freefixersetup.exe

Full analysis: https://app.any.run/tasks/d1e79a66-0567-434f-8b64-de45ad2d3426
Verdict: Malicious activity
Analysis date: September 04, 2018, 11:17:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

4B0BE16956BB11C2A076901366367CD9

SHA1:

6B89B7773354E64A6B04F46DB6EB0C3E6234A0EE

SHA256:

E6E592282C822779015484094E2557A5E9987FFEBF9E465EA4B8BCECAA53920C

SSDEEP:

49152:2i0+tWJOUToh0ZOup2KsR/ZxiAe1mKxxMBvTZ+IlbfGElNdCAjiIG8xL:APjORR/fP0PxMFtGElaUNGK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • freefixer.exe (PID: 2604)
      • freefixer.exe (PID: 128)
    • Loads the Task Scheduler COM API

      • freefixer.exe (PID: 2604)
      • freefixer.exe (PID: 128)
    • Loads dropped or rewritten executable

      • freefixersetup.exe (PID: 3316)
    • Loads the Task Scheduler DLL interface

      • freefixer.exe (PID: 2604)
      • freefixer.exe (PID: 128)
    • Changes settings of System certificates

      • freefixer.exe (PID: 128)
  • SUSPICIOUS

    • Creates files in the program directory

      • freefixersetup.exe (PID: 3316)
    • Creates a software uninstall entry

      • freefixersetup.exe (PID: 3316)
    • Executable content was dropped or overwritten

      • freefixersetup.exe (PID: 3316)
    • Creates files in the Windows directory

      • freefixer.exe (PID: 2604)
    • Creates files in the user directory

      • freefixersetup.exe (PID: 3316)
    • Reads internet explorer settings

      • freefixer.exe (PID: 128)
    • Adds / modifies Windows certificates

      • freefixer.exe (PID: 128)
  • INFO

    • Dropped object may contain URL's

      • freefixersetup.exe (PID: 3316)
      • freefixer.exe (PID: 128)
    • Reads settings of System Certificates

      • freefixer.exe (PID: 128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:12:05 23:50:52+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 24064
InitializedDataSize: 164864
UninitializedDataSize: 1024
EntryPoint: 0x30fa
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.18.0.0
ProductVersionNumber: 1.18.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
Comments: FreeFixer is a tool for manual removal of unwanted software.
CompanyName: Kephyr
FileDescription: FreeFixer
FileVersion: 1.18
LegalCopyright: © Roger Karlsson
ProductName: FreeFixer
ProductVersion: 1.18

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 05-Dec-2009 22:50:52
Detected languages:
  • English - United States
Comments: FreeFixer is a tool for manual removal of unwanted software.
CompanyName: Kephyr
FileDescription: FreeFixer
FileVersion: 1.18
LegalCopyright: © Roger Karlsson
ProductName: FreeFixer
ProductVersion: 1.18

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 05-Dec-2009 22:50:52
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00005C4C | 0x00005E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.44011
.rdata | 0x00007000 | 0x0000129C | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.04684
.data | 0x00009000 | 0x00025C58 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.801
.ndata | 0x0002F000 | 0x00016000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x00045000 | 0x00004EE0 | 0x00005000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.68974

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.21482 | 958 | UNKNOWN | English - United States | RT_MANIFEST
2 | 5.9993 | 3752 | UNKNOWN | English - United States | RT_ICON
3 | 6.24459 | 2216 | UNKNOWN | English - United States | RT_ICON
4 | 5.01502 | 1384 | UNKNOWN | English - United States | RT_ICON
5 | 6.16057 | 1128 | UNKNOWN | English - United States | RT_ICON
6 | 3.34146 | 744 | UNKNOWN | English - United States | RT_ICON
7 | 3.04232 | 296 | UNKNOWN | English - United States | RT_ICON
102 | 2.71813 | 180 | UNKNOWN | English - United States | RT_DIALOG
103 | 2.6691 | 104 | UNKNOWN | English - United States | RT_GROUP_ICON
104 | 2.70992 | 344 | UNKNOWN | English - United States | RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 1

Behavior graph


Process information

PID: 128 | CMD: "C:\Program Files\FreeFixer\freefixer.exe" | Path: C:\Program Files\FreeFixer\freefixer.exe | Parent process: freefixersetup.exe
User: admin
Company: Kephyr
Integrity Level: HIGH
Description: FreeFixer - Removes adware, spyware, trojans, etc.
Exit code: 0
Version: 1, 1, 8, 0
Modules
Images
c:\program files\freefixer\freefixer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\userenv.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
PID: 2604 | CMD: "C:\Program Files\FreeFixer\freefixer.exe" -add_sched_task -exit | Path: C:\Program Files\FreeFixer\freefixer.exe | Parent process: freefixersetup.exe
User: admin
Company: Kephyr
Integrity Level: HIGH
Description: FreeFixer - Removes adware, spyware, trojans, etc.
Exit code: 1
Version: 1, 1, 8, 0
Modules
Images
c:\program files\freefixer\freefixer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\userenv.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
PID: 3092 | CMD: "C:\Users\admin\AppData\Local\Temp\freefixersetup.exe" | Path: C:\Users\admin\AppData\Local\Temp\freefixersetup.exe | Parent process: explorer.exe
User: admin
Company: Kephyr
Integrity Level: MEDIUM
Description: FreeFixer
Exit code: 3221226540
Version: 1.18
Modules
Images
c:\users\admin\appdata\local\temp\freefixersetup.exe
c:\systemroot\system32\ntdll.dll
PID: 3316 | CMD: "C:\Users\admin\AppData\Local\Temp\freefixersetup.exe" | Path: C:\Users\admin\AppData\Local\Temp\freefixersetup.exe | Parent process: explorer.exe
User: admin
Company: Kephyr
Integrity Level: HIGH
Description: FreeFixer
Exit code: 0
Version: 1.18
Modules
Images
c:\users\admin\appdata\local\temp\freefixersetup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events: 703
Read events: 670
Write events: 33
Delete events: 0

Modification events

Process: (3316) freefixersetup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FreeFixer1.18 | Operation: write | Name: DisplayName | Value: FreeFixer
Process: (3316) freefixersetup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FreeFixer1.18 | Operation: write | Name: Publisher | Value: Kephyr
Process: (3316) freefixersetup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FreeFixer1.18 | Operation: write | Name: DisplayVersion | Value: 1.18
Process: (3316) freefixersetup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FreeFixer1.18 | Operation: write | Name: UninstallString | Value: "C:\Program Files\FreeFixer\uninstall.exe"
Process: (3316) freefixersetup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FreeFixer1.18 | Operation: write | Name: NoModify | Value: 1
Process: (3316) freefixersetup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FreeFixer1.18 | Operation: write | Name: NoRepair | Value: 1
Process: (3316) freefixersetup.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 0
Process: (3316) freefixersetup.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 1
Process: (128) freefixer.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 0
Process: (128) freefixer.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 1
Executable files: 5
Suspicious files: 97
Text files: 54
Unknown types: 45

Dropped files

PID | Process | Filename | Type
3316 | freefixersetup.exe | C:\Users\admin\AppData\Local\Temp\nsu6B5B.tmp\modern-wizard.bmp | image
MD5:CBE40FD2B1EC96DAEDC65DA172D90022
SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
3316 | freefixersetup.exe | C:\Program Files\FreeFixer\system\shellicons\bat.ico | image
MD5:3149C9BB7DF81F0250CDACA666220FDF
SHA256:B8C3F7025B93D03751CFE8B4178D8E86D59B0D86652166F064C0AFB2B1B2E687
3316 | freefixersetup.exe | C:\Program Files\FreeFixer\system\shellicons\freefixer.ico | image
MD5:1C80EE37BE41250B77512DB054E8CF00
SHA256:52B545F68C24E806696BA53BE067DB19E1D4B4DA8082BA3B07D848782F8C17C1
3316 | freefixersetup.exe | C:\Program Files\FreeFixer\system\shellicons\msdos.ico | image
MD5:9AF91E99AFAB578211B71CBAD9FE5A13
SHA256:F34B66FE3A70C92F0FDDD13D14544F60652F197D13BF6865CCE99AF94F131C69
3316 | freefixersetup.exe | C:\Program Files\FreeFixer\system\shellicons\exe.ico | image
MD5:0FAB2D4BD46DEAD46DA00774D181EF6D
SHA256:7BE4792151CAD258F27DA2C8517EA0CBF4B24B1FA2F2C168DFF44845D8A2A8BD
3316 | freefixersetup.exe | C:\Users\admin\AppData\Local\Temp\nsu6B5B.tmp\System.dll | executable
MD5:C17103AE9072A06DA581DEC998343FC1
SHA256:DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F
3316 | freefixersetup.exe | C:\Program Files\FreeFixer\tools\ffnd\enable-logging.bat | text
MD5:1EE06D744E51B05AE2FAFCC5154C8201
SHA256:E2AE77A8DBE038C1AE80DB3E84C628586F0FF32FE12DC833E54CF32062B66CC1
3316 | freefixersetup.exe | C:\Program Files\FreeFixer\tools\ffnd\readme.txt | text
MD5:E6F0824C92C36F908992FA703BBF6FFD
SHA256:DF3611349E21F40FF29D63BD526B1677DA1B35162C2BE8FF80F1B2880F8C13E0
3316 | freefixersetup.exe | C:\Program Files\FreeFixer\tools\ffnd\disable-logging.bat | text
MD5:378E658C71A3FEB21575E344DA0B4CCD
SHA256:6CC98D1B60531C9D89EFED61011B56D1DCF1D29B95852E4DE6BD935288CD724E
3316 | freefixersetup.exe | C:\Program Files\FreeFixer\system\shellicons\new.png | image
MD5:C7F6B9FC58A419B2B42C3B48B3A95098
SHA256:17D575995A318CF36A4E136D0CB9B20E66216F8B68417054DEEA6585ECC2A969
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 50
TCP/UDP connections: 22
DNS requests: 21
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
128 | freefixer.exe | GET | - | 104.16.92.188:80 | http://crt.comodoca.com/COMODORSAAddTrustCA.crt | US | - | - | whitelisted
128 | freefixer.exe | GET | 200 | 95.101.72.68:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | unknown | der | 781 b | whitelisted
128 | freefixer.exe | GET | 200 | 23.37.43.27:80 | http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQJ1TBLBrQ9OnPHXPVaWb87MxkNlgQUwu79F9f%2Btw%2FGciJ7fvbA4gIz7D4CEH6T6%2Ft8xk5Z6kuad9QG%2FDs%3D | NL | der | 1.30 Kb | whitelisted
128 | freefixer.exe | GET | 200 | 23.37.43.27:80 | http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D | NL | der | 1.71 Kb | whitelisted
128 | freefixer.exe | GET | 200 | 23.37.43.27:80 | http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEBLwJ34PIzs5%2BUGbBujN41I%3D | NL | der | 1.57 Kb | shared
128 | freefixer.exe | GET | 200 | 23.37.43.27:80 | http://ts-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRi82PVYYKWGJWdgVNyePy5kYTdqQQUX5r1blzMzHSa1N197z%2Fb7EyALt0CEA7P9DjI%2Fr81bgTYapgbGlA%3D | NL | der | 1.43 Kb | whitelisted
128 | freefixer.exe | GET | 200 | 95.101.72.68:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | der | 1.11 Kb | whitelisted
128 | freefixer.exe | GET | 200 | 95.101.72.68:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | der | 555 b | whitelisted
128 | freefixer.exe | GET | 200 | 95.101.72.68:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | der | 824 b | whitelisted
128 | freefixer.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 53.8 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
128 | freefixer.exe | 95.101.72.68:80 | crl.microsoft.com | Akamai International B.V. | - | whitelisted
128 | freefixer.exe | 23.37.43.27:80 | s2.symcb.com | Akamai Technologies, Inc. | NL | whitelisted
128 | freefixer.exe | 104.89.34.252:80 | www.microsoft.com | Akamai Technologies, Inc. | NL | whitelisted
128 | freefixer.exe | 104.16.92.188:80 | crt.comodoca.com | Cloudflare Inc | US | shared
128 | freefixer.exe | 93.184.221.240:80 | www.download.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
128 | freefixer.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
128 | freefixer.exe | 2.20.188.235:80 | ocsp.comodoca.com | Akamai International B.V. | - | whitelisted
128 | freefixer.exe | 2.20.188.252:80 | ocsp.usertrust.com | Akamai International B.V. | - | whitelisted
128 | freefixer.exe | 104.18.21.226:80 | crl.globalsign.net | Cloudflare Inc | US | shared
128 | freefixer.exe | 151.101.2.133:80 | crl.globalsign.com | Fastly | US | malicious

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 95.101.72.68, 95.101.72.17 | whitelisted
s2.symcb.com | 23.37.43.27 | whitelisted
sv.symcd.com | 23.37.43.27 | shared
ocsp.thawte.com | 23.37.43.27 | whitelisted
ts-ocsp.ws.symantec.com | 23.37.43.27 | whitelisted
www.microsoft.com | 104.89.34.252 | whitelisted
crt.comodoca.com | 104.16.92.188, 104.16.93.188, 104.16.91.188, 104.16.90.188, 104.16.89.188 | whitelisted
www.download.windowsupdate.com | 93.184.221.240 | whitelisted
ocsp.comodoca.com | 2.20.188.235, 2.20.188.170 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted

Threats

No threats detected
No debug info