File name: | fegrgre.exe |
Full analysis: | https://app.any.run/tasks/7a1d8a19-99a1-47f2-83c0-b4fd30f4e189 |
Verdict: | Malicious activity |
Analysis date: | April 15, 2019, 07:18:12 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | 7955A000C54353D47D8AA83CE2CF465D |
SHA1: | 32239C14026E799B96908CFC104CDB38D82C2E4B |
SHA256: | 43A50C0036B80B7640F0E282364F0212D2334CB599A9D1F4433A399CC46AA9B6 |
SSDEEP: | 6144:GF4p+COS6Izisa8ZjtKpeYOHL7F8IxmcIuoRmFd3U5IYjFcG:S7hwva8ZhKpor7uIxmcvo4FdUGG |
.exe | | | NSIS - Nullsoft Scriptable Install System (91.9) |
---|---|---|
.exe | | | Win32 Executable MS Visual C++ (generic) (3.3) |
.exe | | | Win64 Executable (generic) (3) |
.dll | | | Win32 Dynamic Link Library (generic) (0.7) |
.exe | | | Win32 Executable (generic) (0.4) |
ProductName: | FirePlayer |
---|---|
LegalCopyright: | (c) 2015 |
FileVersion: | 3.0.0.0 |
FileDescription: | FirePlayer |
CompanyName: | - |
CharacterSet: | Windows, Latin1 |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 3.0.0.0 |
FileVersionNumber: | 3.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x30c2 |
UninitializedDataSize: | 1024 |
InitializedDataSize: | 119808 |
CodeSize: | 23040 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2008:12:20 13:40:58+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 20-Dec-2008 12:40:58 |
Detected languages: |
|
CompanyName: | - |
FileDescription: | FirePlayer |
FileVersion: | 3.0.0.0 |
LegalCopyright: | (c) 2015 |
ProductName: | FirePlayer |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D0 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 20-Dec-2008 12:40:58 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000058C2 | 0x00005A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.43003 |
.rdata | 0x00007000 | 0x00001190 | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.17644 |
.data | 0x00009000 | 0x0001AF78 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.61697 |
.ndata | 0x00024000 | 0x00010000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00034000 | 0x00004208 | 0x00004400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.24702 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.08494 | 733 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 1.46152 | 3752 | UNKNOWN | English - United States | RT_ICON |
3 | 0 | 2216 | UNKNOWN | English - United States | RT_ICON |
4 | 0 | 1384 | UNKNOWN | English - United States | RT_ICON |
5 | 0 | 1128 | UNKNOWN | English - United States | RT_ICON |
6 | 0 | 744 | UNKNOWN | English - United States | RT_ICON |
7 | 0 | 296 | UNKNOWN | English - United States | RT_ICON |
103 | 3.31223 | 104 | UNKNOWN | English - United States | RT_GROUP_ICON |
105 | 2.69888 | 548 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.91148 | 248 | UNKNOWN | English - United States | RT_DIALOG |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
VERSION.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3052 | "C:\Users\admin\AppData\Local\Temp\fegrgre.exe" | C:\Users\admin\AppData\Local\Temp\fegrgre.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: FirePlayer Exit code: 3221226540 Version: 3.0.0.0 | ||||
3932 | "C:\Users\admin\AppData\Local\Temp\fegrgre.exe" | C:\Users\admin\AppData\Local\Temp\fegrgre.exe | explorer.exe | |
User: admin Integrity Level: HIGH Description: FirePlayer Exit code: 0 Version: 3.0.0.0 | ||||
3840 | fireplayr.exe | C:\Program Files\FirePlayer\fireplayr.exe | fegrgre.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
3412 | "C:\Program Files\FirePlayer\helper.exe" -fireplayer.exe | C:\Program Files\FirePlayer\helper.exe | — | fireplayr.exe |
User: admin Company: Installer Technology Co. Integrity Level: HIGH Description: Open Software Updater Uninstall Component Exit code: 0 Version: 1.0.0.1 | ||||
1380 | "C:\Program Files\FirePlayer\FirePlayer.exe" | C:\Program Files\FirePlayer\FirePlayer.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Description: FirePlayer Exit code: 3221225477 Version: 1.0.0.2 | ||||
2592 | C:\Windows\system32\WerFault.exe -u -p 1380 -s 436 | C:\Windows\system32\WerFault.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3544 | "C:\Program Files\FirePlayer\FirePlayer.exe" | C:\Program Files\FirePlayer\FirePlayer.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Description: FirePlayer Exit code: 3221225477 Version: 1.0.0.2 | ||||
2764 | C:\Windows\system32\WerFault.exe -u -p 3544 -s 432 | C:\Windows\system32\WerFault.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3840 | fireplayr.exe | C:\Windows\Fonts\coolvetica_rg.ttf | ttf | |
MD5:4F9C46C1BDC961ED94EB04475BE1237C | SHA256:0A51B7D1F9987406AEB8E07CDB4EEDDA00A2AF7146D6112D1CCA05E341E45035 | |||
3932 | fegrgre.exe | C:\Program Files\FirePlayer\fireplayr.exe | executable | |
MD5:BB06E34C0C5B83C08C8F5D2A666011D6 | SHA256:6F3472679B860437C85EF9513E44B1D789E6CE64CF710FBE8644D04324AB5721 | |||
3932 | fegrgre.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\fireplayr_setup_component[1].exe | executable | |
MD5:BB06E34C0C5B83C08C8F5D2A666011D6 | SHA256:6F3472679B860437C85EF9513E44B1D789E6CE64CF710FBE8644D04324AB5721 | |||
3840 | fireplayr.exe | C:\Program Files\FirePlayer\avfilter-5.dll | executable | |
MD5:E948A8E9E237E547F091E2F6830E8462 | SHA256:3D2DAA76821B148CA4B4A79524D3EBDE975B0699E8DA8E690C3B37DAF7B92715 | |||
3932 | fegrgre.exe | C:\Users\admin\AppData\Local\Temp\nsv52.tmp\TopLogo1.bmp | image | |
MD5:B7BC2601F184F7AF24FCAD2DEB5684B4 | SHA256:9259068CECC4FD9D46FAC213D42EC014017323F607ABC38006D12F0E448A7724 | |||
3840 | fireplayr.exe | C:\Program Files\FirePlayer\helper.exe | executable | |
MD5:DFA4AE9C03DD5DD44AD1EB97F4E834CB | SHA256:F13BDD164282AEDF86CE49B5A3278A4D6ED25A4E0B95F2D8782B394D15528E5B | |||
3932 | fegrgre.exe | C:\Users\admin\AppData\Local\Temp\nsv52.tmp\inetc.dll | executable | |
MD5:C8145FCAE89E1FAE96F4E00B4AF0FDF9 | SHA256:A52947C70A9F6FD50573DFB5075D5513945DD7CDD0BE98489FF88771A5946170 | |||
3932 | fegrgre.exe | C:\Users\admin\AppData\Local\Temp\nsv52.tmp\Banner.dll | executable | |
MD5:724775057FE3B1ADC5A300C5500F4D50 | SHA256:1021A2C9799F031943428D2DF4A179C3AA0A1333286CDC0EF705395076BE053E | |||
3932 | fegrgre.exe | C:\Users\admin\AppData\Local\Temp\nsv52.tmp\Dialogs.dll | executable | |
MD5:E5AA0927211A4D4B3E031F47BA439C8C | SHA256:D7B8C119BF02E1EB9008CF3AFCAC9E6C514522DDCFA11C8B77696ECE8F80F45A | |||
3932 | fegrgre.exe | C:\Users\admin\AppData\Local\Temp\nsv52.tmp\nsDialogs.dll | executable | |
MD5:81F3A42E13F56DD241E838D6E90D7E65 | SHA256:908ED8726550D255CBBB2E3F1172A57B16087315A96E95D3BF9EDA5D5A9C6326 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3932 | fegrgre.exe | 104.18.71.49:443 | installer.fireplayr.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
installer.fireplayr.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3932 | fegrgre.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |