freefixersetup.exe

Full analysis: https://app.any.run/tasks/d1e79a66-0567-434f-8b64-de45ad2d3426
Verdict: Malicious activity
Analysis date: September 04, 2018, 11:17:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: installer
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 4B0BE16956BB11C2A076901366367CD9
SHA1: 6B89B7773354E64A6B04F46DB6EB0C3E6234A0EE
SHA256: E6E592282C822779015484094E2557A5E9987FFEBF9E465EA4B8BCECAA53920C
SSDEEP: 49152:2i0+tWJOUToh0ZOup2KsR/ZxiAe1mKxxMBvTZ+IlbfGElNdCAjiIG8xL:APjORR/fP0PxMFtGElaUNGK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • freefixer.exe (PID: 128)
      • freefixer.exe (PID: 2604)
    • Loads dropped or rewritten executable

      • freefixersetup.exe (PID: 3316)
    • Loads the Task Scheduler COM API

      • freefixer.exe (PID: 128)
      • freefixer.exe (PID: 2604)
    • Loads the Task Scheduler DLL interface

      • freefixer.exe (PID: 2604)
      • freefixer.exe (PID: 128)
    • Changes settings of System certificates

      • freefixer.exe (PID: 128)
  • SUSPICIOUS

    • Creates files in the program directory

      • freefixersetup.exe (PID: 3316)
    • Creates a software uninstall entry

      • freefixersetup.exe (PID: 3316)
    • Executable content was dropped or overwritten

      • freefixersetup.exe (PID: 3316)
    • Creates files in the user directory

      • freefixersetup.exe (PID: 3316)
    • Creates files in the Windows directory

      • freefixer.exe (PID: 2604)
    • Reads internet explorer settings

      • freefixer.exe (PID: 128)
    • Adds / modifies Windows certificates

      • freefixer.exe (PID: 128)
  • INFO

    • Dropped object may contain URL's

      • freefixersetup.exe (PID: 3316)
      • freefixer.exe (PID: 128)
    • Reads settings of System Certificates

      • freefixer.exe (PID: 128)
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:12:05 23:50:52+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 24064
InitializedDataSize: 164864
UninitializedDataSize: 1024
EntryPoint: 0x30fa
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.18.0.0
ProductVersionNumber: 1.18.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
Comments: FreeFixer is a tool for manual removal of unwanted software.
CompanyName: Kephyr
FileDescription: FreeFixer
FileVersion: 1.18
LegalCopyright: © Roger Karlsson
ProductName: FreeFixer
ProductVersion: 1.18

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 05-Dec-2009 22:50:52
Detected languages:
  • English - United States
Comments: FreeFixer is a tool for manual removal of unwanted software.
CompanyName: Kephyr
FileDescription: FreeFixer
FileVersion: 1.18
LegalCopyright: © Roger Karlsson
ProductName: FreeFixer
ProductVersion: 1.18

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 05-Dec-2009 22:50:52
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00005C4C | 0x00005E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.44011
.rdata | 0x00007000 | 0x0000129C | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.04684
.data | 0x00009000 | 0x00025C58 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.801
.ndata | 0x0002F000 | 0x00016000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x00045000 | 0x00004EE0 | 0x00005000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.68974

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.21482 | 958 | UNKNOWN | English - United States | RT_MANIFEST
2 | 5.9993 | 3752 | UNKNOWN | English - United States | RT_ICON
3 | 6.24459 | 2216 | UNKNOWN | English - United States | RT_ICON
4 | 5.01502 | 1384 | UNKNOWN | English - United States | RT_ICON
5 | 6.16057 | 1128 | UNKNOWN | English - United States | RT_ICON
6 | 3.34146 | 744 | UNKNOWN | English - United States | RT_ICON
7 | 3.04232 | 296 | UNKNOWN | English - United States | RT_ICON
102 | 2.71813 | 180 | UNKNOWN | English - United States | RT_DIALOG
103 | 2.6691 | 104 | UNKNOWN | English - United States | RT_GROUP_ICON
104 | 2.70992 | 344 | UNKNOWN | English - United States | RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
Total processes: 39
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 1

Behavior graph

[Behavior graph image omitted. Nodes: freefixersetup.exe, freefixer.exe, freefixer.exe (no specs), freefixersetup.exe (no specs). Edge labels: drop and start, drop and start, start.]

Process information

PID: 128
CMD: "C:\Program Files\FreeFixer\freefixer.exe"
Path: C:\Program Files\FreeFixer\freefixer.exe
Parent process: freefixersetup.exe
User: admin
Company: Kephyr
Integrity Level: HIGH
Description: FreeFixer - Removes adware, spyware, trojans, etc.
Exit code: 0
Version: 1, 1, 8, 0
Modules (images):
c:\program files\freefixer\freefixer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\userenv.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll

PID: 2604
CMD: "C:\Program Files\FreeFixer\freefixer.exe" -add_sched_task -exit
Path: C:\Program Files\FreeFixer\freefixer.exe
Parent process: freefixersetup.exe
User: admin
Company: Kephyr
Integrity Level: HIGH
Description: FreeFixer - Removes adware, spyware, trojans, etc.
Exit code: 1
Version: 1, 1, 8, 0
Modules (images):
c:\program files\freefixer\freefixer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\userenv.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll

PID: 3092
CMD: "C:\Users\admin\AppData\Local\Temp\freefixersetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\freefixersetup.exe
Parent process: explorer.exe
User: admin
Company: Kephyr
Integrity Level: MEDIUM
Description: FreeFixer
Exit code: 3221226540
Version: 1.18
Modules (images):
c:\users\admin\appdata\local\temp\freefixersetup.exe
c:\systemroot\system32\ntdll.dll

PID: 3316
CMD: "C:\Users\admin\AppData\Local\Temp\freefixersetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\freefixersetup.exe
Parent process: explorer.exe
User: admin
Company: Kephyr
Integrity Level: HIGH
Description: FreeFixer
Exit code: 0
Version: 1.18
Modules (images):
c:\users\admin\appdata\local\temp\freefixersetup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events: 703
Read events: 670
Write events: 33
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
3316 | freefixersetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FreeFixer1.18 | write | DisplayName | FreeFixer
3316 | freefixersetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FreeFixer1.18 | write | Publisher | Kephyr
3316 | freefixersetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FreeFixer1.18 | write | DisplayVersion | 1.18
3316 | freefixersetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FreeFixer1.18 | write | UninstallString | "C:\Program Files\FreeFixer\uninstall.exe"
3316 | freefixersetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FreeFixer1.18 | write | NoModify | 1
3316 | freefixersetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FreeFixer1.18 | write | NoRepair | 1
3316 | freefixersetup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
3316 | freefixersetup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1
128 | freefixer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
128 | freefixer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1
Executable files: 5
Suspicious files: 97
Text files: 54
Unknown types: 45

Dropped files

PID | Process | Filename | Type
3316 | freefixersetup.exe | C:\Users\admin\AppData\Local\Temp\nsu6B5B.tmp\modern-wizard.bmp | image
MD5: CBE40FD2B1EC96DAEDC65DA172D90022
SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
3316 | freefixersetup.exe | C:\Program Files\FreeFixer\system\shellicons\dll.ico | image
MD5: 5BCFA0AC0B00BD42FC67C741CBACF0D9
SHA256: F865F475D5303B5135F82742F7E956939A4D1E7126DA9EAB11F72E32BABE8AAC
3316 | freefixersetup.exe | C:\Program Files\FreeFixer\system\shellicons\freefixer.ico | image
MD5: 1C80EE37BE41250B77512DB054E8CF00
SHA256: 52B545F68C24E806696BA53BE067DB19E1D4B4DA8082BA3B07D848782F8C17C1
3316 | freefixersetup.exe | C:\Program Files\FreeFixer\system\gradient.gif | image
MD5: 662B44402ED6BE9527760D781045BAFF
SHA256: 3EA61940DFA74167F12B8E3120F2D74363551D579F4B6BF5EE729BCCA3A2BA57
3316 | freefixersetup.exe | C:\Program Files\FreeFixer\tools\ffnd\enable-logging.reg | text
MD5: 8A67151E3D4B341B62E013175F46639F
SHA256: 779041E630792E56ECFCF73683C1F793A3ABCDC0B08258E6B795E020742D7768
3316 | freefixersetup.exe | C:\Program Files\FreeFixer\tools\ffnd\disable-logging.reg | text
MD5: 600705D7A71A4F444431CBE19B6643F0
SHA256: 21816A95B4CF52918538732172470F0BE9F78178F9C50F5586EC5E384B5FF61B
3316 | freefixersetup.exe | C:\Program Files\FreeFixer\definitions\readme.txt | text
MD5: E70397BD8BE012EDC34DF798AA0A1BC6
SHA256: EC303CC5F60881D628E92A1EB95CF62FDD4B6BA82FFB9E96C3BD06721AF06172
3316 | freefixersetup.exe | C:\Program Files\FreeFixer\system\donate.gif | image
MD5: 4525C2AD55EAFD47EE367F1A6CCB7C1D
SHA256: 74DD45EF012E1FC144C84C7E25D9074602897204C64C690AFF46B03953F2A9EA
3316 | freefixersetup.exe | C:\Program Files\FreeFixer\tools\ffnd\enable-logging.bat | text
MD5: 1EE06D744E51B05AE2FAFCC5154C8201
SHA256: E2AE77A8DBE038C1AE80DB3E84C628586F0FF32FE12DC833E54CF32062B66CC1
3316 | freefixersetup.exe | C:\Program Files\FreeFixer\system\shellicons\exe.ico | image
MD5: 0FAB2D4BD46DEAD46DA00774D181EF6D
SHA256: 7BE4792151CAD258F27DA2C8517EA0CBF4B24B1FA2F2C168DFF44845D8A2A8BD
HTTP(S) requests: 50
TCP/UDP connections: 22
DNS requests: 21
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
128 | freefixer.exe | GET | | 104.16.92.188:80 | http://crt.comodoca.com/COMODORSAAddTrustCA.crt | US | | | whitelisted
128 | freefixer.exe | GET | 200 | 23.37.43.27:80 | http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQJ1TBLBrQ9OnPHXPVaWb87MxkNlgQUwu79F9f%2Btw%2FGciJ7fvbA4gIz7D4CEH6T6%2Ft8xk5Z6kuad9QG%2FDs%3D | NL | der | 1.30 Kb | whitelisted
128 | freefixer.exe | GET | 200 | 23.37.43.27:80 | http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D | NL | der | 1.71 Kb | whitelisted
128 | freefixer.exe | GET | 200 | 95.101.72.68:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | der | 824 b | whitelisted
128 | freefixer.exe | GET | 200 | 23.37.43.27:80 | http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEBLwJ34PIzs5%2BUGbBujN41I%3D | NL | der | 1.57 Kb | shared
128 | freefixer.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 53.8 Kb | whitelisted
128 | freefixer.exe | GET | 200 | 23.37.43.27:80 | http://ts-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRi82PVYYKWGJWdgVNyePy5kYTdqQQUX5r1blzMzHSa1N197z%2Fb7EyALt0CEA7P9DjI%2Fr81bgTYapgbGlA%3D | NL | der | 1.43 Kb | whitelisted
128 | freefixer.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAG8ovlZN%2BP4UPVGs7YNqG8%3D | US | der | 471 b | whitelisted
128 | freefixer.exe | GET | 200 | 2.20.188.235:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg%2F4pN%2Buv5pmq4z%2FnmS71JzhICEFKeP5%2FPfVjVINYHq3Q5UAI%3D | unknown | der | 471 b | whitelisted
128 | freefixer.exe | GET | 200 | 2.20.188.235:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS%2FpT9HLfNNK8%3D | unknown | der | 727 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
128 | freefixer.exe | 23.37.43.27:80 | s2.symcb.com | Akamai Technologies, Inc. | NL | whitelisted
128 | freefixer.exe | 95.101.72.68:80 | crl.microsoft.com | Akamai International B.V. | | whitelisted
128 | freefixer.exe | 104.16.92.188:80 | crt.comodoca.com | Cloudflare Inc | US | shared
128 | freefixer.exe | 104.89.34.252:80 | www.microsoft.com | Akamai Technologies, Inc. | NL | whitelisted
128 | freefixer.exe | 93.184.221.240:80 | www.download.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
128 | freefixer.exe | 2.20.188.252:80 | ocsp.usertrust.com | Akamai International B.V. | | whitelisted
128 | freefixer.exe | 104.18.21.226:80 | crl.globalsign.net | Cloudflare Inc | US | shared
128 | freefixer.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
128 | freefixer.exe | 2.20.188.235:80 | ocsp.comodoca.com | Akamai International B.V. | | whitelisted
128 | freefixer.exe | 104.17.103.175:80 | crl.usertrust.com | Cloudflare Inc | US | shared

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 95.101.72.68, 95.101.72.17 | whitelisted
s2.symcb.com | 23.37.43.27 | whitelisted
sv.symcd.com | 23.37.43.27 | shared
ocsp.thawte.com | 23.37.43.27 | whitelisted
ts-ocsp.ws.symantec.com | 23.37.43.27 | whitelisted
www.microsoft.com | 104.89.34.252 | whitelisted
crt.comodoca.com | 104.16.92.188, 104.16.93.188, 104.16.91.188, 104.16.90.188, 104.16.89.188 | whitelisted
www.download.windowsupdate.com | 93.184.221.240 | whitelisted
ocsp.comodoca.com | 2.20.188.235, 2.20.188.170 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted

Threats

No threats detected
No debug info