hxxps://cdn[.]discordapp[.]com/attachments/1042370929608626218/1208786130707816543/Your[.]Only[.]Move[.]is[.]HUSTLE[.]v1[.]8[.]23[.]zip?ex=65e48ccf&is=65d217cf&hm=509cf7e7882f4c58c1366ff93dd0e2e930b385ab692456527dda08a78a34bf0f&

Resubmissions

18/02/2024, 15:56

240218-tdmvbscd45 1

18/02/2024, 15:56

18/02/2024, 15:53

18/02/2024, 15:53

18/02/2024, 15:51

18/02/2024, 15:48

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1042370929608626218/1208786130707816543/Your.Only.Move.is.HUSTLE.v1.8.23.zip?ex=65e48ccf&is=65d217cf&hm=509cf7e7882f4c58c1366ff93dd0e2e930b385ab692456527dda08a78a34bf0f&

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	firefox.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
4276	NOTEPAD.EXE
3920	NOTEPAD.EXE
1336	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2544	msedge.exe
2544	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4828	identity_helper.exe
4828	identity_helper.exe
2208	msedge.exe
2208	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe
4156	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4248	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	924	firefox.exe
Token: SeDebugPrivilege	924	firefox.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
924	firefox.exe
924	firefox.exe
924	firefox.exe
924	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
924	firefox.exe
924	firefox.exe
924	firefox.exe

Suspicious use of SetWindowsHookEx 40 IoCs

pid	Process
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
4248	OpenWith.exe
924	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 4420	4136	msedge.exe	86
PID 4136 wrote to memory of 4420	4136	msedge.exe	86
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 4492	4136	msedge.exe	89
PID 4136 wrote to memory of 2544	4136	msedge.exe	87
PID 4136 wrote to memory of 2544	4136	msedge.exe	87
PID 4136 wrote to memory of 4240	4136	msedge.exe	88
PID 4136 wrote to memory of 4240	4136	msedge.exe	88
PID 4136 wrote to memory of 4240	4136	msedge.exe	88
PID 4136 wrote to memory of 4240	4136	msedge.exe	88
PID 4136 wrote to memory of 4240	4136	msedge.exe	88
PID 4136 wrote to memory of 4240	4136	msedge.exe	88
PID 4136 wrote to memory of 4240	4136	msedge.exe	88
PID 4136 wrote to memory of 4240	4136	msedge.exe	88
PID 4136 wrote to memory of 4240	4136	msedge.exe	88
PID 4136 wrote to memory of 4240	4136	msedge.exe	88
PID 4136 wrote to memory of 4240	4136	msedge.exe	88
PID 4136 wrote to memory of 4240	4136	msedge.exe	88
PID 4136 wrote to memory of 4240	4136	msedge.exe	88
PID 4136 wrote to memory of 4240	4136	msedge.exe	88
PID 4136 wrote to memory of 4240	4136	msedge.exe	88
PID 4136 wrote to memory of 4240	4136	msedge.exe	88
PID 4136 wrote to memory of 4240	4136	msedge.exe	88
PID 4136 wrote to memory of 4240	4136	msedge.exe	88
PID 4136 wrote to memory of 4240	4136	msedge.exe	88
PID 4136 wrote to memory of 4240	4136	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1042370929608626218/1208786130707816543/Your.Only.Move.is.HUSTLE.v1.8.23.zip?ex=65e48ccf&is=65d217cf&hm=509cf7e7882f4c58c1366ff93dd0e2e930b385ab692456527dda08a78a34bf0f&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbcdb146f8,0x7ffbcdb14708,0x7ffbcdb14718
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,13582012078115320101,8940265946080076201,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,13582012078115320101,8940265946080076201,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13582012078115320101,8940265946080076201,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13582012078115320101,8940265946080076201,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13582012078115320101,8940265946080076201,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13582012078115320101,8940265946080076201,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13582012078115320101,8940265946080076201,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13582012078115320101,8940265946080076201,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13582012078115320101,8940265946080076201,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,13582012078115320101,8940265946080076201,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13582012078115320101,8940265946080076201,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13582012078115320101,8940265946080076201,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13582012078115320101,8940265946080076201,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13582012078115320101,8940265946080076201,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,13582012078115320101,8940265946080076201,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13582012078115320101,8940265946080076201,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1344

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1308

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Your.Only.Move.is.HUSTLE.v1.8.23.zip\Your.Only.Move.is.HUSTLE.v1.8.23\HOW TO RUN GAME!!.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1336

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Your.Only.Move.is.HUSTLE.v1.8.23.zip\Your.Only.Move.is.HUSTLE.v1.8.23\HOW TO RUN GAME!!.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4276

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Your.Only.Move.is.HUSTLE.v1.8.23\Your.Only.Move.is.HUSTLE.v1.8.23\HOW TO RUN GAME!!.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3920

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4248
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Your.Only.Move.is.HUSTLE.v1.8.23\Your.Only.Move.is.HUSTLE.v1.8.23\Your.Only.Move.is.HUSTLE.v1.8.23\YourOnlyMoveIsHUSTLE.pck"
  2⤵
  PID:1864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\Your.Only.Move.is.HUSTLE.v1.8.23\Your.Only.Move.is.HUSTLE.v1.8.23\Your.Only.Move.is.HUSTLE.v1.8.23\YourOnlyMoveIsHUSTLE.pck
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:924
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="924.0.1572541574\1680385220" -parentBuildID 20221007134813 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b55e32e1-04f9-4d68-89f2-6e7de343f41d} 924 "\\.\pipe\gecko-crash-server-pipe.924" 1964 1dfa1dc1658 gpu
      4⤵
      PID:3444
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="924.1.1492945700\885703210" -parentBuildID 20221007134813 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4aee9ba2-2edb-4e33-b9d4-c50d2497f40b} 924 "\\.\pipe\gecko-crash-server-pipe.924" 2388 1df8df76b58 socket
      4⤵
      PID:4848
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="924.2.1661629739\446875628" -childID 1 -isForBrowser -prefsHandle 3340 -prefMapHandle 3336 -prefsLen 21603 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3534ea2a-c263-4f34-a6de-ee0e3f2f6e8a} 924 "\\.\pipe\gecko-crash-server-pipe.924" 3348 1dfa5cf0258 tab
      4⤵
      PID:2104
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="924.3.1442260841\669049013" -childID 2 -isForBrowser -prefsHandle 3692 -prefMapHandle 3688 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2af152a3-5343-4d2d-8251-39204d5a0d16} 924 "\\.\pipe\gecko-crash-server-pipe.924" 3700 1dfa43f5558 tab
      4⤵
      PID:2440
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="924.4.94560676\541913665" -childID 3 -isForBrowser -prefsHandle 5204 -prefMapHandle 5200 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7be77f4-f50a-4840-9e78-f7986fb89c70} 924 "\\.\pipe\gecko-crash-server-pipe.924" 5212 1dfa7d07858 tab
      4⤵
      PID:3848
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="924.6.562402805\204099574" -childID 5 -isForBrowser -prefsHandle 5516 -prefMapHandle 5520 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b87706d-7413-4aa7-9ece-bae8af7c7707} 924 "\\.\pipe\gecko-crash-server-pipe.924" 5508 1dfa825df58 tab
      4⤵
      PID:4916
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="924.5.1719260443\128961052" -childID 4 -isForBrowser -prefsHandle 5340 -prefMapHandle 5344 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7051925b-3c1f-4532-8938-7bcc49b92006} 924 "\\.\pipe\gecko-crash-server-pipe.924" 5108 1dfa825be58 tab
      4⤵
      PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7a5862a0ca86c0a4e8e0b30261858e1f

SHA1
ee490d28e155806d255e0f17be72509be750bf97

SHA256
92b4c004a9ec97ccf7a19955926982bac099f3b438cd46063bb9bf5ac7814a4b

SHA512
0089df12ed908b4925ba838e07128987afe1c9235097b62855122a03ca6d34d7c75fe4c30e68581c946b77252e7edf1dd66481e20c0a9cccd37e0a4fe4f0a6fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
de09f1c259de748db1c27770327f252c

SHA1
e880187e1f9206e827b7520500b43eec6c955586

SHA256
f12a45f15b3c5baaf50bb4fb3745aab66051b0e3bc450f71f62d2671d8e08390

SHA512
d1b2394eadb611922258f1546143a17cb190e412116850e4bd7396ff72db632cc2451b332f51230b2c61eb4582ba4de07ce91a1605e2e70e0936b11419cb82e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c1e263111174090ed0266b150b4db24a

SHA1
845702b349c597dae84dbc347ed587d383ff6be9

SHA256
fae1796513b3316e5961f0ea1392696da5323a5b7fc4dbe5c157d4c27390ec54

SHA512
29cca94b86381782322aca835b65c7d0439d5c1793e6e66ccaf101f34e717a1d1b769dd0aa0dcacc9144b0fc5a37ce371377145b1b4c4296bf7427784c6cfdfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9a440b893ba554d2b209ca84e8753328

SHA1
adb578eb728099e17a1c4444583ddfcc3e522396

SHA256
cb6a955ccb8e45a2640ead7a8467baa1804faf737a39f1d0088144ed11e3ce68

SHA512
d6db9581ecace0f49e12b9b89f3a163d83957ec214d729020999dd577969ae74bf98bd45f2fddba342b6b13ea34f388d88d79d23891009ec7d5f0fa40a19020f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
52826cef6409f67b78148b75e442b5ea

SHA1
a675db110aae767f5910511751cc3992cddcc393

SHA256
98fc43994599573e7181c849e5865f23b4f05f85c1115dff53c58764d80373fb

SHA512
f18df18cab6b5ecd71b79c81a2a1fdac42cc9960f62f06ac25f4d6487792705f2766ee3a10239eaac940d090186e6bc820e4eb7a5ee138f6e5c1c64f951b960c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
46c2289313e8d5a04ee8f0f23b2694e9

SHA1
f1118e1d0682d0245fe59a2984ca7a882f947ea8

SHA256
13857d47f7643d4b9f1a41c457bb0e45232ff832fa87f9db2f9bd961fa53d7d6

SHA512
c0be14a1cc1078e81b0ddf86b1dd01a521725a94021cea06a5a498e62474e88ee83dc7f0f351047dbfa3cbedf0080f95259ec635e6129e9247447f37da208bc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
733808a0d2f1c549755390179778a558

SHA1
cb458a1481ee1e74388f2b99eb2776b206f01c7a

SHA256
9a607becb7764055d2253ba56bc218b4d722cf7348e68f005d07fd93ffc3328c

SHA512
b89a2b9a815205d12d4bd94ee65a18064ed6fd600f8ca13082d2a7ea82d8901dcf0fdba8d41f9919ad8a1a98c74c3a1b67e6a1aeb5b67214c8ded31358befa2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
646a4bca135d45fc5e2543b8c41e4519

SHA1
0506fb4284e642fa480f8714691abe344703dcd0

SHA256
d0cba3b15aaff5b1e0f3146bbf8f13a7e41e3818eb52b047e0deb21afbfdfd4a

SHA512
ce70c60896820da2c501f588c307561acd37ef6a5b9d3118ac83b2b4169493549ffad8949f16511d4eea9a05c5db8b6126e2ed2bf8caa8ae0800f62af7028291

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
61f29153a2efb59159b2946c5cb2c84c

SHA1
3d7221b722749fa578ebc433083b8c791e232bbf

SHA256
b52c56c7023649069f3314a687132d5b69cd712a5c0afeb48f84b2640aa04539

SHA512
61df53b1d179f5b2d3f0c64809cc80492c707f424add5b4db7839c6ca2c8b515956f8332e97324e6aa467ddf6dbe90540634eb6999493f86e6522d6853f11c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\datareporting\glean\pending_pings\8e22022b-895c-4e85-8822-55e89ba01fd7

Filesize
746B

MD5
7e312cfb2cc0a4db352f7f77d6821e45

SHA1
0ddc7be09f5a2d50b1fd45f70d70471facc8a518

SHA256
278ec6b89c197e3f5d63e822dd11c8f8bef7611c398f341c6fd725d1a519b85d

SHA512
426dd90cbe9986a12500abcddb9578dfbf312e4c3e1f757f5bca0fdf5cbbafb15a250c7574677c1f737d75521c3514d1dd7becc2fff9cc6e9c4fe1a9a7b237dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\datareporting\glean\pending_pings\9f64f9a3-0909-41e8-9b4c-c79e82ff9f97

Filesize
11KB

MD5
79e84046edcb92ebe23bc002535cdfa0

SHA1
d1f2a65b15a860dca3a74eaa372d83ed17f63380

SHA256
2cba6518af1b088da312d802ce338d7f28ec0a91b46eaf711ec371244a687dd3

SHA512
df3fc46b41a14823ab06847444f3456000e5b7e9947ec4d09db8f8cad303c834a64c1483d593cb1e91dc13ff4db966eb848a8efe976e07c245368bd8b7c901e8

Download Submit
C:\Users\Admin\Downloads\3tiohQY0.pck.part

Filesize
11.1MB

MD5
e4c67424cf5beff40b3a18dac1f7ed30

SHA1
d641da5c81da465ed4c2e85a6c1a9ef1670b52c2

SHA256
d97ff99f9861fc59b6a06f56befb3b1a98f2b8e9611476786f31a62bd8aca353

SHA512
e0fd887eff41409215a7220d06e004b3879b995b2d8a21b7ef765015efa87b24826b4876b97745ac108fd02022d9f05eb69c566f7bc21c8a8956b660a3247287

Download Submit
C:\Users\Admin\Downloads\Your.Only.Move.is.HUSTLE.v1.8.23.zip

Filesize
9.6MB

MD5
4f699d9f28df8c8d5667e457d99c34b1

SHA1
6ea02f1e55158275aa913d1a32276ba22a0bb8da

SHA256
dde1f07ebbcf0983bcbedeccc97dcb3dad9e0d30444722b511df7e7b08705caf

SHA512
11381e7ff697dddc0c4a50ff80599d3529914618beb3ee88590949550ee19c9ce8ae1d746ded973c9be1a08cd6915cff44ce4bcc786d55a41cfdab1dcff19386

Download Submit