General Info

File name

fegrgre.exe

Full analysis
https://app.any.run/tasks/7a1d8a19-99a1-47f2-83c0-b4fd30f4e189
Verdict
Malicious activity
Analysis date
4/15/2019, 09:18:12
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

installer

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5

7955a000c54353d47d8aa83ce2cf465d

SHA1

32239c14026e799b96908cfc104cdb38d82c2e4b

SHA256

43a50c0036b80b7640f0e282364f0212d2334cb599a9d1f4433a399cc46aa9b6

SSDEEP

6144:GF4p+COS6Izisa8ZjtKpeYOHL7F8IxmcIuoRmFd3U5IYjFcG:S7hwva8ZhKpor7uIxmcvo4FdUGG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Loads dropped or rewritten executable
  • FirePlayer.exe (PID: 1380)
  • FirePlayer.exe (PID: 3544)
  • WerFault.exe (PID: 2592)
  • WerFault.exe (PID: 2764)
  • fireplayr.exe (PID: 3840)
  • fegrgre.exe (PID: 3932)
Application was dropped or rewritten from another process
  • helper.exe (PID: 3412)
  • FirePlayer.exe (PID: 3544)
  • FirePlayer.exe (PID: 1380)
  • fireplayr.exe (PID: 3840)
Changes settings of System certificates
  • fegrgre.exe (PID: 3932)
Creates a software uninstall entry
  • fireplayr.exe (PID: 3840)
Modifies the open verb of a shell class
  • fireplayr.exe (PID: 3840)
Creates files in the program directory
  • fireplayr.exe (PID: 3840)
  • fegrgre.exe (PID: 3932)
Creates files in the Windows directory
  • fireplayr.exe (PID: 3840)
Executable content was dropped or overwritten
  • fireplayr.exe (PID: 3840)
  • fegrgre.exe (PID: 3932)
Adds / modifies Windows certificates
  • fegrgre.exe (PID: 3932)
Creates files in the user directory
  • fegrgre.exe (PID: 3932)
Application was crashed
  • FirePlayer.exe (PID: 1380)
  • FirePlayer.exe (PID: 3544)

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

Static information

TRiD
.exe | NSIS - Nullsoft Scriptable Install System (91.9%)
.exe | Win32 Executable MS Visual C++ (generic) (3.3%)
.exe | Win64 Executable (generic) (3%)
.dll | Win32 Dynamic Link Library (generic) (0.7%)
.exe | Win32 Executable (generic) (0.4%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2008:12:20 13:40:58+01:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
23040
InitializedDataSize:
119808
UninitializedDataSize:
1024
EntryPoint:
0x30c2
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
3.0.0.0
ProductVersionNumber:
3.0.0.0
FileFlagsMask:
0x0000
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
Neutral
CharacterSet:
Windows, Latin1
CompanyName:
null
FileDescription:
FirePlayer
FileVersion:
3.0.0.0
LegalCopyright:
(c) 2015
ProductName:
FirePlayer
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
20-Dec-2008 12:40:58
Detected languages
English - United States
CompanyName:
null
FileDescription:
FirePlayer
FileVersion:
3.0.0.0
LegalCopyright:
(c) 2015
ProductName:
FirePlayer
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000D0
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
20-Dec-2008 12:40:58
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x000058C2 0x00005A00 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.43003
.rdata 0x00007000 0x00001190 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.17644
.data 0x00009000 0x0001AF78 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 4.61697
.ndata 0x00024000 0x00010000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rsrc 0x00034000 0x00004208 0x00004400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 2.24702
Resources
1, 2, 3, 4, 5, 6, 7, 103, 105, 106, 111

Imports
    KERNEL32.dll

    USER32.dll

    GDI32.dll

    SHELL32.dll

    ADVAPI32.dll

    COMCTL32.dll

    ole32.dll

    VERSION.dll

Exports

    No exports.

Processes

Total processes
44
Monitored processes
8
Malicious processes
6
Suspicious processes
0

Behavior graph

[Behavior graph: nodes fegrgre.exe (no specs), fegrgre.exe, fireplayr.exe, helper.exe (no specs), fireplayer.exe, werfault.exe (no specs), fireplayer.exe, werfault.exe (no specs); edges labelled "drop and start" and "start"]
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
3052
CMD
"C:\Users\admin\AppData\Local\Temp\fegrgre.exe"
Path
C:\Users\admin\AppData\Local\Temp\fegrgre.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Description
FirePlayer
Version
3.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\fegrgre.exe
c:\systemroot\system32\ntdll.dll

PID
3932
CMD
"C:\Users\admin\AppData\Local\Temp\fegrgre.exe"
Path
C:\Users\admin\AppData\Local\Temp\fegrgre.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
FirePlayer
Version
3.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\fegrgre.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\nsv52.tmp\system.dll
c:\users\admin\appdata\local\temp\nsv52.tmp\banner.dll
c:\windows\system32\uxtheme.dll
c:\users\admin\appdata\local\temp\nsv52.tmp\dialogs.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\riched20.dll
c:\users\admin\appdata\local\temp\nsv52.tmp\nsdialogs.dll
c:\users\admin\appdata\local\temp\nsv52.tmp\inetc.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\gpapi.dll
c:\program files\fireplayer\fireplayr.exe

PID
3840
CMD
fireplayr.exe
Path
C:\Program Files\FirePlayer\fireplayr.exe
Indicators
Parent process
fegrgre.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\program files\fireplayer\fireplayr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\users\admin\appdata\local\temp\nsz3d7a.tmp\system.dll
c:\users\admin\appdata\local\temp\nsz3d7a.tmp\fontname.dll
c:\windows\system32\crtdll.dll
c:\program files\fireplayer\helper.exe
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\program files\fireplayer\fireplayer.exe
c:\windows\system32\netutils.dll

PID
3412
CMD
"C:\Program Files\FirePlayer\helper.exe" -fireplayer.exe
Path
C:\Program Files\FirePlayer\helper.exe
Indicators
No indicators
Parent process
fireplayr.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Installer Technology Co.
Description
Open Software Updater Uninstall Component
Version
1.0.0.1
Modules
Image
c:\program files\fireplayer\helper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\oledlg.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winmm.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll

PID
1380
CMD
"C:\Program Files\FirePlayer\FirePlayer.exe"
Path
C:\Program Files\FirePlayer\FirePlayer.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221225477
Version:
Company
Description
FirePlayer
Version
1.0.0.2
Modules
Image
c:\program files\fireplayer\fireplayer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\fireplayer\avutil-54.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\fireplayer\swscale-3.dll
c:\program files\fireplayer\avformat-56.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\program files\fireplayer\avcodec-56.dll
c:\program files\fireplayer\swresample-1.dll
c:\program files\fireplayer\avfilter-5.dll
c:\program files\fireplayer\postproc-53.dll
c:\windows\system32\version.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\iertutil.dll
c:\program files\fireplayer\sdl2.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\dwmapi.dll
c:\program files\fireplayer\d3dx9_35.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\winspool.drv
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\oledlg.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\dsound.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\audioses.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\windowscodecs.dll

PID
2592
CMD
C:\Windows\system32\WerFault.exe -u -p 1380 -s 436
Path
C:\Windows\system32\WerFault.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Problem Reporting
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\werfault.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wer.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\faultrep.dll
c:\windows\system32\psapi.dll
c:\windows\system32\version.dll
c:\program files\fireplayer\fireplayer.exe
c:\windows\system32\dbgeng.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\werui.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dui70.dll
c:\windows\system32\duser.dll
c:\windows\system32\riched20.dll
c:\windows\system32\shell32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\program files\fireplayer\avutil-54.dll
c:\program files\fireplayer\swscale-3.dll
c:\program files\fireplayer\avformat-56.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\program files\fireplayer\avcodec-56.dll
c:\program files\fireplayer\swresample-1.dll
c:\program files\fireplayer\avfilter-5.dll
c:\program files\fireplayer\postproc-53.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\program files\fireplayer\sdl2.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\program files\fireplayer\d3dx9_35.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\oledlg.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\dsound.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\audioses.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\windowscodecs.dll

PID
3544
CMD
"C:\Program Files\FirePlayer\FirePlayer.exe"
Path
C:\Program Files\FirePlayer\FirePlayer.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221225477
Version:
Company
Description
FirePlayer
Version
1.0.0.2
Modules
Image
c:\program files\fireplayer\fireplayer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\fireplayer\avutil-54.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\fireplayer\swscale-3.dll
c:\program files\fireplayer\avformat-56.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\program files\fireplayer\avcodec-56.dll
c:\program files\fireplayer\swresample-1.dll
c:\program files\fireplayer\avfilter-5.dll
c:\program files\fireplayer\postproc-53.dll
c:\windows\system32\version.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\program files\fireplayer\sdl2.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\dwmapi.dll
c:\program files\fireplayer\d3dx9_35.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\winspool.drv
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\oledlg.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\dsound.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\audioses.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\windowscodecs.dll

PID
2764
CMD
C:\Windows\system32\WerFault.exe -u -p 3544 -s 432
Path
C:\Windows\system32\WerFault.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Problem Reporting
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\werfault.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wer.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\faultrep.dll
c:\windows\system32\psapi.dll
c:\windows\system32\version.dll
c:\program files\fireplayer\fireplayer.exe
c:\windows\system32\dbgeng.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\werui.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dui70.dll
c:\windows\system32\duser.dll
c:\windows\system32\riched20.dll
c:\windows\system32\shell32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\program files\fireplayer\avutil-54.dll
c:\program files\fireplayer\swscale-3.dll
c:\program files\fireplayer\avformat-56.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\program files\fireplayer\avcodec-56.dll
c:\program files\fireplayer\swresample-1.dll
c:\program files\fireplayer\avfilter-5.dll
c:\program files\fireplayer\postproc-53.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\program files\fireplayer\sdl2.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\program files\fireplayer\d3dx9_35.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\oledlg.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\dsound.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\audioses.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\windowscodecs.dll

Registry activity

Total events
637
Read events
561
Write events
76
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3932
fegrgre.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASAPI32
EnableFileTracing
0
3932
fegrgre.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASAPI32
EnableConsoleTracing
0
3932
fegrgre.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASAPI32
FileTracingMask
4294901760
3932
fegrgre.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASAPI32
ConsoleTracingMask
4294901760
3932
fegrgre.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASAPI32
MaxFileSize
1048576
3932
fegrgre.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASAPI32
FileDirectory
%windir%\tracing
3932
fegrgre.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASMANCS
EnableFileTracing
0
3932
fegrgre.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASMANCS
EnableConsoleTracing
0
3932
fegrgre.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASMANCS
FileTracingMask
4294901760
3932
fegrgre.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASMANCS
ConsoleTracingMask
4294901760
3932
fegrgre.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASMANCS
MaxFileSize
1048576
3932
fegrgre.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASMANCS
FileDirectory
%windir%\tracing
3932
fegrgre.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3932
fegrgre.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
3932
fegrgre.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3932
fegrgre.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3932
fegrgre.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3932
fegrgre.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
3932
fegrgre.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
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
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
CoolveticaRg-Regular (TrueType)
coolvetica_rg.ttf
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.avi
backup_val
VLC.avi
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.avi
FirePlayer.AVI
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.AVI
FirePlayer.AVI
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.AVI\shell
open
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.AVI\DefaultIcon
C:\Program Files\FirePlayer\FirePlayer.exe,0
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.AVI\shell\open\command
"C:\Program Files\FirePlayer\FirePlayer.exe" "%1"
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.AVI\shell\edit
Edit FirePlayer.AVI
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.AVI\shell\edit\command
"C:\Program Files\FirePlayer\FirePlayer.exe" "%1"
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mkv
backup_val
VLC.mkv
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mkv
FirePlayer.MKV
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MKV
FirePlayer.MKV
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MKV\shell
open
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MKV\DefaultIcon
C:\Program Files\FirePlayer\FirePlayer.exe,0
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MKV\shell\open\command
"C:\Program Files\FirePlayer\FirePlayer.exe" "%1"
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MKV\shell\edit
Edit FirePlayer.MKV
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MKV\shell\edit\command
"C:\Program Files\FirePlayer\FirePlayer.exe" "%1"
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mov
backup_val
VLC.mov
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mov
FirePlayer.MOV
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MOV
FirePlayer.MOV
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MOV\shell
open
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MOV\DefaultIcon
C:\Program Files\FirePlayer\FirePlayer.exe,0
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MOV\shell\open\command
"C:\Program Files\FirePlayer\FirePlayer.exe" "%1"
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MOV\shell\edit
Edit FirePlayer.MOV
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MOV\shell\edit\command
"C:\Program Files\FirePlayer\FirePlayer.exe" "%1"
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mpg
backup_val
VLC.mpg
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mpg
FirePlayer.MPG
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MPG
FirePlayer.MPG
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MPG\shell
open
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MPG\DefaultIcon
C:\Program Files\FirePlayer\FirePlayer.exe,0
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MPG\shell\open\command
"C:\Program Files\FirePlayer\FirePlayer.exe" "%1"
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MPG\shell\edit
Edit FirePlayer.MPG
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MPG\shell\edit\command
"C:\Program Files\FirePlayer\FirePlayer.exe" "%1"
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mp4
backup_val
VLC.mp4
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mp4
FirePlayer.MP4
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MP4
FirePlayer.MP4
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MP4\shell
open
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MP4\DefaultIcon
C:\Program Files\FirePlayer\FirePlayer.exe,0
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MP4\shell\open\command
"C:\Program Files\FirePlayer\FirePlayer.exe" "%1"
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MP4\shell\edit
Edit FirePlayer.MP4
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MP4\shell\edit\command
"C:\Program Files\FirePlayer\FirePlayer.exe" "%1"
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\FirePlayer
C:\Program Files\FirePlayer
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FirePlayer
DisplayName
FirePlayer
3840
fireplayr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FirePlayer
UninstallString
C:\Program Files\FirePlayer\uninstall.exe
1380
FirePlayer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Name
FirePlayer.exe
3544
FirePlayer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Name
FirePlayer.exe
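Two things in the registry writes above deserve more than a glance. First, the `Blob` value written under `SystemCertificates\AuthRoot\Certificates\91C6D6EE...`: decoding the hex shows its friendly-name property is "thawte", its SHA-1 property equals the key name, and the embedded subject reads "thawte Primary Root CA". crypt32 writes roots it fetches through the automatic root update into AuthRoot from inside whatever process triggered chain building, so an installer showing up as the writer is not by itself tampering; the checks that matter are whether the key name, the SHA-1 property and the hash of the embedded DER certificate all agree. Second, `fireplayr.exe` repoints `.avi`, `.mkv`, `.mov`, `.mpg` and `.mp4` from the `VLC.*` ProgIDs to `FirePlayer.*` ones, stashing the previous ProgID in `backup_val`, and wires the new ProgIDs' `shell\open\command` to `FirePlayer.exe`. The Python below is an added example, not ANY.RUN's code and not FirePlayer's: it parses the Blob's property records (the `<prop id><reserved=1><length><data>` layout of little-endian DWORDs that Windows uses for these values; property IDs as in wincrypt.h) and triages a transcribed subset of the rows. The blob hex is copied from the report up to the certificate record, which is cut short on purpose to show how a truncated record is reported; the row tuples, regexes and finding names are the example's own.

```python
import hashlib
import re
import struct

# Blob value from the report, copied up to the DER certificate record. Record layout is
# <prop id><reserved=1><length><data>, all DWORDs little-endian; prop ids are wincrypt.h
# CERT_*_PROP_ID values. The final record (32 = CERT_CERT_PROP_ID) is cut short on purpose.
BLOB_HEX = (
    "0F000000" "01000000" "14000000" "85FEF11B4F47FE3952F98301C9F98976FEFEE0CE"   # 15 signature hash
    "09000000" "01000000" "2A000000" "3028"                                       # 9 enhanced key usage
    "06082B06010505070301" "06082B06010505070302" "06082B06010505070304" "06082B06010505070303"
    "53000000" "01000000" "25000000"                                              # 83 root program policies
    "30233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C0"
    "14000000" "01000000" "14000000" "7B5B45CFAFCECB7AFD31921A6AB6F346EB574850"   # 20 key identifier
    "1D000000" "01000000" "10000000" "5B3B67000EEB80022E42605B6B3B7240"           # 29 subject key MD5
    "0B000000" "01000000" "0E000000" "7400680061007700740065000000"               # 11 friendly name
    "03000000" "01000000" "14000000" "91C6D6EE3E8AC86384E548C299295C756C817B81"   # 3 SHA-1 thumbprint
    "20000000" "01000000" "24040000" "3082042030820308A003020102"                 # 32 certificate (cut)
)

def parse_cert_blob(blob: bytes):
    """Return (props, truncated): props maps prop id -> data bytes; truncated is None or
    (prop id, declared length, bytes actually present) for a record the blob cuts off."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:                      # not even a full record header left
            return props, (None, None, len(blob) - off)
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved:#x} at offset {off}")
        off += 12
        if off + length > len(blob):                  # header promises more data than we have
            return props, (prop_id, length, len(blob) - off)
        props[prop_id] = blob[off:off + length]
        off += length
    return props, None

def friendly_name(props):
    raw = props.get(11)                               # UTF-16LE, NUL terminated
    return raw.decode("utf-16-le").rstrip("\x00") if raw else None

def thumbprint(props):
    return props[3].hex().upper() if 3 in props else None

def thumbprint_matches_key(props, key_path):
    """The key name under ...\\Certificates\\ must be the SHA-1 thumbprint (property 3)."""
    return thumbprint(props) == key_path.rsplit("\\", 1)[-1].upper()

def cert_hash_consistent(props):
    """sha1(DER cert) must equal property 3; None when the certificate record is absent or cut."""
    der = props.get(32)
    if der is None or 3 not in props:
        return None
    return hashlib.sha1(der).digest() == props[3]

# Registry-write rows transcribed from the report: (pid, process, key, value name, data);
# "" as the value name is the key's default value. A subset is enough to show the pattern.
FP = r'"C:\Program Files\FirePlayer\FirePlayer.exe" "%1"'
REG_WRITES = [
    (3932, "fegrgre.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81", "Blob", BLOB_HEX),
    (3840, "fireplayr.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.avi", "backup_val", "VLC.avi"),
    (3840, "fireplayr.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.avi", "", "FirePlayer.AVI"),
    (3840, "fireplayr.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.AVI\shell\open\command", "", FP),
    (3840, "fireplayr.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mkv", "backup_val", "VLC.mkv"),
    (3840, "fireplayr.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mkv", "", "FirePlayer.MKV"),
    (3840, "fireplayr.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirePlayer.MKV\shell\open\command", "", FP),
]

EXT_KEY = re.compile(r".*\\Classes\\(\.[^\\]+)")                         # HKLM\...\Classes\.avi
CMD_KEY = re.compile(r".*\\Classes\\([^\\.][^\\]*)\\shell\\open\\command")  # ...\<ProgID>\shell\open\command

def triage_registry(rows):
    """Flag certificate-store writes and file-type (ProgID) takeovers, tying each new
    ProgID to the command that will run when a file of that type is opened."""
    findings, assoc, handlers = [], {}, {}
    for pid, proc, key, name, data in rows:
        m_ext, m_cmd = EXT_KEY.fullmatch(key), CMD_KEY.fullmatch(key)
        if "\\SystemCertificates\\" in key and name == "Blob":
            props, cut = parse_cert_blob(bytes.fromhex(data))
            findings.append({"kind": "cert_store_write", "process": proc, "key": key,
                             "friendly_name": friendly_name(props), "truncated": cut,
                             "key_matches_thumbprint": thumbprint_matches_key(props, key),
                             "cert_hash_ok": cert_hash_consistent(props)})
        elif m_ext and name in ("", "backup_val"):
            entry = assoc.setdefault(m_ext.group(1), {"kind": "assoc_takeover",
                                                       "process": proc, "extension": m_ext.group(1)})
            entry["new" if name == "" else "previous"] = data
        elif m_cmd and name == "":
            handlers[m_cmd.group(1)] = data
    for entry in assoc.values():                      # resolve ProgID -> binary that will run
        entry["handler"] = handlers.get(entry.get("new"))
        findings.append(entry)
    return findings
```

With the full Blob value (the complete property-32 record) `cert_hash_consistent` returns a real verdict instead of `None`, and the parsed DER can be fed to any X.509 library to confirm which root it is. The association triage is deliberately keyed on the `backup_val`/default pair so the output states both what was replaced and what replaced it, which is the detail a user-facing "default app changed" alert usually lacks.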

Files activity

Executable files
25
Suspicious files
4
Text files
4
Unknown types
4

Dropped files

PID
Process
Filename
Type
3932
fegrgre.exe
C:\Users\admin\AppData\Local\Temp\nsv52.tmp\System.dll
executable
MD5: 68edaafef887c72f0d85d4d64b6cbf52
SHA256: 7d8ce82f2b89f544ed90cc8febfcfa57b32d2c8600bb77f79bc8d8980f0f7477
3840
fireplayr.exe
C:\Program Files\FirePlayer\D3DX9_40.dll
executable
MD5: eea5e428ce63804f9b12d21c97b5968f
SHA256: 16fd909aeb68d0d1aca8529dc7f78880b97d6649d70ce8d03a2c858bc28e216b
3840
fireplayr.exe
C:\Program Files\FirePlayer\D3DX9_37.dll
executable
MD5: ac3c517fb0fbbe45fe44007bcd3625a7
SHA256: c2ccb84c672a9d8966e82a28005a4269886ee304972ac3590c0b8a9c1622a3d8
3932
fegrgre.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\fireplayr_setup_component[1].exe
executable
MD5: bb06e34c0c5b83c08c8f5d2a666011d6
SHA256: 6f3472679b860437c85ef9513e44b1d789e6ce64cf710fbe8644d04324ab5721
3840
fireplayr.exe
C:\Program Files\FirePlayer\FirePlayer.exe
executable
MD5: 7587440f7b5a08f5693849bb679d67fc
SHA256: c0f95a6d6fae7924fdcbb7ad272090498dd64dadabd116c417f9b9c18a55f299
3840
fireplayr.exe
C:\Program Files\FirePlayer\D3DX9_43.dll
executable
MD5: 86e39e9161c3d930d93822f1563c280d
SHA256: 0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f
3840
fireplayr.exe
C:\Program Files\FirePlayer\avutil-54.dll
executable
MD5: ed470eef2d3eba8464c66e75e5e259be
SHA256: 2c1585d1b57e369323cca7ae77f98a4206fd80e0bf137c1bfe96c78e15309287
3932
fegrgre.exe
C:\Users\admin\AppData\Local\Temp\nsv52.tmp\inetc.dll
executable
MD5: c8145fcae89e1fae96f4e00b4af0fdf9
SHA256: a52947c70a9f6fd50573dfb5075d5513945dd7cdd0be98489ff88771a5946170
3840
fireplayr.exe
C:\Program Files\FirePlayer\avformat-56.dll
executable
MD5: d2b36b9ee9f702000b64040737c92a1a
SHA256: 326748c8d35e1d5c8da2df78529758c2a59df8eef558a07c6a601b4e1fe22778
3932
fegrgre.exe
C:\Users\admin\AppData\Local\Temp\nsv52.tmp\nsDialogs.dll
executable
MD5: 81f3a42e13f56dd241e838d6e90d7e65
SHA256: 908ed8726550d255cbbb2e3f1172a57b16087315a96e95d3bf9eda5d5a9c6326
3840
fireplayr.exe
C:\Program Files\FirePlayer\avfilter-5.dll
executable
MD5: e948a8e9e237e547f091e2f6830e8462
SHA256: 3d2daa76821b148ca4b4a79524d3ebde975b0699e8da8e690c3b37daf7b92715
3840
fireplayr.exe
C:\Program Files\FirePlayer\postproc-53.dll
executable
MD5: 0dfccc9b44bc4235df7c8417eef148fa
SHA256: 459f4f3b8226dca07f842ce5fbfa8150b9d8c2fdddda1e056cefce7216f58541
3840
fireplayr.exe
C:\Users\admin\AppData\Local\Temp\nsz3D7A.tmp\System.dll
executable
MD5: c6f5b9596db45ce43f14b64e0fbcf552
SHA256: 4b6da3f2bdb6c452fb493b98f6b7aa1171787dbd3fa2df2b3b22ccaeac88ffa0
3840
fireplayr.exe
C:\Program Files\FirePlayer\swresample-1.dll
executable
MD5: b064089a9a58a4e1568a5bdaa2199df5
SHA256: 74e6965267f44e5368de3056dc4f594735cdbbb3072171af806260e8e0756d74
3840
fireplayr.exe
C:\Program Files\FirePlayer\avdevice-56.dll
executable
MD5: 19478c7673667dc4383b116ea3868957
SHA256: fd6074b957bfd7fb857da5ab2d8df8e09844582efbc2da2483b899fa9f9e3722
3932
fegrgre.exe
C:\Program Files\FirePlayer\fireplayr.exe
executable
MD5: bb06e34c0c5b83c08c8f5d2a666011d6
SHA256: 6f3472679b860437c85ef9513e44b1d789e6ce64cf710fbe8644d04324ab5721
3932
fegrgre.exe
C:\Users\admin\AppData\Local\Temp\nsv52.tmp\Banner.dll
executable
MD5: 724775057fe3b1adc5a300c5500f4d50
SHA256: 1021a2c9799f031943428d2df4a179c3aa0a1333286cdc0ef705395076be053e
3840
fireplayr.exe
C:\Program Files\FirePlayer\swscale-3.dll
executable
MD5: 2d20117770518e142c0c24b1a61e2f9d
SHA256: 08de6cab152eead60f8b7c35e6ad23b8c7ad22f9f851e7649199e36cb2058376
3840
fireplayr.exe
C:\Program Files\FirePlayer\avcodec-56.dll
executable
MD5: e638b69ac85ea4ffd53a4e9069428337
SHA256: 1e682257833be9ef7004acb46ce3b7cbe03e802baf83b5e25c9e63dff7cf103a
3840
fireplayr.exe
C:\Program Files\FirePlayer\helper.exe
executable
MD5: dfa4ae9c03dd5dd44ad1eb97f4e834cb
SHA256: f13bdd164282aedf86ce49b5a3278a4d6ed25a4e0b95f2d8782b394d15528e5b
3840
fireplayr.exe
C:\Program Files\FirePlayer\SDL2.dll
executable
MD5: ae58662a16410481b477b78b8d47460b
SHA256: a23d944bea101c574875c13883088798cfda712de969dd14f529e870a0de87da
3840
fireplayr.exe
C:\Users\admin\AppData\Local\Temp\nsz3D7A.tmp\FontName.dll
executable
MD5: 80fc669a19766341bf93e0814f206b07
SHA256: 6f199ea45550e187d89dde24ec23fa64897c876abe98dec33d7b78363dd87ebc
3840
fireplayr.exe
C:\Program Files\FirePlayer\d3dx9_35.dll
executable
MD5: 3ef18b78d17c962f2b71ac1cb7757684
SHA256: 2198022938156b790e9cfb0f7997494b66a11a1ad49b395be58251d635b66b26
3840
fireplayr.exe
C:\Program Files\FirePlayer\uninstall.exe
executable
MD5: 95f5ded53e1d33ac5d2b135277dbf227
SHA256: 459dd9aa24c2ac4a71cd7c64e22599878399f7d6b79549062ef343e405c91e62
3932
fegrgre.exe
C:\Users\admin\AppData\Local\Temp\nsv52.tmp\Dialogs.dll
executable
MD5: e5aa0927211a4d4b3e031f47ba439c8c
SHA256: d7b8c119bf02e1eb9008cf3afcac9e6c514522ddcfa11c8b77696ece8f80f45a
3840
fireplayr.exe
C:\Program Files\FirePlayer\languages\english.lng
text
MD5: 5e6b8517060f50cad277613f70dd4921
SHA256: f1f7805b107b3f7e8a117b69b798d50208a9cebb4fe980790f1a2431c4f9f471
3932
fegrgre.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: c4b4cfff4a9cffcc085998014329922a
SHA256: 9ec0cdcaf3399c7163ef7d35bb22e27a54d8cc69a5882b7eac38710ab5079ed3
3840
fireplayr.exe
C:\Windows\Fonts\coolvetica_rg.ttf
ttf
MD5: 4f9c46c1bdc961ed94eb04475be1237c
SHA256: 0a51b7d1f9987406aeb8e07cdb4eedda00a2af7146d6112d1cca05e341e45035
3840
fireplayr.exe
C:\Program Files\FirePlayer\languages\russian.lng
text
MD5: 655408ed583a0da2f805d8dc939f3e8d
SHA256: 75cb629d80e9d47108e4b9a1ff1d8cb9d075d49d9d3dbe9c751d0d03b37ec960
3840
fireplayr.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FirePlayer\Uninstall.lnk
lnk
MD5: abb0eeb2e3572572df60069820e83a9e
SHA256: 2649386250d5bdf6608ffb0772e946a2b3f33428003947b02c0ad342a1eff983
3840
fireplayr.exe
C:\Users\Public\Desktop\FirePlayer.lnk
lnk
MD5: b65312f6815946ed9e2ac6c65a6a6a7f
SHA256: b1c28083077206b12e8e89732e8b8834df20fead8dac23f1c26c6de20cfc268e
3840
fireplayr.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FirePlayer\FirePlayer.lnk
lnk
MD5: 70de9be8a0871801a7e0de0bda5b3bf5
SHA256: f2824ab98b143a42c6b56c6d929dd1c2512e58a496b4577120e6b3c83c4e94d3
2764
WerFault.exe
C:\Users\admin\AppData\Local\CrashDumps\FirePlayer.exe.3544.dmp
––
MD5:  ––
SHA256:  ––
2592
WerFault.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_FirePlayer.exe_1882137c720412f38f1acee67ea3f5e72e8a_0a337e1c\Report.wer
binary
MD5: fa2bc9e835be6dad4311484dd5b7df0e
SHA256: e487d5f4503af233b1d676e005c682fe02a046a5998cc0b03ed9910b65899733
2592
WerFault.exe
C:\Users\admin\AppData\Local\CrashDumps\FirePlayer.exe.1380.dmp
––
MD5:  ––
SHA256:  ––
3932
fegrgre.exe
C:\Users\admin\AppData\Local\Temp\nsv52.tmp\TopLogo1.bmp
image
MD5: b7bc2601f184f7af24fcad2deb5684b4
SHA256: 9259068cecc4fd9d46fac213d42ec014017323f607abc38006d12f0e448a7724
1380
FirePlayer.exe
C:\Users\admin\AppData\Local\Temp\~DF3F88617F696259A0.TMP
binary
MD5: 9e731dc5cd363bc1b0c0acb47b8360a1
SHA256: a1a5406249cbb91e42c469542783609935f59635216dd93c54532aa7f7dc8d7a
2764
WerFault.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_FirePlayer.exe_1882137c720412f38f1acee67ea3f5e72e8a_0adf9bc6\Report.wer
binary
MD5: 6f0835bbbf5f4d16180b561b1451534a
SHA256: ba29796573c7fbe5aa235e12306e379e742bb4407fd96c5357c764dcb1a54504
3544
FirePlayer.exe
C:\Users\admin\AppData\Local\Temp\~DF6A1F6B618997A274.TMP
binary
MD5: 9e731dc5cd363bc1b0c0acb47b8360a1
SHA256: a1a5406249cbb91e42c469542783609935f59635216dd93c54532aa7f7dc8d7a
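Read as a flat list, the dropped-file table hides the chain that matters: `fegrgre.exe` unpacks NSIS plugin DLLs into `%TEMP%\nsv52.tmp` (among them `inetc.dll`, the NSIS internet plugin, which lines up with the single TLS connection below), a file lands in the Internet Explorer cache as `fireplayr_setup_component[1].exe`, and the same SHA-256 then appears as `C:\Program Files\FirePlayer\fireplayr.exe`, the second-stage installer that does the rest of the work. The Python below is an added example, not ANY.RUN's tooling: it groups a transcribed subset of the rows by hash, orders each multi-path hash by a rough "download stage" ranking, and lists NSIS plugin drops per process. The stage ranking, the regexes and the function names are this example's own; the WerFault crash dumps are left out of the sample because the report carries no hash for them.

```python
import re
from collections import defaultdict

# Dropped-file rows transcribed from the report: (pid, process, path, sha256). The WerFault
# crash dumps have no hash in the report and are left out; a real tool would take all rows.
DROPS = [
    (3932, "fegrgre.exe", r"C:\Users\admin\AppData\Local\Temp\nsv52.tmp\System.dll",
     "7d8ce82f2b89f544ed90cc8febfcfa57b32d2c8600bb77f79bc8d8980f0f7477"),
    (3932, "fegrgre.exe", r"C:\Users\admin\AppData\Local\Temp\nsv52.tmp\inetc.dll",
     "a52947c70a9f6fd50573dfb5075d5513945dd7cdd0be98489ff88771a5946170"),
    (3932, "fegrgre.exe", r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files"
                          r"\Content.IE5\H6QNMHE9\fireplayr_setup_component[1].exe",
     "6f3472679b860437c85ef9513e44b1d789e6ce64cf710fbe8644d04324ab5721"),
    (3932, "fegrgre.exe", r"C:\Program Files\FirePlayer\fireplayr.exe",
     "6f3472679b860437c85ef9513e44b1d789e6ce64cf710fbe8644d04324ab5721"),
    (3840, "fireplayr.exe", r"C:\Users\admin\AppData\Local\Temp\nsz3D7A.tmp\System.dll",
     "4b6da3f2bdb6c452fb493b98f6b7aa1171787dbd3fa2df2b3b22ccaeac88ffa0"),
    (3840, "fireplayr.exe", r"C:\Program Files\FirePlayer\FirePlayer.exe",
     "c0f95a6d6fae7924fdcbb7ad272090498dd64dadabd116c417f9b9c18a55f299"),
    (3840, "fireplayr.exe", r"C:\Program Files\FirePlayer\helper.exe",
     "f13bdd164282aedf86ce49b5a3278a4d6ed25a4e0b95f2d8782b394d15528e5b"),
    (1380, "FirePlayer.exe", r"C:\Users\admin\AppData\Local\Temp\~DF3F88617F696259A0.TMP",
     "a1a5406249cbb91e42c469542783609935f59635216dd93c54532aa7f7dc8d7a"),
    (3544, "FirePlayer.exe", r"C:\Users\admin\AppData\Local\Temp\~DF6A1F6B618997A274.TMP",
     "a1a5406249cbb91e42c469542783609935f59635216dd93c54532aa7f7dc8d7a"),
]

# Where a path sits in a typical "download, then install" flow; lower rank = earlier stage.
# The ranking is this example's heuristic, not anything the sandbox reports.
STAGE_RANK = [
    (re.compile(r"\\Temporary Internet Files\\|\\INetCache\\", re.I), 0, "browser cache"),
    (re.compile(r"\\AppData\\Local\\Temp\\", re.I), 1, "user temp"),
    (re.compile(r"^C:\\Program Files", re.I), 2, "install dir"),
]
# NSIS extracts its plugin DLLs into %TEMP%\ns<random>.tmp\ while the installer runs.
NSIS_PLUGIN = re.compile(r"\\Temp\\ns[a-z0-9]+\.tmp\\[^\\]+\.dll$", re.I)

def stage_of(path):
    for rx, rank, label in STAGE_RANK:
        if rx.search(path):
            return rank, label
    return 9, "other"

def drop_chains(drops):
    """Group rows by SHA-256 and return hashes seen at more than one path, each ordered by
    stage, so a file downloaded into a cache and then copied into place reads as one chain."""
    by_hash = defaultdict(list)
    for pid, proc, path, sha in drops:
        rank, label = stage_of(path)
        by_hash[sha].append((rank, label, proc, path))
    return {sha: [(label, proc, path) for _, label, proc, path in sorted(hits)]
            for sha, hits in by_hash.items() if len(hits) > 1}

def downloaded_then_installed(drops):
    """Hashes whose earliest sighting is a cache/temp path and latest is an install directory."""
    return [sha for sha, chain in drop_chains(drops).items()
            if chain[0][0] in ("browser cache", "user temp") and chain[-1][0] == "install dir"]

def nsis_plugins(drops):
    """Plugin DLLs each process unpacked from its NSIS stub; 'inetc' means the installer
    itself can fetch files over HTTP(S)."""
    out = defaultdict(list)
    for pid, proc, path, sha in drops:
        if NSIS_PLUGIN.search(path):
            out[proc].append(path.rsplit("\\", 1)[-1])
    return dict(out)
```

The two `~DF*.TMP` files written by the crashing `FirePlayer.exe` instances share a hash too, but both sit in user temp, so `drop_chains` reports them while `downloaded_then_installed` does not; that distinction is what keeps the "second stage was fetched and planted" finding from firing on every duplicated scratch file.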

Find more information about the static content, and download it, in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
1

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
3932 fegrgre.exe 104.18.71.49:443 Cloudflare Inc US unknown

DNS requests

Domain IP Reputation
installer.fireplayr.com 104.18.71.49, 104.18.70.49 unknown

Threats

PID Process Class Message
3932 fegrgre.exe Generic Protocol Command Decode SURICATA STREAM excessive retransmissions

Debug output strings

No debug info.