firefxs.exe

Install

Shan Feng

The application firefxs.exe by Shan Feng has been detected as a potentially unwanted program by 14 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘LhwQX6JZMniQ5N30’.
Publisher:
Develop Ltd. (signed by Shan Feng)

Product:
Install

Version:
4,2,4,7

MD5:
f28f3804e942556ab3125278410a11f0

SHA-1:
c9cf47f638a52c23e1ae981b2f555203694a55a3

SHA-256:
b5a121f40de481d47f64a24631330104ea6cfbcb8b8af414fd1fc882b9bda1d5

Scanner detections:
14 / 68

Status:
Potentially unwanted

Analysis date:
11/16/2024 3:45:09 AM UTC

Scan engine
Detection
Engine version

AegisLab AV Signature
Virus.C7D.Gen!c
2.1.4+

Avira AntiVirus
ADWARE/Mutabaha.mexq
8.3.3.4

avast!
Win32:Adware-gen [Adw]
2014.9-160517

AVG
Generic
2017.0.2741

Dr.Web
Adware.Mutabaha.1252
9.0.1.0138

Fortinet FortiGate
W32/Crypmod.XRL!tr
5/17/2016

IKARUS anti.virus
Trojan-Ransom.Win32.Crypmod
t3scan.2.0.9.0

Malwarebytes
Ransom.FileCryptor
v2016.05.17.04

McAfee
Artemis!F28F3804E942
5600.6397

NANO AntiVirus
Riskware.Win32.Mutabaha.ecjxnh
1.0.30.8213

Qihoo 360 Security
HEUR/QVM20.1.Malware.Gen
1.0.0.1120

Rising Antivirus
Malware.Undefined!8.C-woD3sIUMUeT (Cloud)
23.00.65.16515

Sophos
Generic PUA MJ (PUA)
4.98

Trend Micro House Call
Ransom_CRYPRAAS.SMA1
7.2.138

File size:
351.3 KB (359,704 bytes)

Product version:
2,7,3,1

Copyright:
(C) Develop Ltd.

Trademarks:
(C) Develop Ltd.

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Language:
German (Germany)

Common path:
C:\users\{user}\appdata\roaming\firefxs.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
2/4/2016 5:30:00 AM

Valid to:
2/4/2017 5:29:59 AM

Subject:
CN=Shan Feng, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
35000007A9C98043CA459BAC1DA3B29C

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
6144:xIPeBKaDOGJ+FuDOOaGHq9ExbheMN6qCB+Del7aspFqPXSBLSHBd6xhT9aPpB:qekaDOGJazp9oFNZbeR36aBsBd6xhT9k

Entry address:
0x13B3

Entry point:
55, 89, E5, 83, EC, 08, C7, 05, F8, 7A, 45, 00, 01, 00, 00, 00, E8, 84, 77, 04, 00, C9, E9, 66, FD, FF, FF, 55, 89, E5, 83, EC, 08, C7, 05, F8, 7A, 45, 00, 00, 00, 00, 00, E8, 69, 77, 04, 00, C9, E9, 4B, FD, FF, FF, 90, 90, 90, 66, 90, 66, 90, 55, 89, E5, 83, EC, 18, A1, 68, D9, 44, 00, 85, C0, 74, 3C, C7, 04, 24, 00, E0, 44, 00, FF, 15, 00, 83, 45, 00, 83, EC, 04, 85, C0, BA, 00, 00, 00, 00, 74, 16, C7, 44, 24, 04, 0E, E0, 44, 00, 89, 04, 24, FF, 15, 04, 83, 45, 00, 83, EC, 08, 89, C2, 85, D2, 74, 09, C7...

Entropy:
7.8661  (probably packed)

Code size:
294 KB (301,056 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
LhwQX6JZMniQ5N30

Command:
"C:\users\{user}\appdata\roaming\firefxs.exe" \skipreg
