URL:

https://github.com/NightfallGTE/Mercurial-Grabber/tree/main/Mercurial

Full analysis: https://app.any.run/tasks/821fabfc-e1dc-467e-b037-292e28f15db2
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: September 11, 2024, 04:06:21
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
blankgrabber
uac
python
evasion
stealer
discord
pyinstaller
susp-powershell
growtopia
discordgrabber
generic
Indicators:
MD5:

4FE77D2D31B5358457613259BC844F19

SHA1:

610DA05B30667C96D750467D16819A76185CFE40

SHA256:

7A228227E58C73B1FA7E0BC2209077A7F50404BCA53CBCB6DD7CE295DF8532DB

SSDEEP:

3:N8tEdo+DgN8kdyKxdRKdWCz:2ue8kdy6RKdT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass User Account Control (Modify registry)

      • reg.exe (PID: 6848)
      • reg.exe (PID: 7444)

    • Bypass User Account Control (ComputerDefaults)

      • ComputerDefaults.exe (PID: 3652)
      • ComputerDefaults.exe (PID: 7576)

    • Adds path to the Windows Defender exclusion list

      • Mercurial.exe (PID: 4772)
      • cmd.exe (PID: 2520)
      • cmd.exe (PID: 7708)
      • Mercurial.exe (PID: 5148)
      • cmd.exe (PID: 2616)
      • cmd.exe (PID: 1116)

    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 4132)
      • MpCmdRun.exe (PID: 8016)
      • cmd.exe (PID: 2008)
      • MpCmdRun.exe (PID: 7872)

    • BlankGrabber has been detected

      • Mercurial.exe (PID: 2572)
      • Mercurial.exe (PID: 6604)
      • Mercurial.exe (PID: 6416)
      • Mercurial.exe (PID: 6920)

    • Windows Defender preferences modified via 'Set-MpPreference'

      • cmd.exe (PID: 4132)
      • cmd.exe (PID: 2008)

    • Create files in the Startup directory

      • Mercurial.exe (PID: 4772)
      • Mercurial.exe (PID: 5148)

    • Actions looks like stealing of personal data

      • Mercurial.exe (PID: 4772)
      • Mercurial.exe (PID: 5148)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7608)
      • powershell.exe (PID: 8176)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 6480)
      • cmd.exe (PID: 1812)

    • Stealers network behavior

      • Mercurial.exe (PID: 4772)

    • BLANKGRABBER has been detected (SURICATA)

      • Mercurial.exe (PID: 4772)

    • GROWTOPIA has been detected (YARA)

      • Mercurial.exe (PID: 5148)

    • DISCORDGRABBER has been detected (YARA)

      • Mercurial.exe (PID: 5148)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • chrome.exe (PID: 3208)
      • Mercurial.exe (PID: 6604)
      • Mercurial.exe (PID: 2572)
      • Mercurial.exe (PID: 4772)
      • Mercurial.exe (PID: 6416)
      • Mercurial.exe (PID: 6920)
      • Mercurial.exe (PID: 5148)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6816)
      • cmd.exe (PID: 32)
      • cmd.exe (PID: 1840)
      • cmd.exe (PID: 6968)
      • cmd.exe (PID: 5400)
      • cmd.exe (PID: 6512)

    • Process drops python dynamic module

      • Mercurial.exe (PID: 6604)
      • Mercurial.exe (PID: 2572)
      • Mercurial.exe (PID: 6416)
      • Mercurial.exe (PID: 6920)

    • Executable content was dropped or overwritten

      • Mercurial.exe (PID: 6604)
      • Mercurial.exe (PID: 2572)
      • Mercurial.exe (PID: 4772)
      • csc.exe (PID: 4528)
      • Mercurial.exe (PID: 6416)
      • Mercurial.exe (PID: 6920)
      • Mercurial.exe (PID: 5148)
      • csc.exe (PID: 8164)

    • Changes default file association

      • reg.exe (PID: 6848)
      • reg.exe (PID: 7444)

    • Found strings related to reading or modifying Windows Defender settings

      • Mercurial.exe (PID: 6560)
      • Mercurial.exe (PID: 4772)
      • Mercurial.exe (PID: 1084)
      • Mercurial.exe (PID: 5148)

    • Uses WEVTUTIL.EXE to query events from a log or log file

      • cmd.exe (PID: 1480)
      • cmd.exe (PID: 6140)
      • cmd.exe (PID: 5052)
      • cmd.exe (PID: 236)

    • The process drops C-runtime libraries

      • Mercurial.exe (PID: 2572)
      • Mercurial.exe (PID: 6604)
      • Mercurial.exe (PID: 6416)
      • Mercurial.exe (PID: 6920)

    • Starts CMD.EXE for commands execution

      • Mercurial.exe (PID: 4772)
      • Mercurial.exe (PID: 6560)
      • Mercurial.exe (PID: 5148)
      • Mercurial.exe (PID: 1084)

    • Application launched itself

      • Mercurial.exe (PID: 2572)
      • Mercurial.exe (PID: 6604)
      • Mercurial.exe (PID: 6416)
      • Mercurial.exe (PID: 6920)

    • Loads Python modules

      • Mercurial.exe (PID: 4772)
      • Mercurial.exe (PID: 6560)

    • Get information on the list of running processes

      • Mercurial.exe (PID: 4772)
      • cmd.exe (PID: 1608)
      • cmd.exe (PID: 7868)
      • cmd.exe (PID: 7848)
      • cmd.exe (PID: 7984)
      • cmd.exe (PID: 7428)
      • Mercurial.exe (PID: 5148)
      • cmd.exe (PID: 5704)
      • cmd.exe (PID: 360)
      • cmd.exe (PID: 1828)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2520)
      • cmd.exe (PID: 4132)
      • cmd.exe (PID: 7708)
      • cmd.exe (PID: 7976)
      • cmd.exe (PID: 6480)
      • cmd.exe (PID: 7172)
      • cmd.exe (PID: 7520)
      • cmd.exe (PID: 4784)
      • cmd.exe (PID: 8116)
      • cmd.exe (PID: 2616)
      • cmd.exe (PID: 2008)
      • cmd.exe (PID: 1116)
      • cmd.exe (PID: 7432)
      • cmd.exe (PID: 1812)
      • cmd.exe (PID: 7336)
      • cmd.exe (PID: 7944)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 4132)
      • cmd.exe (PID: 2008)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 6768)
      • WMIC.exe (PID: 7216)
      • WMIC.exe (PID: 6216)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 4132)
      • cmd.exe (PID: 2008)

    • Detected use of alternative data streams (AltDS)

      • powershell.exe (PID: 4672)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 2520)
      • cmd.exe (PID: 7708)
      • cmd.exe (PID: 2616)
      • cmd.exe (PID: 1116)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 4880)
      • cmd.exe (PID: 7952)
      • cmd.exe (PID: 7972)
      • cmd.exe (PID: 7520)
      • cmd.exe (PID: 6776)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 7596)
      • cmd.exe (PID: 7468)
      • cmd.exe (PID: 8012)
      • cmd.exe (PID: 7708)
      • cmd.exe (PID: 2768)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 7528)
      • WMIC.exe (PID: 7652)
      • WMIC.exe (PID: 7944)
      • WMIC.exe (PID: 6992)
      • WMIC.exe (PID: 4056)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 8100)
      • cmd.exe (PID: 6304)

    • Starts application with an unusual extension

      • cmd.exe (PID: 8028)
      • cmd.exe (PID: 6940)
      • cmd.exe (PID: 7660)
      • cmd.exe (PID: 7200)
      • cmd.exe (PID: 7892)
      • cmd.exe (PID: 7316)
      • cmd.exe (PID: 2180)
      • cmd.exe (PID: 2228)
      • cmd.exe (PID: 7332)
      • cmd.exe (PID: 1744)
      • cmd.exe (PID: 7428)
      • cmd.exe (PID: 1084)

    • Checks for external IP

      • Mercurial.exe (PID: 4772)
      • svchost.exe (PID: 2256)
      • Mercurial.exe (PID: 5148)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 8132)
      • cmd.exe (PID: 2628)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 6480)
      • cmd.exe (PID: 1812)

    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 7388)
      • WMIC.exe (PID: 6404)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 6480)
      • cmd.exe (PID: 1812)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 6480)
      • cmd.exe (PID: 1812)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6952)
      • cmd.exe (PID: 7120)
      • cmd.exe (PID: 6100)
      • cmd.exe (PID: 7416)
      • cmd.exe (PID: 7236)
      • cmd.exe (PID: 4132)
      • cmd.exe (PID: 7884)

    • The executable file from the user directory is run by the CMD process

      • rar.exe (PID: 7116)
      • rar.exe (PID: 4068)

    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 5464)
      • cmd.exe (PID: 8084)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 6912)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 2464)

  • INFO

    • Checks supported languages

      • Mercurial.exe (PID: 6604)
      • Mercurial.exe (PID: 2572)
      • Mercurial.exe (PID: 4772)
      • tree.com (PID: 7340)
      • tree.com (PID: 6456)
      • tree.com (PID: 7292)
      • Mercurial.exe (PID: 6560)
      • tree.com (PID: 3032)
      • tree.com (PID: 7688)
      • tree.com (PID: 7188)
      • csc.exe (PID: 4528)
      • MpCmdRun.exe (PID: 8016)
      • cvtres.exe (PID: 964)
      • rar.exe (PID: 7116)
      • Mercurial.exe (PID: 6416)
      • Mercurial.exe (PID: 6920)
      • Mercurial.exe (PID: 5148)
      • tree.com (PID: 6524)
      • tree.com (PID: 6240)
      • tree.com (PID: 6308)
      • tree.com (PID: 6264)
      • tree.com (PID: 6952)
      • tree.com (PID: 3996)
      • MpCmdRun.exe (PID: 7872)
      • csc.exe (PID: 8164)
      • cvtres.exe (PID: 7740)
      • rar.exe (PID: 4068)
      • Mercurial.exe (PID: 1084)

    • The process uses the downloaded file

      • chrome.exe (PID: 3208)
      • chrome.exe (PID: 5700)
      • cmd.exe (PID: 568)
      • cmd.exe (PID: 7212)

    • Application launched itself

      • chrome.exe (PID: 3208)

    • Create files in a temporary directory

      • Mercurial.exe (PID: 6560)
      • Mercurial.exe (PID: 6604)
      • Mercurial.exe (PID: 2572)
      • Mercurial.exe (PID: 4772)
      • MpCmdRun.exe (PID: 8016)
      • csc.exe (PID: 4528)
      • cvtres.exe (PID: 964)
      • rar.exe (PID: 7116)
      • Mercurial.exe (PID: 6416)
      • Mercurial.exe (PID: 1084)
      • Mercurial.exe (PID: 6920)
      • Mercurial.exe (PID: 5148)
      • csc.exe (PID: 8164)
      • cvtres.exe (PID: 7740)
      • rar.exe (PID: 4068)

    • Reads the computer name

      • Mercurial.exe (PID: 6604)
      • Mercurial.exe (PID: 2572)
      • Mercurial.exe (PID: 4772)
      • MpCmdRun.exe (PID: 8016)
      • Mercurial.exe (PID: 6416)
      • Mercurial.exe (PID: 6920)
      • Mercurial.exe (PID: 5148)
      • MpCmdRun.exe (PID: 7872)

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 3208)

    • Reads security settings of Internet Explorer

      • ComputerDefaults.exe (PID: 3652)
      • WMIC.exe (PID: 6768)
      • WMIC.exe (PID: 7528)
      • WMIC.exe (PID: 7652)
      • WMIC.exe (PID: 7388)
      • WMIC.exe (PID: 6912)
      • WMIC.exe (PID: 7216)
      • WMIC.exe (PID: 7944)
      • WMIC.exe (PID: 4444)
      • ComputerDefaults.exe (PID: 7576)
      • WMIC.exe (PID: 6216)
      • WMIC.exe (PID: 6992)
      • WMIC.exe (PID: 4056)
      • WMIC.exe (PID: 6404)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 6956)
      • mshta.exe (PID: 6584)

    • Creates files in the program directory

      • Mercurial.exe (PID: 4772)
      • Mercurial.exe (PID: 5148)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 7448)
      • powershell.exe (PID: 6424)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4672)
      • powershell.exe (PID: 7076)
      • powershell.exe (PID: 7756)
      • powershell.exe (PID: 7220)
      • powershell.exe (PID: 7952)
      • powershell.exe (PID: 7676)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4672)
      • powershell.exe (PID: 7076)
      • powershell.exe (PID: 7756)
      • powershell.exe (PID: 7840)
      • powershell.exe (PID: 8004)
      • powershell.exe (PID: 7952)
      • powershell.exe (PID: 7220)
      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 4004)
      • powershell.exe (PID: 6940)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 4528)
      • rar.exe (PID: 7116)
      • csc.exe (PID: 8164)
      • rar.exe (PID: 4068)

    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 7732)
      • getmac.exe (PID: 6336)

    • Checks proxy server information

      • slui.exe (PID: 6204)

    • PyInstaller has been detected (YARA)

      • Mercurial.exe (PID: 2572)
      • Mercurial.exe (PID: 6920)

    • Attempting to use instant messaging service

      • Mercurial.exe (PID: 4772)
      • svchost.exe (PID: 2256)

    • Reads the software policy settings

      • slui.exe (PID: 4760)
      • slui.exe (PID: 6204)

    • Manual execution by a user

      • notepad.exe (PID: 4068)
      • Mercurial.exe (PID: 6416)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • Mercurial.exe (PID: 5148)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
431
Monitored processes
289
Malicious processes
18
Suspicious processes
8

Behavior graph

Click at the process to see the details
start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs #BLANKGRABBER mercurial.exe mercurial.exe no specs sppextcomobj.exe no specs slui.exe cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs computerdefaults.exe no specs computerdefaults.exe no specs computerdefaults.exe #BLANKGRABBER mercurial.exe cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs #BLANKGRABBER mercurial.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs mshta.exe no specs powershell.exe no specs tasklist.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs svchost.exe cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs netsh.exe no specs tree.com no specs tasklist.exe no specs tasklist.exe no specs powershell.exe no specs wmic.exe no specs tasklist.exe no specs systeminfo.exe no specs reg.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs tiworker.exe no specs cmd.exe no specs conhost.exe no specs tree.com no specs csc.exe mpcmdrun.exe no specs cvtres.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs getmac.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs rar.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs slui.exe notepad.exe no specs rundll32.exe no specs #BLANKGRABBER mercurial.exe mercurial.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs computerdefaults.exe no specs computerdefaults.exe no specs computerdefaults.exe #BLANKGRABBER mercurial.exe cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs THREAT mercurial.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs mshta.exe no specs powershell.exe no specs tasklist.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs tasklist.exe no specs tree.com no specs netsh.exe no specs reg.exe no specs systeminfo.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs mpcmdrun.exe no specs tiworker.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs getmac.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs rar.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
32C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f"C:\Windows\System32\cmd.exeMercurial.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
236C:\WINDOWS\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"C:\Windows\System32\cmd.exeMercurial.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
360C:\WINDOWS\system32\cmd.exe /c "tasklist /FO LIST"C:\Windows\System32\cmd.exeMercurial.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
568"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5280 --field-trial-handle=1912,i,5129908344691565142,16961045446827115278,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
568C:\WINDOWS\system32\cmd.exe /c "computerdefaults --nouacbypass"C:\Windows\System32\cmd.exeMercurial.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
644\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
964\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
964wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:textC:\Windows\System32\wevtutil.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Eventing Command Line Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wevtutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\combase.dll
c:\windows\system32\sechost.dll
964\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES3626.tmp" "c:\Users\admin\AppData\Local\Temp\l2gexv3s\CSCFF82E345B43A4AA2BF51ECC558E2BC2.TMP"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
Total events
114 903
Read events
114 874
Write events
21
Delete events
8

Modification events

(PID) Process:(3208) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(3208) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(3208) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(3208) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(3208) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(5700) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value:
010000000000000073E12E050004DB01
(PID) Process:(6848) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:writeName:DelegateExecute
Value:
(PID) Process:(3652) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(3652) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3652) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
Executable files
80
Suspicious files
79
Text files
135
Unknown types
3

Dropped files

PID
Process
Filename
Type
3208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF12b1a5.TMP
MD5:
SHA256:
3208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
3208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
3208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
3208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
3208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old
MD5:
SHA256:
3208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF12b1d3.TMP
MD5:
SHA256:
3208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old
MD5:
SHA256:
3208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF12b1c4.TMPtext
MD5:139F545948FC1F10256A27E3C2CEF062
SHA256:9399CC6F9C335015E086DB37208B1816A7831221A005B04AC83C4F86CC04230D
3208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:723783C35EAEEE1492EDB30847AE6750
SHA256:C29323F784CF873BF34992E7A2B4630B19641BF42980109E31D5AF2D487DF6F8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
91
DNS requests
68
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1752
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
1752
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
6012
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1764
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3208
chrome.exe
GET
200
23.216.77.25:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
3208
chrome.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl
unknown
whitelisted
6356
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4772
Mercurial.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
shared
6356
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6012
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6268
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3208
chrome.exe
239.255.255.250:1900
whitelisted
7092
chrome.exe
140.82.121.3:443
github.com
GITHUB
US
shared
7092
chrome.exe
173.194.76.84:443
accounts.google.com
GOOGLE
US
whitelisted
7092
chrome.exe
185.199.110.154:443
github.githubassets.com
FASTLY
US
whitelisted
7092
chrome.exe
185.199.108.133:443
avatars.githubusercontent.com
FASTLY
US
shared
7092
chrome.exe
140.82.114.22:443
collector.github.com
GITHUB
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.142
whitelisted
github.com
  • 140.82.121.3
shared
accounts.google.com
  • 173.194.76.84
whitelisted
github.githubassets.com
  • 185.199.110.154
  • 185.199.111.154
  • 185.199.108.154
  • 185.199.109.154
whitelisted
avatars.githubusercontent.com
  • 185.199.108.133
  • 185.199.111.133
  • 185.199.109.133
  • 185.199.110.133
whitelisted
github-cloud.s3.amazonaws.com
  • 52.217.106.164
  • 3.5.29.50
  • 52.216.163.3
  • 54.231.137.65
  • 52.216.29.204
  • 16.182.97.25
  • 52.216.163.91
  • 52.217.201.41
shared
user-images.githubusercontent.com
  • 185.199.108.133
  • 185.199.111.133
  • 185.199.110.133
  • 185.199.109.133
whitelisted
collector.github.com
  • 140.82.114.22
whitelisted
content-autofill.googleapis.com
  • 142.250.186.170
  • 216.58.206.74
  • 142.250.186.138
  • 142.250.186.42
  • 142.250.185.234
  • 142.250.74.202
  • 142.250.184.234
  • 142.250.185.202
  • 216.58.206.42
  • 172.217.18.10
  • 172.217.16.202
  • 172.217.16.138
  • 142.250.184.202
  • 142.250.181.234
  • 142.250.186.106
  • 142.250.186.74
whitelisted

Threats

PID
Process
Class
Message
7092
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
7092
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
2256
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2256
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
4772
Mercurial.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
4772
Mercurial.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2256
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
4772
Mercurial.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
4772
Mercurial.exe
A Network Trojan was detected
STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
2256
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://github.com/NightfallGTE/Mercurial-Grabber/tree/main/Mercurial