File name:

fegrgre.exe

Full analysis: https://app.any.run/tasks/7a1d8a19-99a1-47f2-83c0-b4fd30f4e189
Verdict: Malicious activity
Analysis date: April 15, 2019, 07:18:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

7955A000C54353D47D8AA83CE2CF465D

SHA1:

32239C14026E799B96908CFC104CDB38D82C2E4B

SHA256:

43A50C0036B80B7640F0E282364F0212D2334CB599A9D1F4433A399CC46AA9B6

SSDEEP:

6144:GF4p+COS6Izisa8ZjtKpeYOHL7F8IxmcIuoRmFd3U5IYjFcG:S7hwva8ZhKpor7uIxmcvo4FdUGG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • fegrgre.exe (PID: 3932)
      • fireplayr.exe (PID: 3840)
      • FirePlayer.exe (PID: 1380)
      • WerFault.exe (PID: 2592)
      • FirePlayer.exe (PID: 3544)
      • WerFault.exe (PID: 2764)

    • Changes settings of System certificates

      • fegrgre.exe (PID: 3932)

    • Application was dropped or rewritten from another process

      • fireplayr.exe (PID: 3840)
      • helper.exe (PID: 3412)
      • FirePlayer.exe (PID: 3544)
      • FirePlayer.exe (PID: 1380)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • fegrgre.exe (PID: 3932)
      • fireplayr.exe (PID: 3840)

    • Creates files in the program directory

      • fegrgre.exe (PID: 3932)
      • fireplayr.exe (PID: 3840)

    • Adds / modifies Windows certificates

      • fegrgre.exe (PID: 3932)

    • Creates files in the user directory

      • fegrgre.exe (PID: 3932)

    • Creates files in the Windows directory

      • fireplayr.exe (PID: 3840)

    • Modifies the open verb of a shell class

      • fireplayr.exe (PID: 3840)

    • Creates a software uninstall entry

      • fireplayr.exe (PID: 3840)

  • INFO

    • Application was crashed

      • FirePlayer.exe (PID: 1380)
      • FirePlayer.exe (PID: 3544)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (91.9)
.exe | Win32 Executable MS Visual C++ (generic) (3.3)
.exe | Win64 Executable (generic) (3)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2008:12:20 13:40:58+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 23040
InitializedDataSize: 119808
UninitializedDataSize: 1024
EntryPoint: 0x30c2
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.0.0.0
ProductVersionNumber: 3.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Latin1
CompanyName: -
FileDescription: FirePlayer
FileVersion: 3.0.0.0
LegalCopyright: (c) 2015
ProductName: FirePlayer

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 20-Dec-2008 12:40:58
Detected languages:
  • English - United States
CompanyName: -
FileDescription: FirePlayer
FileVersion: 3.0.0.0
LegalCopyright: (c) 2015
ProductName: FirePlayer

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 20-Dec-2008 12:40:58
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000058C2
0x00005A00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.43003
.rdata
0x00007000
0x00001190
0x00001200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.17644
.data
0x00009000
0x0001AF78
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.61697
.ndata
0x00024000
0x00010000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x00034000
0x00004208
0x00004400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
2.24702

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.08494
733
UNKNOWN
English - United States
RT_MANIFEST
2
1.46152
3752
UNKNOWN
English - United States
RT_ICON
3
0
2216
UNKNOWN
English - United States
RT_ICON
4
0
1384
UNKNOWN
English - United States
RT_ICON
5
0
1128
UNKNOWN
English - United States
RT_ICON
6
0
744
UNKNOWN
English - United States
RT_ICON
7
0
296
UNKNOWN
English - United States
RT_ICON
103
3.31223
104
UNKNOWN
English - United States
RT_GROUP_ICON
105
2.69888
548
UNKNOWN
English - United States
RT_DIALOG
106
2.91148
248
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
8
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start fegrgre.exe fireplayr.exe helper.exe no specs fireplayer.exe werfault.exe no specs fireplayer.exe werfault.exe no specs fegrgre.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1380"C:\Program Files\FirePlayer\FirePlayer.exe" C:\Program Files\FirePlayer\FirePlayer.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
FirePlayer
Exit code:
3221225477
Version:
1.0.0.2
Modules
Images
c:\program files\fireplayer\fireplayer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\fireplayer\avutil-54.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\fireplayer\swscale-3.dll
2592C:\Windows\system32\WerFault.exe -u -p 1380 -s 436C:\Windows\system32\WerFault.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\werfault.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2764C:\Windows\system32\WerFault.exe -u -p 3544 -s 432C:\Windows\system32\WerFault.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\werfault.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3052"C:\Users\admin\AppData\Local\Temp\fegrgre.exe" C:\Users\admin\AppData\Local\Temp\fegrgre.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
FirePlayer
Exit code:
3221226540
Version:
3.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\fegrgre.exe
c:\systemroot\system32\ntdll.dll
3412"C:\Program Files\FirePlayer\helper.exe" -fireplayer.exeC:\Program Files\FirePlayer\helper.exefireplayr.exe
User:
admin
Company:
Installer Technology Co.
Integrity Level:
HIGH
Description:
Open Software Updater Uninstall Component
Exit code:
0
Version:
1.0.0.1
Modules
Images
c:\program files\fireplayer\helper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msimg32.dll
3544"C:\Program Files\FirePlayer\FirePlayer.exe" C:\Program Files\FirePlayer\FirePlayer.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
FirePlayer
Exit code:
3221225477
Version:
1.0.0.2
Modules
Images
c:\program files\fireplayer\fireplayer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\fireplayer\avutil-54.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\fireplayer\swscale-3.dll
3840fireplayr.exeC:\Program Files\FirePlayer\fireplayr.exe
fegrgre.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\fireplayer\fireplayr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
3932"C:\Users\admin\AppData\Local\Temp\fegrgre.exe" C:\Users\admin\AppData\Local\Temp\fegrgre.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
FirePlayer
Exit code:
0
Version:
3.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\fegrgre.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events
637
Read events
561
Write events
76
Delete events
0

Modification events

(PID) Process:(3932) fegrgre.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3932) fegrgre.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3932) fegrgre.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3932) fegrgre.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3932) fegrgre.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3932) fegrgre.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3932) fegrgre.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3932) fegrgre.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3932) fegrgre.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3932) fegrgre.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fegrgre_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
25
Suspicious files
4
Text files
4
Unknown types
4

Dropped files

PID
Process
Filename
Type
3932fegrgre.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@fireplayr[1].txttext
MD5:
SHA256:
3932fegrgre.exeC:\Program Files\FirePlayer\fireplayr.exeexecutable
MD5:
SHA256:
3932fegrgre.exeC:\Users\admin\AppData\Local\Temp\nsv52.tmp\Banner.dllexecutable
MD5:724775057FE3B1ADC5A300C5500F4D50
SHA256:724D8D3CF658078957A4FEE9B0EF9B4C2D6A24DABDA5FD171F8DD3C85FEB9089
3932fegrgre.exeC:\Users\admin\AppData\Local\Temp\nsv52.tmp\System.dllexecutable
MD5:68EDAAFEF887C72F0D85D4D64B6CBF52
SHA256:7D8CE82F2B89F544ED90CC8FEBFCFA57B32D2C8600BB77F79BC8D8980F0F7477
3932fegrgre.exeC:\Users\admin\AppData\Local\Temp\nsv52.tmp\Dialogs.dllexecutable
MD5:E5AA0927211A4D4B3E031F47BA439C8C
SHA256:05A26836196F1031EE7A9CA96C67FE99B4A5548A43A453C8D0AA6D052C32408C
3840fireplayr.exeC:\Program Files\FirePlayer\helper.exeexecutable
MD5:
SHA256:
3932fegrgre.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\fireplayr_setup_component[1].exeexecutable
MD5:
SHA256:
3840fireplayr.exeC:\Program Files\FirePlayer\avcodec-56.dllexecutable
MD5:E638B69AC85EA4FFD53A4E9069428337
SHA256:1E682257833BE9EF7004ACB46CE3B7CBE03E802BAF83B5E25C9E63DFF7CF103A
3932fegrgre.exeC:\Users\admin\AppData\Local\Temp\nsv52.tmp\nsDialogs.dllexecutable
MD5:81F3A42E13F56DD241E838D6E90D7E65
SHA256:908ED8726550D255CBBB2E3F1172A57B16087315A96E95D3BF9EDA5D5A9C6326
3840fireplayr.exeC:\Program Files\FirePlayer\FirePlayer.exeexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
1

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3932
fegrgre.exe
104.18.71.49:443
installer.fireplayr.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
installer.fireplayr.com
  • 104.18.71.49
  • 104.18.70.49
unknown

Threats

PID
Process
Class
Message
3932
fegrgre.exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
fegrgre.exe