URL:

https://github.com/NightfallGTE/Mercurial-Grabber/tree/main/Mercurial

Full analysis: https://app.any.run/tasks/821fabfc-e1dc-467e-b037-292e28f15db2
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: September 11, 2024, 04:06:21
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
blankgrabber
uac
python
evasion
stealer
discord
pyinstaller
susp-powershell
growtopia
discordgrabber
generic
Indicators:
MD5:

4FE77D2D31B5358457613259BC844F19

SHA1:

610DA05B30667C96D750467D16819A76185CFE40

SHA256:

7A228227E58C73B1FA7E0BC2209077A7F50404BCA53CBCB6DD7CE295DF8532DB

SSDEEP:

3:N8tEdo+DgN8kdyKxdRKdWCz:2ue8kdy6RKdT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • BlankGrabber has been detected

      • Mercurial.exe (PID: 6604)
      • Mercurial.exe (PID: 2572)
      • Mercurial.exe (PID: 6416)
      • Mercurial.exe (PID: 6920)

    • Bypass User Account Control (Modify registry)

      • reg.exe (PID: 6848)
      • reg.exe (PID: 7444)

    • Bypass User Account Control (ComputerDefaults)

      • ComputerDefaults.exe (PID: 3652)
      • ComputerDefaults.exe (PID: 7576)

    • Adds path to the Windows Defender exclusion list

      • Mercurial.exe (PID: 4772)
      • cmd.exe (PID: 2520)
      • cmd.exe (PID: 7708)
      • Mercurial.exe (PID: 5148)
      • cmd.exe (PID: 2616)
      • cmd.exe (PID: 1116)

    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 4132)
      • MpCmdRun.exe (PID: 8016)
      • cmd.exe (PID: 2008)
      • MpCmdRun.exe (PID: 7872)

    • Windows Defender preferences modified via 'Set-MpPreference'

      • cmd.exe (PID: 4132)
      • cmd.exe (PID: 2008)

    • Create files in the Startup directory

      • Mercurial.exe (PID: 4772)
      • Mercurial.exe (PID: 5148)

    • Actions looks like stealing of personal data

      • Mercurial.exe (PID: 4772)
      • Mercurial.exe (PID: 5148)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7608)
      • powershell.exe (PID: 8176)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 6480)
      • cmd.exe (PID: 1812)

    • BLANKGRABBER has been detected (SURICATA)

      • Mercurial.exe (PID: 4772)

    • Stealers network behavior

      • Mercurial.exe (PID: 4772)

    • DISCORDGRABBER has been detected (YARA)

      • Mercurial.exe (PID: 5148)

    • GROWTOPIA has been detected (YARA)

      • Mercurial.exe (PID: 5148)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • chrome.exe (PID: 3208)
      • Mercurial.exe (PID: 6604)
      • Mercurial.exe (PID: 2572)
      • Mercurial.exe (PID: 4772)
      • Mercurial.exe (PID: 6416)
      • Mercurial.exe (PID: 6920)
      • Mercurial.exe (PID: 5148)

    • The process drops C-runtime libraries

      • Mercurial.exe (PID: 6604)
      • Mercurial.exe (PID: 2572)
      • Mercurial.exe (PID: 6416)
      • Mercurial.exe (PID: 6920)

    • Process drops python dynamic module

      • Mercurial.exe (PID: 6604)
      • Mercurial.exe (PID: 2572)
      • Mercurial.exe (PID: 6416)
      • Mercurial.exe (PID: 6920)

    • Executable content was dropped or overwritten

      • Mercurial.exe (PID: 6604)
      • Mercurial.exe (PID: 2572)
      • Mercurial.exe (PID: 4772)
      • csc.exe (PID: 4528)
      • Mercurial.exe (PID: 6416)
      • Mercurial.exe (PID: 6920)
      • Mercurial.exe (PID: 5148)
      • csc.exe (PID: 8164)

    • Application launched itself

      • Mercurial.exe (PID: 6604)
      • Mercurial.exe (PID: 2572)
      • Mercurial.exe (PID: 6416)
      • Mercurial.exe (PID: 6920)

    • Starts CMD.EXE for commands execution

      • Mercurial.exe (PID: 6560)
      • Mercurial.exe (PID: 4772)
      • Mercurial.exe (PID: 1084)
      • Mercurial.exe (PID: 5148)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6816)
      • cmd.exe (PID: 1840)
      • cmd.exe (PID: 32)
      • cmd.exe (PID: 5400)
      • cmd.exe (PID: 6968)
      • cmd.exe (PID: 6512)

    • Loads Python modules

      • Mercurial.exe (PID: 6560)
      • Mercurial.exe (PID: 4772)

    • Changes default file association

      • reg.exe (PID: 6848)
      • reg.exe (PID: 7444)

    • Found strings related to reading or modifying Windows Defender settings

      • Mercurial.exe (PID: 6560)
      • Mercurial.exe (PID: 4772)
      • Mercurial.exe (PID: 1084)
      • Mercurial.exe (PID: 5148)

    • Uses WEVTUTIL.EXE to query events from a log or log file

      • cmd.exe (PID: 1480)
      • cmd.exe (PID: 6140)
      • cmd.exe (PID: 236)
      • cmd.exe (PID: 5052)

    • Get information on the list of running processes

      • Mercurial.exe (PID: 4772)
      • cmd.exe (PID: 1608)
      • cmd.exe (PID: 7868)
      • cmd.exe (PID: 7984)
      • cmd.exe (PID: 7848)
      • Mercurial.exe (PID: 5148)
      • cmd.exe (PID: 7428)
      • cmd.exe (PID: 360)
      • cmd.exe (PID: 1828)
      • cmd.exe (PID: 5704)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2520)
      • cmd.exe (PID: 4132)
      • cmd.exe (PID: 7708)
      • cmd.exe (PID: 6480)
      • cmd.exe (PID: 7976)
      • cmd.exe (PID: 7520)
      • cmd.exe (PID: 7172)
      • cmd.exe (PID: 4784)
      • cmd.exe (PID: 8116)
      • cmd.exe (PID: 2616)
      • cmd.exe (PID: 2008)
      • cmd.exe (PID: 1116)
      • cmd.exe (PID: 7432)
      • cmd.exe (PID: 1812)
      • cmd.exe (PID: 7336)
      • cmd.exe (PID: 7944)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 2520)
      • cmd.exe (PID: 7708)
      • cmd.exe (PID: 2616)
      • cmd.exe (PID: 1116)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 4132)
      • cmd.exe (PID: 2008)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 4132)
      • cmd.exe (PID: 2008)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 4880)
      • cmd.exe (PID: 7952)
      • cmd.exe (PID: 7972)
      • cmd.exe (PID: 7520)
      • cmd.exe (PID: 6776)

    • Detected use of alternative data streams (AltDS)

      • powershell.exe (PID: 4672)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 6768)
      • WMIC.exe (PID: 7216)
      • WMIC.exe (PID: 6216)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 7468)
      • cmd.exe (PID: 7596)
      • cmd.exe (PID: 8012)
      • cmd.exe (PID: 7708)
      • cmd.exe (PID: 2768)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 7528)
      • WMIC.exe (PID: 7652)
      • WMIC.exe (PID: 7944)
      • WMIC.exe (PID: 4056)
      • WMIC.exe (PID: 6992)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 8100)
      • cmd.exe (PID: 6304)

    • Starts application with an unusual extension

      • cmd.exe (PID: 8028)
      • cmd.exe (PID: 7660)
      • cmd.exe (PID: 6940)
      • cmd.exe (PID: 7200)
      • cmd.exe (PID: 7316)
      • cmd.exe (PID: 7892)
      • cmd.exe (PID: 2180)
      • cmd.exe (PID: 1744)
      • cmd.exe (PID: 2228)
      • cmd.exe (PID: 1084)
      • cmd.exe (PID: 7428)
      • cmd.exe (PID: 7332)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 6480)
      • cmd.exe (PID: 1812)

    • Checks for external IP

      • svchost.exe (PID: 2256)
      • Mercurial.exe (PID: 4772)
      • Mercurial.exe (PID: 5148)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 8132)
      • cmd.exe (PID: 2628)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 6480)
      • cmd.exe (PID: 1812)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 6480)
      • cmd.exe (PID: 1812)

    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 7388)
      • WMIC.exe (PID: 6404)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6100)
      • cmd.exe (PID: 6952)
      • cmd.exe (PID: 7120)
      • cmd.exe (PID: 7416)
      • cmd.exe (PID: 7236)
      • cmd.exe (PID: 4132)
      • cmd.exe (PID: 7884)

    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 5464)
      • cmd.exe (PID: 8084)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 6912)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 2464)

    • The executable file from the user directory is run by the CMD process

      • rar.exe (PID: 7116)
      • rar.exe (PID: 4068)

  • INFO

    • Application launched itself

      • chrome.exe (PID: 3208)

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 3208)

    • The process uses the downloaded file

      • chrome.exe (PID: 3208)
      • chrome.exe (PID: 5700)
      • cmd.exe (PID: 568)
      • cmd.exe (PID: 7212)

    • Reads the computer name

      • Mercurial.exe (PID: 6604)
      • Mercurial.exe (PID: 2572)
      • Mercurial.exe (PID: 4772)
      • MpCmdRun.exe (PID: 8016)
      • Mercurial.exe (PID: 6416)
      • Mercurial.exe (PID: 5148)
      • Mercurial.exe (PID: 6920)
      • MpCmdRun.exe (PID: 7872)

    • Checks supported languages

      • Mercurial.exe (PID: 6604)
      • Mercurial.exe (PID: 6560)
      • Mercurial.exe (PID: 2572)
      • Mercurial.exe (PID: 4772)
      • tree.com (PID: 7340)
      • tree.com (PID: 7292)
      • tree.com (PID: 6456)
      • csc.exe (PID: 4528)
      • tree.com (PID: 3032)
      • tree.com (PID: 7188)
      • tree.com (PID: 7688)
      • MpCmdRun.exe (PID: 8016)
      • cvtres.exe (PID: 964)
      • rar.exe (PID: 7116)
      • Mercurial.exe (PID: 6416)
      • Mercurial.exe (PID: 6920)
      • Mercurial.exe (PID: 1084)
      • Mercurial.exe (PID: 5148)
      • tree.com (PID: 6524)
      • tree.com (PID: 3996)
      • tree.com (PID: 6240)
      • tree.com (PID: 6308)
      • tree.com (PID: 6264)
      • tree.com (PID: 6952)
      • MpCmdRun.exe (PID: 7872)
      • csc.exe (PID: 8164)
      • cvtres.exe (PID: 7740)
      • rar.exe (PID: 4068)

    • Create files in a temporary directory

      • Mercurial.exe (PID: 6604)
      • Mercurial.exe (PID: 6560)
      • Mercurial.exe (PID: 2572)
      • Mercurial.exe (PID: 4772)
      • MpCmdRun.exe (PID: 8016)
      • csc.exe (PID: 4528)
      • cvtres.exe (PID: 964)
      • rar.exe (PID: 7116)
      • Mercurial.exe (PID: 6416)
      • Mercurial.exe (PID: 1084)
      • Mercurial.exe (PID: 6920)
      • Mercurial.exe (PID: 5148)
      • csc.exe (PID: 8164)
      • cvtres.exe (PID: 7740)
      • rar.exe (PID: 4068)

    • Reads security settings of Internet Explorer

      • ComputerDefaults.exe (PID: 3652)
      • WMIC.exe (PID: 6768)
      • WMIC.exe (PID: 7528)
      • WMIC.exe (PID: 7652)
      • WMIC.exe (PID: 7388)
      • WMIC.exe (PID: 6912)
      • WMIC.exe (PID: 4444)
      • WMIC.exe (PID: 7216)
      • WMIC.exe (PID: 7944)
      • ComputerDefaults.exe (PID: 7576)
      • WMIC.exe (PID: 6216)
      • WMIC.exe (PID: 6992)
      • WMIC.exe (PID: 4056)
      • WMIC.exe (PID: 6404)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 6956)
      • mshta.exe (PID: 6584)

    • Creates files in the program directory

      • Mercurial.exe (PID: 4772)
      • Mercurial.exe (PID: 5148)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 7448)
      • powershell.exe (PID: 6424)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7076)
      • powershell.exe (PID: 4672)
      • powershell.exe (PID: 7756)
      • powershell.exe (PID: 7220)
      • powershell.exe (PID: 7952)
      • powershell.exe (PID: 7676)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4672)
      • powershell.exe (PID: 7076)
      • powershell.exe (PID: 7756)
      • powershell.exe (PID: 7840)
      • powershell.exe (PID: 8004)
      • powershell.exe (PID: 7952)
      • powershell.exe (PID: 7220)
      • powershell.exe (PID: 4004)
      • powershell.exe (PID: 6940)
      • powershell.exe (PID: 7676)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 4528)
      • rar.exe (PID: 7116)
      • csc.exe (PID: 8164)
      • rar.exe (PID: 4068)

    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 7732)
      • getmac.exe (PID: 6336)

    • PyInstaller has been detected (YARA)

      • Mercurial.exe (PID: 2572)
      • Mercurial.exe (PID: 6920)

    • Reads the software policy settings

      • slui.exe (PID: 4760)
      • slui.exe (PID: 6204)

    • Attempting to use instant messaging service

      • svchost.exe (PID: 2256)
      • Mercurial.exe (PID: 4772)

    • Manual execution by a user

      • Mercurial.exe (PID: 6416)
      • notepad.exe (PID: 4068)

    • Checks proxy server information

      • slui.exe (PID: 6204)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • Mercurial.exe (PID: 5148)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
431
Monitored processes
289
Malicious processes
18
Suspicious processes
8

Behavior graph

Click at the process to see the details
start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs #BLANKGRABBER mercurial.exe mercurial.exe no specs sppextcomobj.exe no specs slui.exe cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs computerdefaults.exe no specs computerdefaults.exe no specs computerdefaults.exe #BLANKGRABBER mercurial.exe cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs #BLANKGRABBER mercurial.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs mshta.exe no specs powershell.exe no specs tasklist.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs svchost.exe cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs netsh.exe no specs tree.com no specs tasklist.exe no specs tasklist.exe no specs powershell.exe no specs wmic.exe no specs tasklist.exe no specs systeminfo.exe no specs reg.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs tiworker.exe no specs cmd.exe no specs conhost.exe no specs tree.com no specs csc.exe mpcmdrun.exe no specs cvtres.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs getmac.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs rar.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs slui.exe notepad.exe no specs rundll32.exe no specs #BLANKGRABBER mercurial.exe mercurial.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs computerdefaults.exe no specs computerdefaults.exe no specs computerdefaults.exe #BLANKGRABBER mercurial.exe cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs THREAT mercurial.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs mshta.exe no specs powershell.exe no specs tasklist.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs tasklist.exe no specs tree.com no specs netsh.exe no specs reg.exe no specs systeminfo.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs mpcmdrun.exe no specs tiworker.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs getmac.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs rar.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
32C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f"C:\Windows\System32\cmd.exeMercurial.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
236C:\WINDOWS\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"C:\Windows\System32\cmd.exeMercurial.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
360C:\WINDOWS\system32\cmd.exe /c "tasklist /FO LIST"C:\Windows\System32\cmd.exeMercurial.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
568"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5280 --field-trial-handle=1912,i,5129908344691565142,16961045446827115278,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
568C:\WINDOWS\system32\cmd.exe /c "computerdefaults --nouacbypass"C:\Windows\System32\cmd.exeMercurial.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
644\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
964\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
964wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:textC:\Windows\System32\wevtutil.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Eventing Command Line Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wevtutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\combase.dll
c:\windows\system32\sechost.dll
964\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES3626.tmp" "c:\Users\admin\AppData\Local\Temp\l2gexv3s\CSCFF82E345B43A4AA2BF51ECC558E2BC2.TMP"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
Total events
114 903
Read events
114 874
Write events
21
Delete events
8

Modification events

(PID) Process:(3208) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(3208) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(3208) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(3208) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(3208) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(5700) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value:
010000000000000073E12E050004DB01
(PID) Process:(6848) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:writeName:DelegateExecute
Value:
(PID) Process:(3652) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(3652) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3652) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
Executable files
80
Suspicious files
79
Text files
135
Unknown types
3

Dropped files

PID
Process
Filename
Type
3208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF12b1a5.TMP
MD5:
SHA256:
3208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
3208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
3208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
3208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
3208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old
MD5:
SHA256:
3208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF12b1d3.TMP
MD5:
SHA256:
3208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old
MD5:
SHA256:
3208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Variationsbinary
MD5:961E3604F228B0D10541EBF921500C86
SHA256:F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
3208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Versiontext
MD5:FCE53E052E5CF7C20819320F374DEA88
SHA256:CD95DE277E746E92CC2C53D9FC92A8F6F0C3EDFB7F1AD9A4E9259F927065BC89
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
91
DNS requests
68
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5148
Mercurial.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
shared
1752
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
1752
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
6012
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1764
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3208
chrome.exe
GET
200
23.216.77.25:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
3208
chrome.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl
unknown
whitelisted
4772
Mercurial.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
shared
6356
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6356
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6012
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6268
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3208
chrome.exe
239.255.255.250:1900
whitelisted
7092
chrome.exe
140.82.121.3:443
github.com
GITHUB
US
shared
7092
chrome.exe
173.194.76.84:443
accounts.google.com
GOOGLE
US
whitelisted
7092
chrome.exe
185.199.110.154:443
github.githubassets.com
FASTLY
US
whitelisted
7092
chrome.exe
185.199.108.133:443
avatars.githubusercontent.com
FASTLY
US
shared
7092
chrome.exe
140.82.114.22:443
collector.github.com
GITHUB
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.142
whitelisted
github.com
  • 140.82.121.3
shared
accounts.google.com
  • 173.194.76.84
whitelisted
github.githubassets.com
  • 185.199.110.154
  • 185.199.111.154
  • 185.199.108.154
  • 185.199.109.154
whitelisted
avatars.githubusercontent.com
  • 185.199.108.133
  • 185.199.111.133
  • 185.199.109.133
  • 185.199.110.133
whitelisted
github-cloud.s3.amazonaws.com
  • 52.217.106.164
  • 3.5.29.50
  • 52.216.163.3
  • 54.231.137.65
  • 52.216.29.204
  • 16.182.97.25
  • 52.216.163.91
  • 52.217.201.41
shared
user-images.githubusercontent.com
  • 185.199.108.133
  • 185.199.111.133
  • 185.199.110.133
  • 185.199.109.133
whitelisted
collector.github.com
  • 140.82.114.22
whitelisted
content-autofill.googleapis.com
  • 142.250.186.170
  • 216.58.206.74
  • 142.250.186.138
  • 142.250.186.42
  • 142.250.185.234
  • 142.250.74.202
  • 142.250.184.234
  • 142.250.185.202
  • 216.58.206.42
  • 172.217.18.10
  • 172.217.16.202
  • 172.217.16.138
  • 142.250.184.202
  • 142.250.181.234
  • 142.250.186.106
  • 142.250.186.74
whitelisted

Threats

PID
Process
Class
Message
7092
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
7092
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
2256
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2256
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
4772
Mercurial.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
4772
Mercurial.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2256
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
4772
Mercurial.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
4772
Mercurial.exe
A Network Trojan was detected
STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
2256
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://github.com/NightfallGTE/Mercurial-Grabber/tree/main/Mercurial