File name:

FRST64.exe

Full analysis: https://app.any.run/tasks/48caf48f-333a-4190-bc86-6e54442f0bcf
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: December 19, 2024, 22:28:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autoit
stealer
arch-scr
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

FBB5B95D8C36176570FA6E2F413AFB66

SHA1:

37F5BA49B2E3657B987B95AECC313C9BB5C10B74

SHA256:

F5A56898ECA854E293ECF1603A2223F2195C9853899A518B5BAA0EEA7BD9FDA6

SSDEEP:

98304:K9rem5OidGil4kWOYPcVs6qSJ8KIBFVExfN3Ed+RaRvuKHYT2471ZbX2FGJiY:MY6u

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Steals credentials from Web Browsers

      • FRST64.exe (PID: 6176)

    • Actions looks like stealing of personal data

      • FRST64.exe (PID: 6176)

  • SUSPICIOUS

    • Detected use of alternative data streams (AltDS)

      • FRST64.exe (PID: 6176)

    • Executes as Windows Service

      • VSSVC.exe (PID: 6648)

    • Executable content was dropped or overwritten

      • FRST64.exe (PID: 6176)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7004)
      • cmd.exe (PID: 3224)
      • cmd.exe (PID: 3988)
      • cmd.exe (PID: 5252)
      • cmd.exe (PID: 4672)
      • cmd.exe (PID: 6276)
      • cmd.exe (PID: 6320)
      • cmd.exe (PID: 6452)
      • cmd.exe (PID: 7016)

    • Starts CMD.EXE for commands execution

      • FRST64.exe (PID: 6176)

    • Potential Corporate Privacy Violation

      • FRST64.exe (PID: 6176)

    • Reads security settings of Internet Explorer

      • FRST64.exe (PID: 6176)

    • Adds/modifies Windows certificates

      • FRST64.exe (PID: 6176)

    • Checks Windows Trust Settings

      • FRST64.exe (PID: 6176)

  • INFO

    • Reads mouse settings

      • FRST64.exe (PID: 6176)

    • The sample compiled with english language support

      • FRST64.exe (PID: 6176)

    • Checks supported languages

      • FRST64.exe (PID: 6176)

    • Reads the computer name

      • FRST64.exe (PID: 6176)

    • The process uses AutoIt

      • FRST64.exe (PID: 6176)

    • Creates files or folders in the user directory

      • FRST64.exe (PID: 6176)

    • Checks proxy server information

      • FRST64.exe (PID: 6176)

    • Reads the software policy settings

      • FRST64.exe (PID: 6176)

    • Create files in a temporary directory

      • FRST64.exe (PID: 6176)

    • The process uses the downloaded file

      • FRST64.exe (PID: 6176)

    • Reads the machine GUID from the registry

      • FRST64.exe (PID: 6176)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:12:19 12:53:21+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.16
CodeSize: 734208
InitializedDataSize: 1668608
UninitializedDataSize: -
EntryPoint: 0x2549c
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 19.12.2024.1
ProductVersionNumber: 19.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
FileVersion: 19.12.2024.1
Comments: http://www.autoitscript.com/autoit3/
FileDescription: Farbar Recovery Scan Tool
ProductName: FRST64
ProductVersion: 19-12-2024 01
CompanyName: Farbar
LegalCopyright: ©Farbar
OriginalFileName: FRST64.exe
InternalName: FRST64
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
163
Monitored processes
35
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start frst64.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs bcdedit.exe no specs vssvc.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs frst64.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1412\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3224C:\WINDOWS\system32\cmd.exe /c reg load hklm\n8Ax3Oj2Kr7 C:\FRST\l6Qi4Hc2Xg\SYSTEMC:\Windows\System32\cmd.exeFRST64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
3732"C:\Users\admin\AppData\Local\Temp\FRST64.exe" C:\Users\admin\AppData\Local\Temp\FRST64.exeexplorer.exe
User:
admin
Company:
Farbar
Integrity Level:
MEDIUM
Description:
Farbar Recovery Scan Tool
Exit code:
3221226540
Version:
19.12.2024.1
Modules
Images
c:\users\admin\appdata\local\temp\frst64.exe
c:\windows\system32\ntdll.dll
3820reg load hklm\n8Ax3Oj2Kr7 C:\FRST\l6Qi4Hc2Xg\SAMC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
3988C:\WINDOWS\system32\cmd.exe /c reg load hklm\n8Ax3Oj2Kr7 C:\FRST\l6Qi4Hc2Xg\SAMC:\Windows\System32\cmd.exeFRST64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
4244reg load hklm\n8Ax3Oj2Kr7 C:\FRST\l6Qi4Hc2Xg\SYSTEMC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
4672C:\WINDOWS\system32\cmd.exe /c reg load hklm\n8Ax3Oj2Kr7 C:\FRST\l6Qi4Hc2Xg\SECURITYC:\Windows\System32\cmd.exeFRST64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
5252C:\WINDOWS\system32\cmd.exe /c reg load hklm\n8Ax3Oj2Kr7 C:\FRST\l6Qi4Hc2Xg\DEFAULTC:\Windows\System32\cmd.exeFRST64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
5256\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5556reg load hklm\n8Ax3Oj2Kr7 C:\FRST\l6Qi4Hc2Xg\NTUSER.DATC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
22 816
Read events
22 538
Write events
262
Delete events
16

Modification events

(PID) Process:(6556) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:delete keyName:(default)
Value:
(PID) Process:(6556) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:writeName:Element
Value:
0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
(PID) Process:(6556) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:delete keyName:(default)
Value:
(PID) Process:(6556) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:writeName:Element
Value:
\EFI\Microsoft\Boot\bootmgfw.efi
(PID) Process:(6556) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation:delete keyName:(default)
Value:
(PID) Process:(6556) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation:writeName:Element
Value:
0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
(PID) Process:(6556) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\12000002
Operation:delete keyName:(default)
Value:
(PID) Process:(6556) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\12000002
Operation:writeName:Element
Value:
\EFI\Boot\Loader.efi
(PID) Process:(6556) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Description
Operation:delete keyName:(default)
Value:
(PID) Process:(6556) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Elements\24000001
Operation:delete keyName:(default)
Value:
Executable files
1
Suspicious files
43
Text files
26
Unknown types
0

Dropped files

PID
Process
Filename
Type
6176FRST64.exeC:\FRST\l6Qi4Hc2Xg\SOFTWARE
MD5:
SHA256:
6176FRST64.exeC:\FRST\l6Qi4Hc2Xg\SOFTWARE.LOG1
MD5:
SHA256:
6176FRST64.exeC:\FRST\l6Qi4Hc2Xg\SOFTWARE.LOG2
MD5:
SHA256:
6176FRST64.exeC:\FRST\Hives\SOFTWARE
MD5:
SHA256:
6176FRST64.exeC:\FRST\l6Qi4Hc2Xg\SYSTEM
MD5:
SHA256:
6176FRST64.exeC:\FRST\Hives\SYSTEM
MD5:
SHA256:
6176FRST64.exeC:\Users\admin\AppData\Local\Temp\aut7D80.tmpbinary
MD5:C65D2BFEE6F33857980F95BBF647D5C0
SHA256:90403EFC1FAC06E52D94B11473837C9C09D4F17F6892EA265B4A2E2968CCA49D
6176FRST64.exeC:\FRST\l6Qi4Hc2Xg\COMPONENTS
MD5:
SHA256:
6176FRST64.exeC:\FRST\l6Qi4Hc2Xg\COMPONENTS.LOG1
MD5:
SHA256:
6176FRST64.exeC:\FRST\l6Qi4Hc2Xg\COMPONENTS.LOG2
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
36
DNS requests
20
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6176
FRST64.exe
GET
301
172.67.2.229:80
http://download.bleepingcomputer.com/farbar/up64
unknown
whitelisted
6176
FRST64.exe
GET
200
142.250.185.99:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
6176
FRST64.exe
GET
200
142.250.185.99:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
6720
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6880
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6720
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5732
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.48.23.166:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5732
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
104.126.37.171:443
www.bing.com
Akamai International B.V.
DE
whitelisted
1176
svchost.exe
40.126.32.136:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
www.bing.com
  • 104.126.37.171
  • 104.126.37.144
  • 104.126.37.155
  • 104.126.37.176
  • 104.126.37.154
  • 104.126.37.163
  • 104.126.37.139
  • 104.126.37.131
  • 104.126.37.145
whitelisted
login.live.com
  • 40.126.32.136
  • 40.126.32.134
  • 20.190.160.20
  • 40.126.32.140
  • 20.190.160.17
  • 40.126.32.138
  • 20.190.160.22
  • 40.126.32.68
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
download.bleepingcomputer.com
  • 172.67.2.229
  • 104.20.185.56
  • 104.20.184.56
whitelisted
c.pki.goog
  • 142.250.185.99
whitelisted

Threats

PID
Process
Class
Message
6176
FRST64.exe
Potential Corporate Privacy Violation
ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
FRST64.exe