File name:

FRSTEnglish.exe

Full analysis: https://app.any.run/tasks/08d5c13a-edb8-41fd-86cd-87f5d0257377
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: August 22, 2024, 12:20:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autoit
loader
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

FED0E4A53768F2E769A9F1C1512BB0C8

SHA1:

D1417D4343CE0290DC9D2DC09447E939C880EB74

SHA256:

B775A76514FCCE084181C7B18CAE4476575BD36EA7139AA1881F8702F3D9F376

SSDEEP:

98304:J9rem5Oidc7Xn/8MVtyOundD0T6qD2DDW2V+RaRvuKHYT2471ZbX2FGJiY:XT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • FRSTEnglish.exe (PID: 6960)

    • Starts CMD.EXE for commands execution

      • FRSTEnglish.exe (PID: 6960)

    • Executes as Windows Service

      • VSSVC.exe (PID: 6408)

    • Detected use of alternative data streams (AltDS)

      • FRSTEnglish.exe (PID: 6960)
      • FRSTEnglish.exe (PID: 6804)

    • Executable content was dropped or overwritten

      • FRSTEnglish.exe (PID: 6960)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6820)
      • cmd.exe (PID: 6912)
      • cmd.exe (PID: 6224)
      • cmd.exe (PID: 6000)
      • cmd.exe (PID: 1656)
      • cmd.exe (PID: 6624)
      • cmd.exe (PID: 6648)
      • cmd.exe (PID: 6320)

    • Reads security settings of Internet Explorer

      • FRSTEnglish.exe (PID: 6960)
      • FRSTEnglish.exe (PID: 6804)

    • Checks Windows Trust Settings

      • FRSTEnglish.exe (PID: 6960)
      • FRSTEnglish.exe (PID: 6804)

    • Potential Corporate Privacy Violation

      • FRSTEnglish.exe (PID: 6960)
      • FRSTEnglish.exe (PID: 6804)

    • Reads the date of Windows installation

      • FRSTEnglish.exe (PID: 6960)

  • INFO

    • Reads mouse settings

      • FRSTEnglish.exe (PID: 6960)
      • FRSTEnglish.exe (PID: 6804)

    • Create files in a temporary directory

      • FRSTEnglish.exe (PID: 6960)

    • Checks supported languages

      • FRSTEnglish.exe (PID: 6960)
      • FRSTEnglish.exe (PID: 6804)

    • Reads the computer name

      • FRSTEnglish.exe (PID: 6960)
      • FRSTEnglish.exe (PID: 6804)

    • Checks proxy server information

      • FRSTEnglish.exe (PID: 6960)
      • FRSTEnglish.exe (PID: 6804)

    • Creates files or folders in the user directory

      • FRSTEnglish.exe (PID: 6960)
      • FRSTEnglish.exe (PID: 6804)

    • Reads the software policy settings

      • FRSTEnglish.exe (PID: 6960)
      • FRSTEnglish.exe (PID: 6804)

    • Reads the machine GUID from the registry

      • FRSTEnglish.exe (PID: 6960)
      • FRSTEnglish.exe (PID: 6804)

    • Process checks computer location settings

      • FRSTEnglish.exe (PID: 6960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:08:12 15:56:33+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.16
CodeSize: 734208
InitializedDataSize: 1661952
UninitializedDataSize: -
EntryPoint: 0x2549c
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 12.8.2024.0
ProductVersionNumber: 12.2024.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
FileVersion: 12.8.2024.0
Comments: http://www.autoitscript.com/autoit3/
FileDescription: Farbar Recovery Scan Tool
ProductName: FRST64
ProductVersion: 12-08.2024
CompanyName: Farbar
LegalCopyright: ©Farbar
OriginalFileName: FRST64.exe
InternalName: FRST64
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
159
Monitored processes
33
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start frstenglish.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs bcdedit.exe no specs vssvc.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs frstenglish.exe frstenglish.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1344\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1656C:\WINDOWS\system32\cmd.exe /c reg load hklm\i9Ee5Py6O C:\FRST\l2Zx5Vq7Aq9\SECURITYC:\Windows\System32\cmd.exeFRSTEnglish.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1688\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1812reg load hklm\i9Ee5Py6O C:\FRST\l2Zx5Vq7Aq9\SECURITYC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2252reg load hklm\i9Ee5Py6O C:\FRST\l2Zx5Vq7Aq9\SYSTEMC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2648C:\WINDOWS\system32\cmd.exe /u /c echo 2C:\Windows\System32\cmd.exeFRSTEnglish.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
3164reg load hklm\i9Ee5Py6O C:\FRST\l2Zx5Vq7Aq9\SAMC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
4592\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5092reg load hklm\i9Ee5Py6O C:\FRST\l2Zx5Vq7Aq9\UsrClass.datC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
5476reg load hklm\i9Ee5Py6O C:\FRST\l2Zx5Vq7Aq9\NTUSER.DATC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
13 192
Read events
12 921
Write events
259
Delete events
12

Modification events

(PID) Process:(6324) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:delete keyName:(default)
Value:
(PID) Process:(6324) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Description
Operation:writeName:FirmwareModified
Value:
1
(PID) Process:(6324) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:writeName:Element
Value:
0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
(PID) Process:(6324) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:delete keyName:(default)
Value:
(PID) Process:(6324) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:writeName:Element
Value:
\EFI\Microsoft\Boot\bootmgfw.efi
(PID) Process:(6324) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation:delete keyName:(default)
Value:
(PID) Process:(6324) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation:writeName:Element
Value:
0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
(PID) Process:(6324) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\12000002
Operation:delete keyName:(default)
Value:
(PID) Process:(6324) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\12000002
Operation:writeName:Element
Value:
\EFI\Boot\Loader.efi
(PID) Process:(6324) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Description
Operation:delete keyName:(default)
Value:
Executable files
5
Suspicious files
31
Text files
26
Unknown types
1

Dropped files

PID
Process
Filename
Type
6960FRSTEnglish.exeC:\FRST\l2Zx5Vq7Aq9\SOFTWARE
MD5:
SHA256:
6960FRSTEnglish.exeC:\FRST\l2Zx5Vq7Aq9\SOFTWARE.LOG1
MD5:
SHA256:
6960FRSTEnglish.exeC:\FRST\l2Zx5Vq7Aq9\SOFTWARE.LOG2
MD5:
SHA256:
6960FRSTEnglish.exeC:\FRST\Hives\SOFTWARE
MD5:
SHA256:
6960FRSTEnglish.exeC:\FRST\l2Zx5Vq7Aq9\SYSTEM
MD5:
SHA256:
6960FRSTEnglish.exeC:\FRST\Hives\SYSTEM
MD5:
SHA256:
6960FRSTEnglish.exeC:\Users\admin\AppData\Local\Temp\autF6A2.tmpbinary
MD5:C65D2BFEE6F33857980F95BBF647D5C0
SHA256:90403EFC1FAC06E52D94B11473837C9C09D4F17F6892EA265B4A2E2968CCA49D
6960FRSTEnglish.exeC:\FRST\l2Zx5Vq7Aq9\COMPONENTS
MD5:
SHA256:
6960FRSTEnglish.exeC:\FRST\l2Zx5Vq7Aq9\COMPONENTS.LOG1
MD5:
SHA256:
6960FRSTEnglish.exeC:\FRST\l2Zx5Vq7Aq9\COMPONENTS.LOG2
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
21
DNS requests
5
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6960
FRSTEnglish.exe
GET
301
104.20.185.56:80
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
unknown
whitelisted
6960
FRSTEnglish.exe
GET
301
104.20.185.56:80
http://download.bleepingcomputer.com/farbar/up64
unknown
whitelisted
6804
FRSTEnglish.exe
GET
301
104.20.185.56:80
http://download.bleepingcomputer.com/farbar/up64
unknown
whitelisted
GET
200
172.67.2.229:443
https://download.bleepingcomputer.com/dl/75d71856c7208c2c9576b9fee6ae1f77/66c72d1f/windows/security/security-utilities/f/farbar-recovery-scan-tool/FRST64.exe
unknown
executable
2.29 Mb
GET
200
104.20.184.56:443
https://download.bleepingcomputer.com/farbar/up64
unknown
text
11 b
GET
200
172.67.2.229:443
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
unknown
html
64.9 Kb
GET
200
104.20.185.56:443
https://download.bleepingcomputer.com/farbar/up64
unknown
text
11 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3412
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
192.168.100.255:138
whitelisted
2120
MoUsoCoreWorker.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1344
RUXIMICS.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
3412
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4324
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3412
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6960
FRSTEnglish.exe
104.20.185.56:80
download.bleepingcomputer.com
CLOUDFLARENET
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.206
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
download.bleepingcomputer.com
  • 104.20.185.56
  • 172.67.2.229
  • 104.20.184.56
whitelisted
www.bleepingcomputer.com
  • 104.20.185.56
  • 104.20.184.56
  • 172.67.2.229
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
Potential Corporate Privacy Violation
ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
Potential Corporate Privacy Violation
ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
FRSTEnglish.exe