hxxps://cdn[.]discordapp[.]com/attachments/1042370929608626218/1208786130707816543/Your[.]Only[.]Move[.]is[.]HUSTLE[.]v1[.]8[.]23[.]zip?ex=65e48ccf&is=65d217cf&hm=509cf7e7882f4c58c1366ff93dd0e2e930b385ab692456527dda08a78a34bf0f&

Resubmissions

18/02/2024, 15:56

240218-tdmvbscd45 1

18/02/2024, 15:56

18/02/2024, 15:53

18/02/2024, 15:53

18/02/2024, 15:51

18/02/2024, 15:48

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1042370929608626218/1208786130707816543/Your.Only.Move.is.HUSTLE.v1.8.23.zip?ex=65e48ccf&is=65d217cf&hm=509cf7e7882f4c58c1366ff93dd0e2e930b385ab692456527dda08a78a34bf0f&

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3684	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3388	msedge.exe
3388	msedge.exe
3992	msedge.exe
3992	msedge.exe
1248	identity_helper.exe
1248	identity_helper.exe
4436	msedge.exe
4436	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4200	OpenWith.exe
5452	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4060	firefox.exe
Token: SeDebugPrivilege	4060	firefox.exe
Token: SeDebugPrivilege	4060	firefox.exe
Token: SeDebugPrivilege	4060	firefox.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
5452	OpenWith.exe
5452	OpenWith.exe
5452	OpenWith.exe
5452	OpenWith.exe
5452	OpenWith.exe
5452	OpenWith.exe
5452	OpenWith.exe
5452	OpenWith.exe
5452	OpenWith.exe
5452	OpenWith.exe
5452	OpenWith.exe
5452	OpenWith.exe
5452	OpenWith.exe
5452	OpenWith.exe
5452	OpenWith.exe
5452	OpenWith.exe
5452	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 1432	3992	msedge.exe	85
PID 3992 wrote to memory of 1432	3992	msedge.exe	85
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 4340	3992	msedge.exe	86
PID 3992 wrote to memory of 3388	3992	msedge.exe	87
PID 3992 wrote to memory of 3388	3992	msedge.exe	87
PID 3992 wrote to memory of 5112	3992	msedge.exe	88
PID 3992 wrote to memory of 5112	3992	msedge.exe	88
PID 3992 wrote to memory of 5112	3992	msedge.exe	88
PID 3992 wrote to memory of 5112	3992	msedge.exe	88
PID 3992 wrote to memory of 5112	3992	msedge.exe	88
PID 3992 wrote to memory of 5112	3992	msedge.exe	88
PID 3992 wrote to memory of 5112	3992	msedge.exe	88
PID 3992 wrote to memory of 5112	3992	msedge.exe	88
PID 3992 wrote to memory of 5112	3992	msedge.exe	88
PID 3992 wrote to memory of 5112	3992	msedge.exe	88
PID 3992 wrote to memory of 5112	3992	msedge.exe	88
PID 3992 wrote to memory of 5112	3992	msedge.exe	88
PID 3992 wrote to memory of 5112	3992	msedge.exe	88
PID 3992 wrote to memory of 5112	3992	msedge.exe	88
PID 3992 wrote to memory of 5112	3992	msedge.exe	88
PID 3992 wrote to memory of 5112	3992	msedge.exe	88
PID 3992 wrote to memory of 5112	3992	msedge.exe	88
PID 3992 wrote to memory of 5112	3992	msedge.exe	88
PID 3992 wrote to memory of 5112	3992	msedge.exe	88
PID 3992 wrote to memory of 5112	3992	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1042370929608626218/1208786130707816543/Your.Only.Move.is.HUSTLE.v1.8.23.zip?ex=65e48ccf&is=65d217cf&hm=509cf7e7882f4c58c1366ff93dd0e2e930b385ab692456527dda08a78a34bf0f&
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd2f4c46f8,0x7ffd2f4c4708,0x7ffd2f4c4718
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,4296716199923379254,12262872036659961172,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,4296716199923379254,12262872036659961172,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,4296716199923379254,12262872036659961172,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4296716199923379254,12262872036659961172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4296716199923379254,12262872036659961172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,4296716199923379254,12262872036659961172,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,4296716199923379254,12262872036659961172,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4296716199923379254,12262872036659961172,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4296716199923379254,12262872036659961172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4296716199923379254,12262872036659961172,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4296716199923379254,12262872036659961172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2232,4296716199923379254,12262872036659961172,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4296716199923379254,12262872036659961172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2232,4296716199923379254,12262872036659961172,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4296716199923379254,12262872036659961172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2232,4296716199923379254,12262872036659961172,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4296716199923379254,12262872036659961172,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,4296716199923379254,12262872036659961172,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5904 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3848

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:848

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Your.Only.Move.is.HUSTLE.v1.8.23.zip\Your.Only.Move.is.HUSTLE.v1.8.23\HOW TO RUN GAME!!.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3684

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4200
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Temp1_Your.Only.Move.is.HUSTLE.v1.8.23.zip\Your.Only.Move.is.HUSTLE.v1.8.23\Your.Only.Move.is.HUSTLE.v1.8.23\YourOnlyMoveIsHUSTLE.pck"
  2⤵
  PID:2520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\Temp1_Your.Only.Move.is.HUSTLE.v1.8.23.zip\Your.Only.Move.is.HUSTLE.v1.8.23\Your.Only.Move.is.HUSTLE.v1.8.23\YourOnlyMoveIsHUSTLE.pck
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4060
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.0.842944483\1159938669" -parentBuildID 20221007134813 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 20671 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ce392b8-3866-4030-9c71-f63b40b703b2} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 1976 1a4f8704158 gpu
      4⤵
      PID:1456
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.1.691582568\1710753309" -parentBuildID 20221007134813 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 21487 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fdb1279-29cb-4dcc-aa8c-947bd68b014e} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 2400 1a4f7406858 socket
      4⤵
      PID:5080
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.2.2117444009\1548550972" -childID 1 -isForBrowser -prefsHandle 3152 -prefMapHandle 3148 -prefsLen 21590 -prefMapSize 233414 -jsInitHandle 1156 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99241278-4264-4c4c-b4e0-4724bb676265} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 3132 1a4fb5dae58 tab
      4⤵
      PID:4240
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.3.1066427201\1114940062" -childID 2 -isForBrowser -prefsHandle 3556 -prefMapHandle 3548 -prefsLen 25988 -prefMapSize 233414 -jsInitHandle 1156 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48199133-06a7-4a98-979f-21c9477de642} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 3568 1a4f9cd7e58 tab
      4⤵
      PID:2596
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.6.1940080935\467351027" -childID 5 -isForBrowser -prefsHandle 5420 -prefMapHandle 5424 -prefsLen 26222 -prefMapSize 233414 -jsInitHandle 1156 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ade35d3-d6c0-4ea4-9aae-4e880a6d3572} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 5412 1a4fd60df58 tab
      4⤵
      PID:4328
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.5.1416326121\623717641" -childID 4 -isForBrowser -prefsHandle 5228 -prefMapHandle 5232 -prefsLen 26222 -prefMapSize 233414 -jsInitHandle 1156 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7214aee-ec59-4b09-ae0a-1ebb83e74c79} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 5220 1a4fd60ca58 tab
      4⤵
      PID:3276
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.4.91303877\1892865858" -childID 3 -isForBrowser -prefsHandle 5088 -prefMapHandle 5076 -prefsLen 26222 -prefMapSize 233414 -jsInitHandle 1156 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d77d669f-f4ad-4095-a669-167758b9ab17} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 5104 1a4f9cfc458 tab
      4⤵
      PID:4852

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5452
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\YourOnlyMoveIsHUSTLE.pck"
  2⤵
  PID:5532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\YourOnlyMoveIsHUSTLE.pck
    3⤵
    - Checks processor information in registry
    PID:5548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e71d66ce903fcba6050e4b99b624fa7

SHA1
139d274762405b422eab698da8cc85f405922de5

SHA256
53b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3

SHA512
17e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7f917a6b412373811b97a18f5d7ea7e1

SHA1
7d1154da0aff44084b81860fd215c8ae46b94b51

SHA256
9af13f4247feb76547fa99f576b0601bc32c92890e3453e4b25b116f33c07de7

SHA512
de50e570cfa7485a070009234fc62f4f52213c3bd27b44c9dacfdeb0d71f80cd474e2c02ad1adb205611cf2a14236a6625f05609303897bce348a2907cc524f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c3c60c1136dc1834135eef0e9e1eaddf

SHA1
56d08e52f1489da873fb582eb69bf898f1452b81

SHA256
db99fd5d3cc906a7952554710bfe6556e32f6df5093bb2c9eaff27b0e5640818

SHA512
36e48ac1da434b6d517aebf549da7e2214579be0b6803c040f6f4ca2820c67a7574918efdbe1aa6a11ef8424429f278b4c9f5e7b1c9452af2e1caa2f0f1f4987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1b1b142e24215f033793d1311e24f6e6

SHA1
74e23cffbf03f3f0c430e6f4481e740c55a48587

SHA256
3dca3ec65d1f4109c6b66a1a47b2477afaf8d15306a523f297283da0eccbe8b1

SHA512
a569385710e3a0dc0d6366476c457927a847a2b2298c839e423c485f7dcce2468a58d20133f6dc81913056fb579957e67f63cf1e20b910d61816210447cd1f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f31b5f08743680905b62b1ac9794b6d0

SHA1
64378b0ef39d9ec651d6316147f56d78a1bd8d24

SHA256
ff3f592c66cd6ac415b9630830953fcd0c7c8e761e4c40953af2eee7f218cbd9

SHA512
8ec25efc0069a57663b187d601063f2a5f57fa197651f0dc1f44440cf0dbda5b0a208bfefa216f41669c31cf0c252d2f56e3248f4c704c776cb56a668993adfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9dc0bcf5a02bb2ebd9b38dec4d42c607

SHA1
df8dfe0225efd67eac505b7f8a099d83afe97373

SHA256
e2939e1fd4a3be409ed9fcc69b7afae48bfb3107fbddcd7e9796393875c02549

SHA512
edee2343bac7439a7aff80a1f839a93d1b3a8f5e3d7e6c78be816d2fa31a35b8f7ecfba35ae0b4c1a05eb881f51684d42e0c5463baa246f21f9b8a98615411fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
e690e7788271c8a60de7648472a749bb

SHA1
62ea62cbc7932f664bdfd2eb06b1bfba6116bba8

SHA256
b241c925b34e70a2aa01642a79ed1b4f019c0bdf15225a848dee36d6420457d2

SHA512
3f1dccfaf4f65347a93f002c6c21c854cbd7cb47bc32e4ddcb29f83e7535c054a6ed9c49a82c146712a01676357ce979e57bc201348f193cb851c6dc2be37670

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\datareporting\glean\pending_pings\96405e96-8ecb-46a8-98a0-6401ccdf0f3c

Filesize
746B

MD5
acc3ea662ec0157cca148dc5091a2430

SHA1
6e3f74556d0e441468e6ae01f832b6ee751f84c2

SHA256
8daf5ae61acc7ac7bb41e782945db2ca6d6003190e921e5b358f2164b6b083ac

SHA512
cd53e74123b7b944c6603cbfe6893c960c8f9dae6f9b74ab2909936f1c3658ff168c36d91eba8efa80956beec2531d8c043e2b9f9cfefb0c3ba393a16b3fedc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\datareporting\glean\pending_pings\dd62732d-6eb8-4218-a2e8-94dfe0874e67

Filesize
10KB

MD5
2ad6fd6a1d3ac63ba348819767f2b385

SHA1
18d0719341d7bb3dd528674189702a20711a6ca1

SHA256
baeb211df01caeb29838d48c70a41789fb5021b642a3927e1e94a7a15cd64145

SHA512
43b5871e3cc89a1f3afd893498cc3b6e465533cdee463947701ccc752cddf21161508cd7d69cec0c289c439f6cb0a7655b3908e08df92f910f131e57d25bc5a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\prefs-1.js

Filesize
6KB

MD5
525ef94806cfa078d38ab4159cf69806

SHA1
2ff13558f307a68302ca5edbc9ac18a0d57659d7

SHA256
ed6c7d8a516fc622003c10e76436cfe431d63b670eb57e52ffd8a553f7c113dd

SHA512
67dc4e526f48f74d8b05121cb5c4c4fcafb1ff1740ae8a287e7c6abc75fb12f5f4f90f209ef82493ed1cd1bed212dccf02f54e3829c778b7216813d858d534c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\prefs.js

Filesize
5KB

MD5
a13e018d71f29ecc4f25c207e3a6ed7c

SHA1
46e9912b3c925058be650bf824265427d4330bf0

SHA256
437ac0d931587ea9eb40d5c0fcddf9064feca53a89cc70a3796e4f5ca8cf2422

SHA512
fbaee5fbc3178af044d46994ed4a24c6cffdbef8b1a395030185012961bae3299183677309cf20fa746bb51e2346f018052d0e22c8a03b376ae42af445cbd5ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
66de97e55fa0193466ed1b65e2235123

SHA1
74e7121ede753095ac92fd5ea52943004cf0d2b9

SHA256
139ea65623c980496ba0acbc7ed932560aa7ec5d34acee6849b9aad049c3758d

SHA512
df5ed231cfa67f43b5c58844aa68ecd2a5e41df8d768a9f959d1e5c2d3aa97b6ebc5a1d55b8be3e7419e68d7d0d5082e54733dc433f49b5572c2a97176cbd1cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
994B

MD5
b2778ff84dc9a7c9a322d9568821fdad

SHA1
e447d2ed0735d4b296f8e3b07a6b26b60634fed8

SHA256
156559748f88ab559896af2de95800e71d5f86b3663cae278fdda39bb86d1f86

SHA512
21b8bc37ea9b6e2376657df34e4e4a3df682de737c963f913cb2cec32538ecb76baf8df75f042488bd83e5da68abf2f6ee7401cd040d2cda9e35014b52351d79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
ef0aee5dc7b0e46951da630880fa34dd

SHA1
eaa56ccffe065c8fc258172e24b36221cc02f9e3

SHA256
bc974493a02893f30f37da1e993996d85321a0702b9fac67567434f3cd6b230c

SHA512
0cd1488155d66f4e258192a1c21933ecb52eabce34df30000029f459d6f54e135fa019c83464a134b7adf2dc097240fde2095ffba4f80378459b4f0a34cbf9b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
d45112043b8107bbf1f8dc6da1a51a67

SHA1
08a23d281107ec94713d3b40b4266e98685a0086

SHA256
58064f9b3273d5de6bd15163dac6a09fc10d6818f40f875eb33da4d4a39f1375

SHA512
b254f39751cd31730b241cf2372a90538043cd0724723a2ae0d32aa70f211e56ac42cc5c1d81341bbeb1ee0329f6010774dcb3c8dd1351e05693a29a124e322c

Download Submit
C:\Users\Admin\Downloads\SwtYciLs.pck.part

Filesize
16.8MB

MD5
067b9b39314e90095514f7981e25b7ff

SHA1
3f0ad9f4065c10e66c9d38a17bb357534b7eaa4f

SHA256
d9f01abd1f4eb9a0a64514b970708613ba5423f7e5365d08d4ce7d7bbf2b9109

SHA512
07f65c080481f2ff986712bfc5961eaa1c80f9431aa6de45d88cbde54f89cad265b7675d425690e6452343369c9e1ddd37c5a00457107d3df4b557c66af73da7

Download Submit