content was dropped or overwritten

Executed via COM

Creates files in the Windows directory

Creates files in the user directory

Changes the desktop background image

Executes application which crashes

Removes files from Windows directory

Creates files in the program directory

Executed as Windows Service

Modifies the open verb of a shell class

Creates a software uninstall entry

Creates COM task schedule object

Reads Environment values

INFO

Low-level read access rights to disk partition

Loads dropped or rewritten executable

Searches for installed software

Application launched itself

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings