File name: Mercury.exe

Full analysis: https://app.any.run/tasks/6e05c5cc-edc0-4131-888a-5b53f1a20f0c
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market and comes with an abundance of educational material; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world.

Analysis date: April 05, 2025, 09:06:07
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rat
njrat
bladabindi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 2E4CDABA12D62908EEDD7EB57DBB28C6
SHA1: A246F6ACFBBAF15A51349995CDEE35505E098DD6
SHA256: 7632FBC1A1AFA85E1BB9D335ADD4452139B0EF5753A53C78ADFEF48355BF88E6
SSDEEP: 768:Pjifwoh0/mXo3goKmBX99L7vBo8sEezOOtvjrM41v1rbV62smnMlcw5f:PjifwNmYF5tvBQEezOOtrR3Y2jM5f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • RuntimeBroker.exe (PID: 7928)
    • Create files in the Startup directory

      • RuntimeBroker.exe (PID: 7928)
    • NjRAT is detected

      • RuntimeBroker.exe (PID: 7928)
    • NJRAT has been detected (YARA)

      • RuntimeBroker.exe (PID: 7928)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Mercury.exe (PID: 7180)
      • Runtime Broker.exe (PID: 7692)
    • Uses base64 encoding (POWERSHELL)

      • Mercury.exe (PID: 7180)
    • Reads the date of Windows installation

      • Mercury.exe (PID: 7180)
    • Writes data into a file (POWERSHELL)

      • Mercury.exe (PID: 7180)
    • Executable content was dropped or overwritten

      • Runtime Broker.exe (PID: 7692)
      • RuntimeBroker.exe (PID: 7928)
      • Mercury.exe (PID: 7180)
    • Starts itself from another location

      • Runtime Broker.exe (PID: 7692)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • RuntimeBroker.exe (PID: 7928)
    • Connects to unusual port

      • RuntimeBroker.exe (PID: 7928)
  • INFO

    • Reads Environment values

      • Mercury.exe (PID: 7180)
    • Reads the computer name

      • Mercury.exe (PID: 7180)
      • Runtime Broker.exe (PID: 7692)
      • RuntimeBroker.exe (PID: 7928)
    • Create files in a temporary directory

      • Mercury.exe (PID: 7180)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • Mercury.exe (PID: 7180)
    • Reads the software policy settings

      • Mercury.exe (PID: 7180)
    • Reads the machine GUID from the registry

      • Mercury.exe (PID: 7180)
      • RuntimeBroker.exe (PID: 7928)
    • Checks supported languages

      • Mercury.exe (PID: 7180)
      • RuntimeBroker.exe (PID: 7928)
      • Runtime Broker.exe (PID: 7692)
    • Process checks computer location settings

      • Mercury.exe (PID: 7180)
      • Runtime Broker.exe (PID: 7692)
    • Creates files or folders in the user directory

      • RuntimeBroker.exe (PID: 7928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

NjRat

(PID) Process: (7928) RuntimeBroker.exe
C2: xport.ddns.net
Ports: 30120
Botnet: HacKed
Options
Auto-run registry key: Software\Microsoft\Windows\CurrentVersion\Run\fc59070618756c4fcf60b192fe447301
Splitter: |'|'|
Version: 0.7d

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:04 10:14:13+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 38912
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0xb79e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 0.0.0.0
InternalName: output.exe
LegalCopyright:
OriginalFileName: output.exe
ProductVersion: 0.0.0.0
AssemblyVersion: 0.0.0.0
All screenshots are available in the full report
Total processes: 138
Monitored processes: 10
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start mercury.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe no specs runtime broker.exe #NJRAT runtimebroker.exe netsh.exe no specs conhost.exe no specs svchost.exe mercury.exe no specs

Process information

Each entry lists PID, CMD, Path, Indicators and Parent process, followed by the process details and loaded modules.
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 6808
CMD: "C:\Users\admin\AppData\Local\Temp\Mercury.exe"
Path: C:\Users\admin\AppData\Local\Temp\Mercury.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
3221226540
Version:
0.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\mercury.exe
c:\windows\system32\ntdll.dll
PID: 7180
CMD: "C:\Users\admin\AppData\Local\Temp\Mercury.exe"
Path: C:\Users\admin\AppData\Local\Temp\Mercury.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Exit code:
0
Version:
0.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\mercury.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 7192
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: Mercury.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7300
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 7332
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7692
CMD: "C:\Users\admin\AppData\Local\Temp\Runtime Broker.exe"
Path: C:\Users\admin\AppData\Local\Temp\Runtime Broker.exe
Parent process: Mercury.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\runtime broker.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 7928
CMD: "C:\WINDOWS\RuntimeBroker.exe"
Path: C:\Windows\RuntimeBroker.exe
Parent process: Runtime Broker.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\windows\runtimebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 8004
CMD: netsh firewall add allowedprogram "C:\WINDOWS\RuntimeBroker.exe" "RuntimeBroker.exe" ENABLE
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: RuntimeBroker.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 8012
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: netsh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 6 812
Read events: 6 729
Write events: 83
Delete events: 0

Modification events

(PID) Process: (7928) RuntimeBroker.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: fc59070618756c4fcf60b192fe447301
Value: "C:\WINDOWS\RuntimeBroker.exe" ..

(PID) Process: (7928) RuntimeBroker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: fc59070618756c4fcf60b192fe447301
Value: "C:\WINDOWS\RuntimeBroker.exe" ..

(PID) Process: (7928) RuntimeBroker.exe
Key: HKEY_CURRENT_USER\Environment
Operation: write
Name: SEE_MASK_NOZONECHECKS
Value: 1

(PID) Process: (7928) RuntimeBroker.exe
Key: HKEY_CURRENT_USER\SOFTWARE\fc59070618756c4fcf60b192fe447301
Operation: write
Name: [kl]
Value: (empty)
Executable files: 3
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID: 7928
Process: RuntimeBroker.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fc59070618756c4fcf60b192fe447301.exe
Type: executable
MD5: EC23C8CE0BB78A93C49490074450A0C8
SHA256: 65A7B6DDEE7E14D5BA772B6697EFC0F6500B25B8CFEAB6935A47780B39FE595F

PID: 7692
Process: Runtime Broker.exe
Filename: C:\Windows\RuntimeBroker.exe
Type: executable
MD5: EC23C8CE0BB78A93C49490074450A0C8
SHA256: 65A7B6DDEE7E14D5BA772B6697EFC0F6500B25B8CFEAB6935A47780B39FE595F

PID: 7180
Process: Mercury.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xtvbryx3.te2.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7180
Process: Mercury.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_z54yl12g.0uf.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7180
Process: Mercury.exe
Filename: C:\Users\admin\AppData\Local\Temp\Runtime Broker.exe
Type: executable
MD5: EC23C8CE0BB78A93C49490074450A0C8
SHA256: 65A7B6DDEE7E14D5BA772B6697EFC0F6500B25B8CFEAB6935A47780B39FE595F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 54
DNS requests: 13
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 2.16.164.113:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
8168 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
8168 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted

(Type and Size were not reported for these requests.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 2.16.164.113:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.172.255.218:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 20.190.159.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2112 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

(A "-" marks a cell left blank in the report.)

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 2.16.164.113
  • 2.16.164.114
  • 2.16.164.112
whitelisted
google.com
  • 216.58.206.46
whitelisted
client.wns.windows.com
  • 172.172.255.218
whitelisted
login.live.com
  • 20.190.159.68
  • 20.190.159.73
  • 40.126.31.3
  • 20.190.159.75
  • 40.126.31.128
  • 40.126.31.71
  • 40.126.31.73
  • 40.126.31.0
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
xport.ddns.net
  • 110.169.136.91
malicious
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

PID: 2196
Process: svchost.exe
Class: Potentially Bad Traffic
Message: ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net