File name: Flaron.exe
Full analysis: https://app.any.run/tasks/a8d37ce7-fcb9-44c4-beb0-dcd97d4f627d
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is open-source malware, with its code available on GitHub and regularly receiving updates. The Blank Grabber builder's simple interface lets threat actors with even basic skills deploy it and conduct attacks.

Analysis date: June 29, 2025, 22:40:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
uac
evasion
blankgrabber
stealer
screenshot
discord
pyinstaller
susp-powershell
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 88C2DBCC56F1B4C2D05758D318F24788
SHA1: 1B1C4D345D6F2BCC88B778AC62ED5C4BF99030BC
SHA256: 5EA3663B5087E8D3804A001A5D3967D40BADC4FCFDF555D7F0DE311F263E23F7
SSDEEP: 98304:rC3CpWMIombrO47fz9hluqG9yeFyOnace7EewAuOnjwkGpABhSRlEuq1RPeOHWZz:wrNE/gRRyT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • BlankGrabber has been detected

      • Flaron.exe (PID: 6656)
      • Flaron.exe (PID: 2780)
    • Bypass User Account Control (ComputerDefaults)

      • ComputerDefaults.exe (PID: 2180)
    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 4264)
    • Adds path to the Windows Defender exclusion list

      • Flaron.exe (PID: 1324)
      • cmd.exe (PID: 2220)
    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 7132)
    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 7132)
    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 7132)
    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 7132)
    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 7132)
    • Changes Windows Defender settings

      • cmd.exe (PID: 4264)
      • cmd.exe (PID: 2220)
    • Changes settings for real-time protection

      • powershell.exe (PID: 7132)
    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 7132)
    • Actions look like stealing of personal data

      • Flaron.exe (PID: 1324)
    • Steals credentials from Web Browsers

      • Flaron.exe (PID: 1324)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7244)
    • Bypass User Account Control (Modify registry)

      • reg.exe (PID: 3392)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 3476)
    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 8168)
    • Starts CMD.EXE for self-deleting

      • Flaron.exe (PID: 1324)
    • BLANKGRABBER has been detected (SURICATA)

      • Flaron.exe (PID: 1324)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Flaron.exe (PID: 6656)
      • Flaron.exe (PID: 2780)
      • csc.exe (PID: 7172)
    • Process drops legitimate windows executable

      • Flaron.exe (PID: 6656)
      • Flaron.exe (PID: 2780)
    • Starts a Microsoft application from unusual location

      • Flaron.exe (PID: 6656)
      • Flaron.exe (PID: 1660)
      • Flaron.exe (PID: 2780)
      • Flaron.exe (PID: 1324)
    • Process drops python dynamic module

      • Flaron.exe (PID: 6656)
      • Flaron.exe (PID: 2780)
    • Application launched itself

      • Flaron.exe (PID: 6656)
      • Flaron.exe (PID: 2780)
    • The process drops C-runtime libraries

      • Flaron.exe (PID: 6656)
      • Flaron.exe (PID: 2780)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7092)
      • cmd.exe (PID: 592)
      • cmd.exe (PID: 320)
    • Uses WEVTUTIL.EXE to query events from a log or log file

      • cmd.exe (PID: 2212)
      • cmd.exe (PID: 728)
    • Found strings related to reading or modifying Windows Defender settings

      • Flaron.exe (PID: 1324)
      • Flaron.exe (PID: 1660)
    • Get information on the list of running processes

      • Flaron.exe (PID: 1324)
      • cmd.exe (PID: 3572)
      • cmd.exe (PID: 5780)
      • cmd.exe (PID: 7020)
      • cmd.exe (PID: 5244)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4264)
      • cmd.exe (PID: 2220)
      • cmd.exe (PID: 3476)
      • cmd.exe (PID: 6200)
      • cmd.exe (PID: 7888)
      • cmd.exe (PID: 2692)
      • cmd.exe (PID: 6748)
      • cmd.exe (PID: 7864)
    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 4264)
    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 4264)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 2220)
    • Executes JavaScript directly as a command

      • cmd.exe (PID: 7044)
    • Starts CMD.EXE for commands execution

      • Flaron.exe (PID: 1324)
      • Flaron.exe (PID: 1660)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 3860)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 2212)
    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 3048)
      • cmd.exe (PID: 2356)
      • cmd.exe (PID: 7876)
    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 6368)
      • WMIC.exe (PID: 6128)
      • WMIC.exe (PID: 6200)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 2192)
    • Checks for external IP

      • svchost.exe (PID: 2200)
      • Flaron.exe (PID: 1324)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 4868)
      • WMIC.exe (PID: 7632)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1948)
      • cmd.exe (PID: 7436)
      • cmd.exe (PID: 7756)
      • cmd.exe (PID: 7580)
      • cmd.exe (PID: 7860)
      • cmd.exe (PID: 8060)
    • Base64-obfuscated command line is found

      • cmd.exe (PID: 3476)
    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 3476)
    • Changes default file association

      • reg.exe (PID: 3392)
    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 3388)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 3476)
    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 728)
    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 6164)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 7172)
    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 7244)
    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 6676)
    • The executable file from the user directory is run by the CMD process

      • rar.exe (PID: 2708)
    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 5244)
    • Hides command output

      • cmd.exe (PID: 3880)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 3880)
    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 7348)
  • INFO

    • The sample compiled with english language support

      • Flaron.exe (PID: 6656)
      • Flaron.exe (PID: 2780)
    • Reads the computer name

      • Flaron.exe (PID: 6656)
      • Flaron.exe (PID: 2780)
      • Flaron.exe (PID: 1324)
      • MpCmdRun.exe (PID: 8168)
    • Checks supported languages

      • Flaron.exe (PID: 6656)
      • Flaron.exe (PID: 1660)
      • Flaron.exe (PID: 2780)
      • Flaron.exe (PID: 1324)
      • tree.com (PID: 7172)
      • tree.com (PID: 7552)
      • tree.com (PID: 7660)
      • tree.com (PID: 7816)
      • tree.com (PID: 7984)
      • tree.com (PID: 8120)
      • MpCmdRun.exe (PID: 8168)
      • cvtres.exe (PID: 2032)
      • csc.exe (PID: 7172)
      • rar.exe (PID: 2708)
    • Create files in a temporary directory

      • Flaron.exe (PID: 6656)
      • Flaron.exe (PID: 1660)
      • Flaron.exe (PID: 2780)
      • Flaron.exe (PID: 1324)
      • MpCmdRun.exe (PID: 8168)
      • cvtres.exe (PID: 2032)
      • csc.exe (PID: 7172)
      • rar.exe (PID: 2708)
    • Reads security settings of Internet Explorer

      • ComputerDefaults.exe (PID: 2180)
      • WMIC.exe (PID: 4868)
      • WMIC.exe (PID: 6368)
      • WMIC.exe (PID: 6128)
      • WMIC.exe (PID: 6164)
      • WMIC.exe (PID: 5244)
      • WMIC.exe (PID: 7776)
      • WMIC.exe (PID: 6200)
      • WMIC.exe (PID: 7632)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 1212)
    • The Powershell gets current clipboard

      • powershell.exe (PID: 6876)
    • Checks the directory tree

      • tree.com (PID: 7172)
      • tree.com (PID: 7552)
      • tree.com (PID: 7816)
      • tree.com (PID: 7660)
      • tree.com (PID: 7984)
      • tree.com (PID: 8120)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4192)
      • powershell.exe (PID: 7132)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7132)
      • powershell.exe (PID: 4192)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 7520)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 7172)
      • rar.exe (PID: 2708)
    • PyInstaller has been detected (YARA)

      • Flaron.exe (PID: 2780)
    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 7616)
    • Checks proxy server information

      • slui.exe (PID: 6016)
    • Reads the software policy settings

      • slui.exe (PID: 6016)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:28 09:38:22+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 174592
InitializedDataSize: 96768
UninitializedDataSize: -
EntryPoint: 0xd0d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.5794
ProductVersionNumber: 10.0.19041.5794
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: UserAccountControlSettings
FileVersion: 10.0.19041.5794 (WinBuild.160101.0800)
InternalName: UserAccountControlSettings
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: UserAccountControlSettings.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.5794
No data.
All screenshots are available in the full report
Total processes
270
Monitored processes
138
Malicious processes
10
Suspicious processes
5

Behavior graph

start #BLANKGRABBER flaron.exe flaron.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs computerdefaults.exe no specs computerdefaults.exe no specs computerdefaults.exe #BLANKGRABBER flaron.exe cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs #BLANKGRABBER flaron.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs mshta.exe no specs tasklist.exe no specs powershell.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs svchost.exe cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs wmic.exe no specs powershell.exe no specs tasklist.exe no specs netsh.exe no specs tree.com no specs reg.exe no specs powershell.exe no specs systeminfo.exe no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs tree.com no specs cmd.exe no specs conhost.exe 
no specs tree.com no specs mpcmdrun.exe no specs csc.exe cvtres.exe no specs tiworker.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs getmac.exe no specs cmd.exe no specs conhost.exe no specs rar.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 320
CMD: C:\WINDOWS\system32\cmd.exe /c "reg delete hkcu\Software\Classes\ms-settings /f"
Path: C:\Windows\System32\cmd.exe
Parent process: Flaron.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 592
CMD: C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f"
Path: C:\Windows\System32\cmd.exe
Parent process: Flaron.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 592
CMD: attrib +h +s "C:\Users\admin\Desktop\Flaron.exe"
Path: C:\Windows\System32\attrib.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 728
CMD: C:\WINDOWS\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"
Path: C:\Windows\System32\cmd.exe
Parent process: Flaron.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 728
CMD: C:\WINDOWS\system32\cmd.exe /c "systeminfo"
Path: C:\Windows\System32\cmd.exe
Parent process: Flaron.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1036
CMD: tasklist /FO LIST
Path: C:\Windows\System32\tasklist.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1180
CMD: C:\WINDOWS\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Path: C:\Windows\System32\cmd.exe
Parent process: Flaron.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1180
CMD: C:\WINDOWS\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Path: C:\Windows\System32\cmd.exe
Parent process: Flaron.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1204
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1212
CMD: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('d3dx9.dll not found.Press OK to install.', 0, 'Error {0x0000008}', 0+16);close()"
Path: C:\Windows\System32\mshta.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll
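The command lines in the process table above are enough to write command-line detections for the staging, evasion and reconnaissance steps this sample takes. The Python below is an added example, not ANY.RUN's or Blank Grabber's code: it encodes the behaviours the report flags as regular expressions and runs them over the captured command lines. SAMPLE_CMDLINES are copied from the Process information section; BENIGN_CMDLINES are constructed controls. Rule names, weights and verdict thresholds are this example's own choices, and the ATT&CK technique IDs are the editor's mapping, not the report's.

```python
"""Command-line heuristics for the LOLBin activity captured in this report.

Added example, not ANY.RUN's or Blank Grabber's code.  SAMPLE_CMDLINES are
copied from the Process information section; BENIGN_CMDLINES are constructed
controls.  Rule names, weights and thresholds are this example's own choices;
the ATT&CK IDs are the editor's mapping, not the report's.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str
    weight: int
    pattern: re.Pattern


def _rule(name, technique, weight, regex):
    return Rule(name, technique, weight, re.compile(regex, re.IGNORECASE))


RULES = [
    # Staging the ms-settings handler that ComputerDefaults.exe dispatches to.
    _rule("uac_ms_settings_hijack", "T1548.002", 5,
          r"\breg(\.exe)?\s+add\s+(hkcu|hkey_current_user)\\software\\classes\\ms-settings\\shell\\open\\command"),
    # Removing the same key afterwards (cleanup of the bypass).
    _rule("uac_ms_settings_cleanup", "T1548.002", 2,
          r"\breg(\.exe)?\s+delete\s+(hkcu|hkey_current_user)\\software\\classes\\ms-settings"),
    # Reading the Defender operational log to learn whether the dropper was detected.
    _rule("defender_log_read", "T1518.001", 3,
          r"\bwevtutil\s+qe\s+\"?microsoft-windows-windows defender/operational"),
    # Enumerating installed AV products through the SecurityCenter2 WMI namespace.
    _rule("av_enum_wmi", "T1518.001", 3,
          r"\bwmic\b.*securitycenter2.*antivirusproduct"),
    # Hiding the dropper itself with hidden+system attributes (either flag order).
    _rule("hide_self_attrib", "T1564.001", 3,
          r"\battrib\b(?=.*\+h\b)(?=.*\+s\b)"),
    # Inline JavaScript through mshta (here: the fake d3dx9.dll error decoy).
    _rule("mshta_inline_js", "T1218.005", 3,
          r"\bmshta(\.exe)?\s+\"?(javascript|vbscript):"),
    # Display-adapter ProviderName query: a VM/sandbox check on the GPU vendor.
    _rule("gpu_provider_query", "T1497.001", 2,
          r"\breg\s+query\s+.*\{4d36e968-e325-11ce-bfc1-08002be10318\}.*providername"),
    # Generic host/process recon; low weight on its own.
    _rule("host_recon", "T1082/T1057", 1, r"\b(systeminfo|tasklist)\b"),
]


def match_line(cmdline: str) -> list:
    """All rules whose pattern occurs anywhere in one command line."""
    return [r for r in RULES if r.pattern.search(cmdline)]


def triage(cmdlines) -> tuple:
    """Score a process tree's command lines; returns (score, sorted unique rule names)."""
    hits = {}
    score = 0
    for line in cmdlines:
        for r in match_line(line):
            score += r.weight
            hits.setdefault(r.name, []).append(line)
    return score, sorted(hits)


def verdict(score: int) -> str:
    # Thresholds are this example's choice: a single tamper/bypass rule escalates.
    if score >= 10:
        return "malicious"
    if score >= 4:
        return "suspicious"
    return "clean"


# Copied from the Process information section of this report.
SAMPLE_CMDLINES = [
    r'C:\WINDOWS\system32\cmd.exe /c "reg delete hkcu\Software\Classes\ms-settings /f"',
    r'C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f"',
    r'attrib +h +s "C:\Users\admin\Desktop\Flaron.exe"',
    r'C:\WINDOWS\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"',
    r'C:\WINDOWS\system32\cmd.exe /c "systeminfo"',
    r'tasklist /FO LIST',
    r'C:\WINDOWS\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"',
    r'C:\WINDOWS\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"',
    r'''mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('d3dx9.dll not found.Press OK to install.', 0, 'Error {0x0000008}', 0+16);close()"''',
]

# Constructed controls: ordinary activity that must stay at score 0.
BENIGN_CMDLINES = [
    r'C:\Windows\System32\cmd.exe /c "dir C:\Users\admin"',
    r'C:\Windows\System32\notepad.exe C:\Users\admin\notes.txt',
]

if __name__ == "__main__":
    score, names = triage(SAMPLE_CMDLINES)
    print(f"score={score} verdict={verdict(score)}")
    for n in names:
        print("  hit:", n)
```

The weights matter more than the rule count: `host_recon` alone never escalates, while the ms-settings write or the Defender log read does, which matches how the sandbox itself grades these signatures (MALICIOUS versus SUSPICIOUS).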
Total events
58 564
Read events
58 553
Write events
7
Delete events
4

Modification events

(PID) Process: (3392) reg.exe
Key: HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation: write
Name: DelegateExecute
Value:

(PID) Process: (2180) ComputerDefaults.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2180) ComputerDefaults.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2180) ComputerDefaults.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (7000) reg.exe
Key: HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation: delete key
Name: (default)
Value:

(PID) Process: (7000) reg.exe
Key: HKEY_CLASSES_ROOT\ms-settings\shell\open
Operation: delete key
Name: (default)
Value:

(PID) Process: (7000) reg.exe
Key: HKEY_CLASSES_ROOT\ms-settings\shell
Operation: delete key
Name: (default)
Value:

(PID) Process: (7000) reg.exe
Key: HKEY_CLASSES_ROOT\ms-settings
Operation: delete key
Name: (default)
Value:

(PID) Process: (1324) Flaron.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation: write
Name: 1280x720x32(BGR 0)
Value: 31,31,31,31

(PID) Process: (5928) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: SessionIdHigh
Value: 31189318
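The modification events above record the ms-settings UAC bypass as three registry steps in order: reg.exe (3392) writes DelegateExecute under the handler key, ComputerDefaults.exe (2180) is launched, and reg.exe (7000) deletes the key tree. Note that the command line spells the key as hkcu\Software\Classes\ms-settings while the registry event shows HKEY_CLASSES_ROOT\ms-settings; they are the same key, since per-user Classes entries are mirrored into HKCR. The Python below is an added example, not ANY.RUN's code, of correlating those steps as a sequence rather than as isolated events. The event stream is constructed from the PIDs, images and keys in this report; the timestamps are invented because the report does not show them. fodhelper.exe is listed alongside ComputerDefaults.exe because both are auto-elevating binaries that dispatch the ms-settings: handler, which goes beyond what this particular report shows.

```python
"""Sequence correlation for the ms-settings UAC bypass recorded in this report.

Added example, not ANY.RUN's code.  SAMPLE_EVENTS is constructed from the
PIDs, images and keys in the Modification events / Process information
sections; the timestamps are invented (the report does not show them).
"""
from dataclasses import dataclass

# Auto-elevating binaries that dispatch the ms-settings: handler.  The report
# shows ComputerDefaults.exe; fodhelper.exe is added as the well-known sibling.
AUTO_ELEVATE_MS_SETTINGS = {"computerdefaults.exe", "fodhelper.exe"}

# Per-user Classes keys are mirrored into HKCR, so the same key appears as
# hkcu\Software\Classes\ms-settings in the command line and as
# HKEY_CLASSES_ROOT\ms-settings in the registry event.
MS_SETTINGS_CMD = "classes\\ms-settings\\shell\\open\\command"
MS_SETTINGS_ROOT = "classes\\ms-settings"


@dataclass(frozen=True)
class Event:
    ts: float          # seconds since start of the trace (invented)
    kind: str          # "reg_write" | "reg_delete" | "proc_start"
    pid: int
    image: str
    key: str = ""      # registry key for reg_* events
    name: str = ""     # value name for reg_write events


@dataclass(frozen=True)
class Alert:
    stage: str         # "staged" | "bypass" | "cleanup"
    pids: tuple
    detail: str


def normalise_key(key: str) -> str:
    """Map the HKCU\\Software\\Classes and HKEY_CLASSES_ROOT spellings to one form."""
    k = key.strip().lower()
    for prefix in ("hkey_current_user\\software\\classes\\",
                   "hkcu\\software\\classes\\",
                   "hkey_classes_root\\",
                   "hkcr\\"):
        if k.startswith(prefix):
            return "classes\\" + k[len(prefix):]
    return k


def correlate(events, window=60.0):
    """Emit staged -> bypass -> cleanup alerts for a handler write followed,
    within `window` seconds, by an auto-elevating process start."""
    alerts = []
    staged = None  # (ts, pid) of the latest handler write still in play
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "reg_write" and normalise_key(ev.key) == MS_SETTINGS_CMD:
            staged = (ev.ts, ev.pid)
            alerts.append(Alert("staged", (ev.pid,),
                                f"{ev.image} ({ev.pid}) wrote {ev.name or '(default)'} "
                                f"under the ms-settings handler key"))
        elif ev.kind == "proc_start" and ev.image.lower() in AUTO_ELEVATE_MS_SETTINGS:
            if staged is not None and ev.ts - staged[0] <= window:
                alerts.append(Alert("bypass", (staged[1], ev.pid),
                                    f"{ev.image} ({ev.pid}) started {ev.ts - staged[0]:.1f}s "
                                    f"after the handler write by pid {staged[1]}"))
        elif ev.kind == "reg_delete" and normalise_key(ev.key).startswith(MS_SETTINGS_ROOT):
            if staged is not None:
                alerts.append(Alert("cleanup", (staged[1], ev.pid),
                                    f"{ev.image} ({ev.pid}) removed {ev.key}"))
                staged = None  # the remaining parent-key deletes belong to the same cleanup
    return alerts


# Constructed from this report's PIDs and keys; timestamps invented.
SAMPLE_EVENTS = [
    Event(0.0, "proc_start", 592, "cmd.exe"),
    Event(0.5, "reg_write", 3392, "reg.exe",
          key=r"HKEY_CLASSES_ROOT\ms-settings\shell\open\command", name="DelegateExecute"),
    Event(2.0, "proc_start", 2180, "ComputerDefaults.exe"),
    Event(9.0, "reg_delete", 7000, "reg.exe", key=r"HKEY_CLASSES_ROOT\ms-settings\shell\open\command"),
    Event(9.1, "reg_delete", 7000, "reg.exe", key=r"HKEY_CLASSES_ROOT\ms-settings\shell\open"),
    Event(9.2, "reg_delete", 7000, "reg.exe", key=r"HKEY_CLASSES_ROOT\ms-settings\shell"),
    Event(9.3, "reg_delete", 7000, "reg.exe", key=r"HKEY_CLASSES_ROOT\ms-settings"),
]

# Constructed control: the same binary started with no prior handler write
# (a user opening Default Apps) must not raise a bypass alert.
CONTROL_EVENTS = [Event(0.0, "proc_start", 4000, "ComputerDefaults.exe")]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[{a.stage}] pids={a.pids}: {a.detail}")
```

Keying the state on the normalised handler key is what makes the write (seen as HKCR in the event log) and the `reg add hkcu\...` command line line up; without it the two halves of the bypass look unrelated.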
Executable files
37
Suspicious files
16
Text files
49
Unknown types
0

Dropped files

PID | Process | Filename | Type

6656 | Flaron.exe | C:\Users\admin\AppData\Local\Temp\_MEI66562\VCRUNTIME140.dll | executable
MD5: 870FEA4E961E2FBD00110D3783E529BE
SHA256: 76FDB83FDE238226B5BEBAF3392EE562E2CB7CA8D3EF75983BF5F9D6C7119644

6656 | Flaron.exe | C:\Users\admin\AppData\Local\Temp\_MEI66562\_lzma.pyd | executable
MD5: 71F0B9F90AA4BB5E605DF0EA58673578
SHA256: D0E10445281CF3195C2A1AA4E0E937D69CAE07C492B74C9C796498DB33E9F535

6656 | Flaron.exe | C:\Users\admin\AppData\Local\Temp\_MEI66562\_hashlib.pyd | executable
MD5: 7EDB6C172C0E44913E166ABB50E6FBA6
SHA256: 258AD0D7E8B2333B4B260530E14EBE6ABD12CAE0316C4549E276301E5865B531

6656 | Flaron.exe | C:\Users\admin\AppData\Local\Temp\_MEI66562\_sqlite3.pyd | executable
MD5: 72A0715CB59C5A84A9D232C95F45BF57
SHA256: D125E113E69A49E46C5534040080BDB35B403EB4FF4E74ABF963BCE84A6C26AD

6656 | Flaron.exe | C:\Users\admin\AppData\Local\Temp\_MEI66562\base_library.zip | compressed
MD5: 1F87C249816C9B9FE98575C61CD205FF
SHA256: 7DD939C04482FAA594CAA133D7F80FF8A37EB1AD22151CCDA2DE2A213A66433B

6656 | Flaron.exe | C:\Users\admin\AppData\Local\Temp\_MEI66562\_socket.pyd | executable
MD5: 57DC6A74A8F2FAACA1BA5D330D7C8B4B
SHA256: 5B73B9EA327F7FB4CEFDDD65D6050CDEC2832E2E634FCBF4E98E0F28D75AD7CA

6656 | Flaron.exe | C:\Users\admin\AppData\Local\Temp\_MEI66562\_ssl.pyd | executable
MD5: 8F94142C7B4015E780011C1B883A2B2F
SHA256: 8B6C028A327E887F1B2CCD35661C4C7C499160E0680CA193B5C818327A72838C

6656 | Flaron.exe | C:\Users\admin\AppData\Local\Temp\_MEI66562\libcrypto-1_1.dll | executable
MD5: E5AECAF59C67D6DD7C7979DFB49ED3B0
SHA256: 9D2257D0DE8172BCC8F2DBA431EB91BD5B8AC5A9CBE998F1DCAC0FAC818800B1

6656 | Flaron.exe | C:\Users\admin\AppData\Local\Temp\_MEI66562\_ctypes.pyd | executable
MD5: 7ECC651B0BCF9B93747A710D67F6C457
SHA256: B43963B0883BA2E99F2B7DD2110D33063071656C35E6575FCA203595C1C32B1A

6656 | Flaron.exe | C:\Users\admin\AppData\Local\Temp\_MEI66562\libssl-1_1.dll | executable
MD5: 7BCB0F97635B91097398FD1B7410B3BC
SHA256: ABE8267F399A803224A1F3C737BCA14DEE2166BA43C1221950E2FBCE1314479E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
39
TCP/UDP connections
56
DNS requests
23
Threats
9

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1324 | Flaron.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | - | - | whitelisted
- | - | GET | 204 | 142.250.185.195:443 | https://gstatic.com/generate_204 | unknown | - | - | -
- | - | POST | 200 | 20.190.160.4:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 40.126.31.1:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
- | - | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
1268 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
5944 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
- | - | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 95.101.149.131
whitelisted
blank-sorpi.in
unknown
ip-api.com
  • 208.95.112.1
whitelisted
login.live.com
  • 40.126.32.68
  • 20.190.160.2
  • 20.190.160.4
  • 40.126.32.133
  • 40.126.32.76
  • 40.126.32.136
  • 40.126.32.134
  • 20.190.160.5
whitelisted
gstatic.com
  • 142.250.186.131
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted
discord.com
  • 162.159.137.232
  • 162.159.136.232
  • 162.159.138.232
  • 162.159.135.232
  • 162.159.128.233
whitelisted

Threats

PID | Process | Class | Message
1324 | Flaron.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ip-api.com
2200 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
2200 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2200 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
1324 | Flaron.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ip-api.com
2200 | svchost.exe | Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
1324 | Flaron.exe | A Network Trojan was detected | STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
1324 | Flaron.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
1324 | Flaron.exe | Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
No debug info