hxxp://files[.]msg[.]cx/Nighty2[.]2[.]zip

Analysis

max time kernel
264s
max time network
272s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
10/07/2024, 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://files.msg.cx/Nighty2.2.zip

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133650671261491443"	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3280	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
1348	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
2836	chrome.exe
2836	chrome.exe
1348	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
4744	Nighty.exe
4744	Nighty.exe
4744	Nighty.exe
4744	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
4744	Nighty.exe
4744	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
4744	Nighty.exe
4744	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
4744	Nighty.exe
4744	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
4744	Nighty.exe
4744	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
4744	Nighty.exe
4744	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
4744	Nighty.exe
4744	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
4744	Nighty.exe
4744	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe
4744	Nighty.exe
4744	Nighty.exe
1348	Nighty.exe
1348	Nighty.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2372	chrome.exe
2372	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4068	crack.exe
3012	Nighty.exe
480	crack.exe
2544	Nighty.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 4032	2372	chrome.exe	71
PID 2372 wrote to memory of 4032	2372	chrome.exe	71
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 4268	2372	chrome.exe	73
PID 2372 wrote to memory of 3220	2372	chrome.exe	74
PID 2372 wrote to memory of 3220	2372	chrome.exe	74
PID 2372 wrote to memory of 212	2372	chrome.exe	75
PID 2372 wrote to memory of 212	2372	chrome.exe	75
PID 2372 wrote to memory of 212	2372	chrome.exe	75
PID 2372 wrote to memory of 212	2372	chrome.exe	75
PID 2372 wrote to memory of 212	2372	chrome.exe	75
PID 2372 wrote to memory of 212	2372	chrome.exe	75
PID 2372 wrote to memory of 212	2372	chrome.exe	75
PID 2372 wrote to memory of 212	2372	chrome.exe	75
PID 2372 wrote to memory of 212	2372	chrome.exe	75
PID 2372 wrote to memory of 212	2372	chrome.exe	75
PID 2372 wrote to memory of 212	2372	chrome.exe	75
PID 2372 wrote to memory of 212	2372	chrome.exe	75
PID 2372 wrote to memory of 212	2372	chrome.exe	75
PID 2372 wrote to memory of 212	2372	chrome.exe	75
PID 2372 wrote to memory of 212	2372	chrome.exe	75
PID 2372 wrote to memory of 212	2372	chrome.exe	75
PID 2372 wrote to memory of 212	2372	chrome.exe	75
PID 2372 wrote to memory of 212	2372	chrome.exe	75
PID 2372 wrote to memory of 212	2372	chrome.exe	75
PID 2372 wrote to memory of 212	2372	chrome.exe	75
PID 2372 wrote to memory of 212	2372	chrome.exe	75
PID 2372 wrote to memory of 212	2372	chrome.exe	75

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://files.msg.cx/Nighty2.2.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8729f9758,0x7ff8729f9768,0x7ff8729f9778
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1696,i,493471291629522163,4879665127249671325,131072 /prefetch:2
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1940 --field-trial-handle=1696,i,493471291629522163,4879665127249671325,131072 /prefetch:8
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1696,i,493471291629522163,4879665127249671325,131072 /prefetch:8
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2644 --field-trial-handle=1696,i,493471291629522163,4879665127249671325,131072 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2668 --field-trial-handle=1696,i,493471291629522163,4879665127249671325,131072 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1696,i,493471291629522163,4879665127249671325,131072 /prefetch:8
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 --field-trial-handle=1696,i,493471291629522163,4879665127249671325,131072 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 --field-trial-handle=1696,i,493471291629522163,4879665127249671325,131072 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 --field-trial-handle=1696,i,493471291629522163,4879665127249671325,131072 /prefetch:8
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 --field-trial-handle=1696,i,493471291629522163,4879665127249671325,131072 /prefetch:8
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2508 --field-trial-handle=1696,i,493471291629522163,4879665127249671325,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2836

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3800

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3824

C:\Users\Admin\Downloads\Nighty2.2\selfbot\Nighty.exe
"C:\Users\Admin\Downloads\Nighty2.2\selfbot\Nighty.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "ver"
  2⤵
  PID:548
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:4544

C:\Users\Admin\Downloads\Nighty2.2\selfbot\Nighty.exe
"C:\Users\Admin\Downloads\Nighty2.2\selfbot\Nighty.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "ver"
  2⤵
  PID:824
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:2720

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Nighty2.2\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3280

C:\Users\Admin\Downloads\Nighty2.2\selfbot\crack.exe
"C:\Users\Admin\Downloads\Nighty2.2\selfbot\crack.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start Nighty.exe
  2⤵
  PID:2024
- - C:\Users\Admin\Downloads\Nighty2.2\selfbot\Nighty.exe
    Nighty.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1756
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get uuid
      4⤵
      PID:3632

C:\Users\Admin\Downloads\Nighty2.2\selfbot\crack.exe
"C:\Users\Admin\Downloads\Nighty2.2\selfbot\crack.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start Nighty.exe
  2⤵
  PID:1852
- - C:\Users\Admin\Downloads\Nighty2.2\selfbot\Nighty.exe
    Nighty.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1056
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get uuid
      4⤵
      PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\1644951f-c13d-4f25-9ff7-20d4f19c35f8.tmp

Filesize
150KB

MD5
4a4b0900ef37194cf7027ba822f79e6f

SHA1
b57136af77f5a46777a53e24feab49a47ba31a66

SHA256
4a5f42078423af5c62cfe32765e4e3d0fe02d5763f5284cd01bc6a84181910e3

SHA512
f6e1718c9e6e7c83ecb95dd99516c8e7275082f2b3d4973484a5c30b71ed064a7d995cca8650ac2737ef09f29b152ab6174d68c78eb320b2a9c0366280f1cf95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\4c92525f-1403-4b89-b82a-5a001f0e9ccf.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c7e0653d17108dcd443f8afea465a6a5

SHA1
dabbe15b3f9d31fbc715b59c0404bf4ce347b166

SHA256
72fd287ef0f37b371025f9233c518ecaee6723a55a0d34e9476854716eb3b01e

SHA512
a0dac4beac5386ee183881a8812819a24782a11c758a7610d92aff2f16bf736771896f0c2813081056d562185568c06cc7ffb550613c1eeded6182942cb0a505

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
873B

MD5
160a79f1e8753d9f97b9b46c52618631

SHA1
5cb8e89c37139306d284f9861c60f337977c5802

SHA256
2d397b702ec69185a6ca686e8ac01565c7df481d3177e77176323bea37103c1a

SHA512
689a854d0666e732282dbd8fdf25c3355aea731625bf676363de921f9465c69d81cc1e2500c9237331041c40373610a694da11cc11897f00ef770f700128c1dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
610e20d67f39729b2ee94c5d9e691934

SHA1
af68d543fc15fed7b770b4b5410f1c924c78872c

SHA256
a033896b310395a74beeeb652ef29bea6df762ad029b9143276044e1b5bd4b67

SHA512
18e7949863f4ca697b167c12618d703690b2ecf0c8070f56102393a0e984238ed4ee2b604c1f9c44ed19e3ed9912b2d7d8587fdd1b5e4a2e0eafacd6106a4362

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b8495272589e129b03e2a59de29e76d2

SHA1
6455a5931574f8a34221a0ef3822532eb59a58e2

SHA256
52a95ce1aab7b13a7a728b75bf82ca9527fa2de592747dae0982497321078105

SHA512
4a5081579ca5710e1153a28632d56f1814ad6c8ae3286320b183325b286761b79914ae527b000883d3aceebd81c2f9e2653edb0ef7ca503570c64d36902ca4b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1f8210542c6c7b76dccfe2d290b7440b

SHA1
7f5f16a72d7402dc8b9de9fd14548749e1c2683d

SHA256
3c59a050f32535991a9a66dbe2e507796301956769155ee71bb905a54b3b4f64

SHA512
7bca673bd820577998cff866ed250eca9d57224147b7b406fc7f6aefefbc9dd5572c03a0b86cc0ce67d992b02155aa34183892a8dd3663c083b50914bc1e1379

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7d5a9509ef766bf33d14acff8b4ab61c

SHA1
33f6ba3e31c342905a592c9d6ce0f5860cc032c6

SHA256
63e068ecaadc9d5c4531144e25897f019fc7ac32e900177ab315c6e8bb3a78ae

SHA512
e5663c196e58e70e329a5b152fbe9f683fb0ad3d9ca5e5c117bd3e54555777311620cea2de98e3be685537c412606dba0f187640c2438ee1241b94e506f622bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
98d79551eca2f57ec78cb0e55b1ee287

SHA1
70017a0c73c7217f240e51b11286af9828c3e902

SHA256
6b355a5e1a074173fad03160253499d6abf91dbfa89d9efe1a364faacc3310d1

SHA512
38277b1ab1f303d53570967e6a6b9ed09d1dae12a7b6f990866161a155f079c9163ae9be7656fec6c965258da87bcb5368c3e82c6ddbdb8c25d5b92f40c80d8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
cd29189779c9973ec180b9f92138badd

SHA1
4154f8470f323d48eac5ac54eabec5ba76fcf986

SHA256
a15d19e108c62599eb5924b411a63406713997d08d40dd794ad2b3e5a7239b14

SHA512
c2a39e97fa967e2b9ca93c34b59302f2ea4beeda1604f6d26dbce221a24c227cbc4cca6aeeda2fa0751571a57e09212e6aebb59c08024a8bd75c802ac22cbdd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
168KB

MD5
3d093d5f5ab1b41502b03bf112c6cfab

SHA1
8f11500ed79e631f6b9c34b52478c619bbcf214a

SHA256
64136be013a8e88da45ede6a5cac12a6a2ebbfba179fd69f9b167faeb6ee9987

SHA512
cff800b93ead5362a5c439642a54c5b32d6a9277fd61708e5432df65c67e0131d8f86b701fd219acbb0e6ca668a3ed84dda42ce7ed156a022735d318450af03d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
ceae10228f32443b7aa788bf2d684358

SHA1
2e150d3fe43116bb4a3108d8ba9ab651f9b1742e

SHA256
18d8e230419ffb2e0a4b800d69133e3811f2a475b1af8e8fdf8d4bbf43aceec3

SHA512
404bfd51d8df8a2a4799dac7a9a8a48b26e79cc748f645102a6043b459df1bc782dabed587ff22fd44138c177ff34b87316151587157e9402ee1cff12700c445

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
76c640c893d1c50c0398b8f08d7d9536

SHA1
cc9c00903b92b7361745efba70d5bf5d2ea432e0

SHA256
fe6a61ff46c0538491397e35b24aedb40ae080b9cfdbfd58ce802fbf18c02914

SHA512
16418d2d2c85d1ff21ce6e7e272b15efcd17a2f09f81ece8505edfb636283da1d311b92150e3ce4b2d61cd9ac89352f9324356e4aa6e0cc99e8139c792c44358

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
f649b018d31e6e8c07d51a2a439be303

SHA1
f7946a35c6a116e6a65b13fb523b1cd60dbff72e

SHA256
6e6dc3d453bf45e64e39ab394a9ff3e6bb9d3b87fe8a77f6a127df23b7e4fc2c

SHA512
d087237028df17e217ffee11f929131cae1399ac3a170627104e9257f4afb88a8f70346dddc06129cf0bc286d45c0a57fd50699ac65fcef9b6f61b176b9e69e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
b3f568d9cf096658b6043eebbe4aafc4

SHA1
6d047a849ebb449e8e7eeb0abc8e6d765a595f53

SHA256
3119797b59e3a2dbaaa24f745e2403ec10fa9bf975eed3b7456fc3a609acc88d

SHA512
1496bfa82655ff35e1fedd88e85b4df8dbf05887a9fde2f3bad6a9cb7f1c80bcf41fbeea1208327890312ca4eafa0bcc7712306d75dd4988cf174ac9b4425c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cert.pem

Filesize
1KB

MD5
dd2d40c43eba319dcda4f39b08030f74

SHA1
3add55a63c2e22195eadcf9714c9e38e9a65fa3b

SHA256
8fa17cf52659a5a1ffc00e38f85554c762ac7383a920601798093d028c6b8f63

SHA512
3c3d43290bff63a2a022086d7df75b59c08227a32790a12c94a6ce908f56b6e9107d5059c6857aa8013955f501b132ade4fd29b8667fc32e3158cbe8e94e8e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\gen_py\3.10\dicts.dat

Filesize
10B

MD5
2c7344f3031a5107275ce84aed227411

SHA1
68acad72a154cbe8b2d597655ff84fd31d57c43b

SHA256
83cda9fecc9c008b22c0c8e58cbcbfa577a3ef8ee9b2f983ed4a8659596d5c11

SHA512
f58362c70a2017875d231831ae5868df22d0017b00098a28aacb5753432e8c4267aa7cbf6c5680feb2dc9b7abade5654c3651685167cc26aa208a9eb71528bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\key.pem

Filesize
1KB

MD5
b9089e1e670e38741417c8ad6b515b0d

SHA1
fb1c3c746c20bcebfb0de6c0254114b8ddd89d99

SHA256
1abdc6bbd84581a3152673db60256949f16424629ad515bf352cb6c5a81764f4

SHA512
f0612767f7bd6c346ecb00f2c884f8ff7c6063da43a6b6a04d6e465237d4948232e3937f55cb8afc41d0c7472d7aa3a577bf2df6974f5aaf6d98a4513c52d2de

Download Submit
C:\Users\Admin\AppData\Local\Temp\lefunsaddws3333.dll

Filesize
580KB

MD5
b8d9bbc472fec0f6bf553f167b53ab45

SHA1
e565574422286a50149df787ad3bf1b1aa440287

SHA256
6bb38c2b764c3e79f3c8b850eccccdcc25cb8ee5409b3802860e8d6f872084fb

SHA512
160ea7873d4050142f9e6a9213a07c3da59f033bbdbe905c562dfedf5bff6ca814dd5c7ace77f9d87cb1553e21d99915def8627e92a0596164c6545597cb37d0

Download Submit
C:\Users\Admin\AppData\Roaming\Nighty Selfbot\auth.json

Filesize
21B

MD5
d32d592a8c05b5ed4df8915c47585439

SHA1
ba4e2ea5a1bbc80004de01d0a1a63141f9c8c778

SHA256
14fdeecd3df6dd591f0d7ebf053d26e7b6aa58f993cf13887108d0f509899c8a

SHA512
db4680ce3469a9d8579d475cf60fc6d004ff09fa5e3ae3f8cb142dc2ab3fecd61718d3f808d493215aa5c85cbb5b2c330690261aad623e7baf11b50e759ec951

Download Submit
C:\Users\Admin\AppData\Roaming\Nighty Selfbot\auth.json

Filesize
59B

MD5
5d38b2387e9cbdf7717bde17c4e20cfb

SHA1
bd32292c7285e770b8e36d4d25d8b68f3b2b7114

SHA256
f4954c3e1312f3e411fae840364db6fbeafb7bc90105e8ce7a79513511fc7171

SHA512
0eb574bae735c4d7ad2a60ff24a6a743ff33f7e712899be3b4bc6a576d176c4ac99230030b173f29c58336227d9f8b3624efcb3678e61a32e0c52e98527027c7

Download Submit
C:\Users\Admin\Downloads\Nighty2.2\selfbot\config.json

Filesize
560B

MD5
f50cd81113c1bfec829073237e1aa964

SHA1
155fb38b596caec324bff4d19cb9d7f760b5291e

SHA256
c780ef77c32653c6fdccc2db14afabb6fe2141c29a74d3d1d7eb7dce679c1bcd

SHA512
9db63ca64617611ed3cb94b18f56ce88266a254b8745c47202e06e37bb19a80305c38edd6f1597082fa96a9fd5ad8b4818383d01e46d260cf93e284f7cabc1b2

Download Submit
C:\Users\Admin\Downloads\Nighty2.2\selfbot\data\images\nighty.ico

Filesize
107KB

MD5
a3f5e6169009151b1eefdda06e536110

SHA1
e0487b3cb4b75da8bd35991b9ac3823403799460

SHA256
a9ca8d6d08711c8b291c8e3ceeb598d8e15ecbf2f4368c117aff0bd0bd28f3b1

SHA512
248f4d892e6afbb869e1eff673470ac690bbe6253835fc158cfe782cad1ba54810260148a0e0ceed5f0d857ccd3a79db7ea8fcdc4279620eee4e79ca2ef603c8

Download Submit
C:\Users\Admin\Downloads\Nighty2.2\selfbot\data\languages\english\english.json

Filesize
39KB

MD5
8c071d039827174d1d5ce9d344b9c01c

SHA1
7a4ab88d462b1b1c37cac11886857af553172a0d

SHA256
e525512bd86f20980f13870a28e1e4d3d15a29195cc61ed94f47c9dffb797522

SHA512
9ad5c724bcdfeeb3c10e49ebd43a7ffe1e69b688726b5cc1fb79eaff60e22519dffbbb782bdbb2f8a77d0b440c21fd53375ccdad32e7b3636c90ec7b260e1b94

Download Submit
C:\Users\Admin\Downloads\Nighty2.2\selfbot\data\themes\nighty\nighty.json

Filesize
427B

MD5
d76971f557b40983fb3752ee5cf76da4

SHA1
3e7180132b71cc367c3aeee4b5a7b96bbe034e9c

SHA256
53baad5765647ef245a69b474c8d15e5dc9fab37bd8781378e66221b6a12237b

SHA512
db60939c10567d40b38180db0629138fb4fc58f3aec251251d8416ebca927ed65766a26b206b216ee94615f66d67b792f4491c650626bac093a7f1db7e08ccc1

Download Submit
C:\Users\Admin\Downloads\Nighty2.2\selfbot\data\webhooks.json

Filesize
633B

MD5
a844a8635179711cc7277a31f613e00f

SHA1
a2a50ef26d1f04f86c0ae8ec731c76c107d44851

SHA256
27331adff11f7cb58e961587b7536aa49ec615906f68bef1655d4771a85e7fdf

SHA512
45c4847b4295c3e003c87d37a08727d81c41d31f537c85bd5db6fa6ef47997251a0633601fa2331bd3152dd3ba968cc85df1e84f3ba6ab2fc1db6d78c1a0ab88

Download Submit
memory/480-230-0x00007FF6C73A0000-0x00007FF6C78BD000-memory.dmp

Filesize
5.1MB

Download
memory/480-274-0x00007FF6C73A0000-0x00007FF6C78BD000-memory.dmp

Filesize
5.1MB

Download
memory/1348-135-0x0000028E556C0000-0x0000028E556DA000-memory.dmp

Filesize
104KB

Download
memory/1348-136-0x0000028E55630000-0x0000028E55638000-memory.dmp

Filesize
32KB

Download
memory/1348-148-0x0000000061B00000-0x0000000061B9F000-memory.dmp

Filesize
636KB

Download
memory/1348-147-0x00007FF778D40000-0x00007FF779D40000-memory.dmp

Filesize
16.0MB

Download
memory/1348-133-0x00007FF85E7E0000-0x00007FF85E7EA000-memory.dmp

Filesize
40KB

Download
memory/1348-137-0x0000028E556E0000-0x0000028E556E8000-memory.dmp

Filesize
32KB

Download
memory/1348-132-0x0000028E555F0000-0x0000028E555FA000-memory.dmp

Filesize
40KB

Download
memory/1348-134-0x0000028E6DBC0000-0x0000028E6DC30000-memory.dmp

Filesize
448KB

Download
memory/2544-263-0x0000000061B00000-0x0000000061B9F000-memory.dmp

Filesize
636KB

Download
memory/2544-240-0x00007FF85E7E0000-0x00007FF85E7EA000-memory.dmp

Filesize
40KB

Download
memory/3012-199-0x00007FF85E7E0000-0x00007FF85E7EA000-memory.dmp

Filesize
40KB

Download
memory/3012-216-0x0000000061B00000-0x0000000061B9F000-memory.dmp

Filesize
636KB

Download
memory/4068-190-0x00007FF6C73A0000-0x00007FF6C78BD000-memory.dmp

Filesize
5.1MB

Download
memory/4068-225-0x00007FF6C73A0000-0x00007FF6C78BD000-memory.dmp

Filesize
5.1MB

Download
memory/4744-175-0x0000000061B00000-0x0000000061B9F000-memory.dmp

Filesize
636KB

Download
memory/4744-158-0x00007FF85E7E0000-0x00007FF85E7EA000-memory.dmp

Filesize
40KB

Download