lumma | c073f7342adeff3ddc1335e76377d8042daf667f4f677e037c0a97157d469524

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 21:32

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

collapse.space.zip
Size

46.9MB
MD5

d3aef4cc6b720226773cf5780cc16bee
SHA1

4f7ffca4353d2eb214d7c34b6722f545864263a3
SHA256

c073f7342adeff3ddc1335e76377d8042daf667f4f677e037c0a97157d469524
SHA512

3981c757e9a7c470c70af5acc55d9fd9201ee70eb9eb98c1fe6e896dfc3a1a96633bb8e4c49f78668e3e5f48e2b24d468b475d783ae3a01f738359536ec78e84
SSDEEP

786432:s4vnw0phQU2sIi5N4ks6DW+npKpHqARNOYVqcP2JZfCs+CdjJcCGznFc01WtZ:znZMsc+DDpKKA3OpcOnzjHGzFk/

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cultureddirtys.click/api

https://suggestyuoz.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 4 IoCs

pid	Process
4600	Collapse.exe
4920	Collapse.exe
4212	Collapse.exe
2568	Collapse.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4600 set thread context of 4920	4600	Collapse.exe	129
PID 4212 set thread context of 2568	4212	Collapse.exe	140

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4752	4600	WerFault.exe	128
3696	4212	WerFault.exe	139

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Collapse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Collapse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Collapse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Collapse.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "234"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133819688337647415"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3320	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
3712	chrome.exe
3712	chrome.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
1624	chrome.exe
1624	chrome.exe
3592	taskmgr.exe
1624	chrome.exe
1624	chrome.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3708	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3708	7zFM.exe
Token: 35	3708	7zFM.exe
Token: SeSecurityPrivilege	3708	7zFM.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3708	7zFM.exe
3708	7zFM.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
8	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 3720	3712	chrome.exe	95
PID 3712 wrote to memory of 3720	3712	chrome.exe	95
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4360	3712	chrome.exe	96
PID 3712 wrote to memory of 4216	3712	chrome.exe	97
PID 3712 wrote to memory of 4216	3712	chrome.exe	97
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98
PID 3712 wrote to memory of 3228	3712	chrome.exe	98

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\collapse.space.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb4221cc40,0x7ffb4221cc4c,0x7ffb4221cc58
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,9699822178055818498,8184676264893413789,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1804 /prefetch:2
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1996,i,9699822178055818498,8184676264893413789,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2052 /prefetch:3
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1824,i,9699822178055818498,8184676264893413789,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2372 /prefetch:8
  2⤵
  PID:3228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,9699822178055818498,8184676264893413789,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3324,i,9699822178055818498,8184676264893413789,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4592,i,9699822178055818498,8184676264893413789,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4888,i,9699822178055818498,8184676264893413789,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5032,i,9699822178055818498,8184676264893413789,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5100,i,9699822178055818498,8184676264893413789,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5196,i,9699822178055818498,8184676264893413789,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5104,i,9699822178055818498,8184676264893413789,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,9699822178055818498,8184676264893413789,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5232,i,9699822178055818498,8184676264893413789,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5384 /prefetch:2
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5092,i,9699822178055818498,8184676264893413789,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4544,i,9699822178055818498,8184676264893413789,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4472,i,9699822178055818498,8184676264893413789,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3312,i,9699822178055818498,8184676264893413789,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5632,i,9699822178055818498,8184676264893413789,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4560,i,9699822178055818498,8184676264893413789,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=864 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1624

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2284

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\collapse.space\config.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3320

C:\Users\Admin\Desktop\collapse.space\Collapse.exe
"C:\Users\Admin\Desktop\collapse.space\Collapse.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4600
- C:\Users\Admin\Desktop\collapse.space\Collapse.exe
  "C:\Users\Admin\Desktop\collapse.space\Collapse.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 832
  2⤵
  - Program crash
  PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4600 -ip 4600
1⤵
PID:4764

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3592

C:\Users\Admin\Desktop\collapse.space\Collapse.exe
"C:\Users\Admin\Desktop\collapse.space\Collapse.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4212
- C:\Users\Admin\Desktop\collapse.space\Collapse.exe
  "C:\Users\Admin\Desktop\collapse.space\Collapse.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 796
  2⤵
  - Program crash
  PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4212 -ip 4212
1⤵
PID:3560

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38b3055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\03f356cb-299a-4350-b2bd-089e7e86cedf.tmp

Filesize
9KB

MD5
caa81b3e946622dedf4b5df86a04b762

SHA1
930d7d31af95abf712c86ade71472e3de8a8951f

SHA256
37ffa14099041e025c9c58d8395de1658deec75d61235724d05616976a53c1bc

SHA512
5761736146ba025f966b2ee7df49961f62a10e5b567d3d889514c8c98bf5b49af1badda77b48b111aabda2997073cf5e5db34ddb1313f798ae9b22ee9883fd04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
51c2d091a82ef88fa9112da99c67a38c

SHA1
1bb3e44b54572887f2f20a711a59896548190c4d

SHA256
8daf7934fa2fe53fe7ce0d41247da2a889e4ee527774190f55eb331c95044f5a

SHA512
1a4f2034a685c8e968e47ee8e55d3d827fb7d796b9da566a5cd4394d9c6994e466f0c179728da254b46898d03e3cbd92b36a98ebb3fcb49672a3a0cec296217d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
314c7edf43e0fc4155b8748174690bd2

SHA1
53df2f151c8cdc6b77011883681741246d6d93db

SHA256
406282d7ea671096f70b369f0e3aae7a60b9c334d4cac233f21da2bf67aae6db

SHA512
6613dd3e872dcee7a2dec63a3b31d2fe1218c0215adf1860e5427a6d7dbac6cb7fcbf4b31a7627f9d46c63a5c1a72ee07ec6b4209bb2709536527581cfc1ed53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
a609610efd3e1badee76df65a84d5f56

SHA1
5ef869b4a077610bd847d908a0bf1d9706b293e7

SHA256
39e2ffc3642d11087c4a8a062605efb60a341e7eeb005ff178b64f554aebb28a

SHA512
25da8c91632c5ae640ad6c42c00e6a5529e093cda4c2d1569df8d50f5a52fd4b266cba566df06ec0ac5be2f1863b5f90b7f0e3cb26a65e9ea0b55b52d726c0fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
4ddcd7d7c7625ab2b0b4043d8a43066c

SHA1
f35f26c7d198f6f55454c0cafc2a237e93803d85

SHA256
8dfa8c62bce275f5d0a241176f38ebcf5149ef76a2f759ce0759f38b83ad3388

SHA512
b6ee19174e70f85c8eea0ad242b33d0da04bdeeb5b970c8559455023165bef2d6584fb78efbe3fabce2ee89f0f2d9726ed027cf1480caa548b70ab6c44e64bc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
5e74050292310785625ad9a0541e09bc

SHA1
58f1b9c44bf7ae6f46eb4e20947851619364c11b

SHA256
ca2c76446064cee42c9602320a83e71e381392622e308a3b58763a03d82773be

SHA512
1facb19d02e56ce421cdff299aaf4c94773abc1a2e9d1b34610dca505d270d3b08d6aad0c99ecce9b64c2de61891cb1454c0249946a01eb4102598625996daec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7fb784126641ffd801c66c457e71bdb8

SHA1
b6f1af10e1917cc41f4ea3f854c5e9ba8855799f

SHA256
6937f45b1851d1c3001356f0092e318900b935b28e333916d8dad8bce9632403

SHA512
b81d3e2074c654e77a82798f111524f863e15ac4885fe790896396f5f39e70b8bf7295bb3633ca776613cc7d5c6c1f69166b3d65b1a40dc1d2374075a7d6a287

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\fb4f22e2-f636-490f-ace0-f66083b69d24.tmp

Filesize
523B

MD5
19bbf9ada3cce970c791e1b1d87fa77b

SHA1
e8b25fedf4c44271ced862850816c716328b3673

SHA256
25c93d9734b5f737d0fa685b799dbca44aea42cede404262dd1ce7d58bf4b6f9

SHA512
193f22b766c1a0465b8b763bfc0eb06af84236d64ac389e3208c5bdef2bc04b833ae42e9c9d075c3e3ca55b78e0b24e1323a9c3cd0536c5f78a43f8138169191

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8105322313dde341402a80a457ae28da

SHA1
7bc37ebece146178ec65a7f0da78c1c24acc9bbe

SHA256
bd6d722cddf2120413e93ddaada19056ee70445d4bfe6643861a736967c666c0

SHA512
55dacbc6b697bb8f448544d8377ad50ac593cac16e7a4da0ecdcd339dcb94851202180f98aea8e951bef56cc5f46178d4b9c29bf6e4e7c03235a28851297ec02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
693ab62dcf5052be1d384122b009a43a

SHA1
8ec5b720a756ff80c43f73eef18f575e088c69ef

SHA256
d9bfbebc727d72d035b880b17c46381d71ed00b1e1f110fb1d9cb353dc8bb654

SHA512
3f4306eec2915f59fc1fb7a320db1b383cd2eda5e37914a34a99d2dd203465b673207aa0495eee52ebe3650750c1760ba39d826127cf9c452a0c594fd1e90ebb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
996a257937ee967be6a4ec0ec66993a1

SHA1
c5c1b83ff54eec9dab3518d40df9ef29a3488168

SHA256
c4c8681789b937028ac770d17cb9e4f0c3c6bf360cfb75d19012ddee248e2699

SHA512
8d920863eaa2f9ad67fb62cb69c6bf3fa423f3f2e8eac3a056ca8be5ceb4708d4ec554524c8bec9cdb4a3915ab8bc8568201e620331f62af7ac198077de8433d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4e3d268bd299fbcefec731df178cc182

SHA1
04b11937dfa1ab0efc631dae6fda6f1b698ce2fa

SHA256
aab9e1930bbcf471391c317e22323e813da09e7ce46aba1d6b2eb221273f8e16

SHA512
72ace0e31199428a840bf4b2542ceb08c264bdaba0379b8283cbc7e1be68942c663527da6164534c68b51f45c92ed07d8a112b1795301e5aa617dc7f90b87654

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d0bd28e46dbf785134c3f1c2162b2b32

SHA1
af6e36c03cfd0acbf1f81aa65111bb50d507d02c

SHA256
0fcf9e99953bbf5604ffb33a1b4f15051f3ec337a8f536d6dbd2bfbe3d475c67

SHA512
7e620fd102e9213c7aea333d108167abeb770c325e56a335bf9dbbd48a4d2a56a837212e78eae2614b995a695d76b7a82c9657b5e1f5b4b01e24e2b3b1038a01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bd8068249c0beb12e78b89fcc895c945

SHA1
18d2989e97fec87fc857902e59b9bfe5251782f7

SHA256
a84faa7015c4d2492e2043d93c41b884aec2831a2fb85773c4785478a689f84d

SHA512
5312e7c2f3928fd36d7bebabbd8c1fed25b25214425e9ee1007eab522aea337ef61431a9484c2ed3997d3d54cc4b88584ad5b68314aad38c7f9c0e23b60d7507

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4305a947b8c0ff13ff9411866fa2d111

SHA1
b77a9705f3d9fcdc10429a611986b6311c67ca35

SHA256
d0d18d1aba8f0f66fd1d051270b99484a7c5aa95c8002ff4f19c0849930edbfe

SHA512
227a0bc5aafa24a71331bace9bce3ba6c2d67e90ad5e98b5c6befd9302a6892caefaacfd6dc00e0d02f183e8e72c3a4a3cb150cf5e7afca31f115ef57078b337

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dd71f76a71b15b7ee416099a1bad69ca

SHA1
dd3de733e65d7fa6769bb51f5aac63198e643c02

SHA256
9c57127edc70dde018ce7c4f0c77cbf5df9d5c6e38bb0c597fffff80e6771192

SHA512
ac73416c0a4e0f5959a5c0da6efbc2efabd7dcadca530d589f7236093dde0f04fa031efc63641f8b417173cc24abc702afa1696b62758a51c7da1592691447be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3d5e5a406ee65936fa009f183413ceb9

SHA1
088c3d9bd6294aa43f9d91ecf80ff32469bfe754

SHA256
fd9b8818c705aa8e469bf2a9b71629c86dbceefcdd27e0e4524d6bfcd2414e0a

SHA512
0e3c4563b5dde8c7608e5c8f8f8786bf5a3184a357bff2d5d136cdfac4866b1499876b853e6698840482e13e65c6af93a16e60e6c4a2bd8bb6983f845b6c7c8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index

Filesize
72B

MD5
0b767d19dd2ec462da29ec292bbe15db

SHA1
a2d51ac475bdb2c142cdff65cc002542a43a4842

SHA256
13563897061e7cc9c9ed8ef6cf8c02a0619acc5b8e35cc395fd621c49fc96d16

SHA512
bcba17aa3cd2b6f7db11def1b98d82d760eee7a0694829761ef400b5118423f2584b4d1241256c1001239194c9531ad033e69e6a55420b336fc29b4573e6ce4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
75e3e7663ab3049e72147c24047beb22

SHA1
f5121ccb8c657ea54bfa6e28f7e733c9895fd8c8

SHA256
fd5fdcbfefe1b66e5e0530304aed481799c19b599d0e110a90d821dc7e7d51c3

SHA512
f67913d1a321c3a4eff83e389ede3e0db18b32defabc4f398cc215e641c1b3b6de7f5c1ae222626f68bf15e072d5a65c2e129fca8d67de0e01b1ab265954d57f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
f80165e7a373c2d6382df74ecb084da9

SHA1
294daba7073ec713198bb7e1f8e05564bf61a266

SHA256
f6646b4a5bd93ec7dd49cf5bbdb0e4978b3510d9050f926d945290a92471eb7f

SHA512
76f2cb7c52dda3fd18e3fa65d7061563827fea70b4d3a7100cb256c4955c8ba253b70b03892402d1b59c352b2c429ca41c626b3a00f12254bb42444c31debd34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
da474f37e3d6dd6890bc23276b4d5ba5

SHA1
41317e97876bba3b40726d7d802d374382bc2ce7

SHA256
86084b1a374ba37d49c3774fa451f3c129d652cb241415176b00ef635403279e

SHA512
dde9201778f9546ede32e17615e5f9d750886518851925cc25e7564ba51f2f2743095773f8efc9c41f5d55e32a29f342785c89169170e881b6acd4dcfe1cf5d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zEC7EC60B7\collapse.space\library\.tests\isfile.txt

Filesize
7B

MD5
260ca9dd8a4577fc00b7bd5810298076

SHA1
53a5687cb26dc41f2ab4033e97e13adefd3740d6

SHA256
aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27

SHA512
51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3712_1083982157\31ac2433-ba0d-4121-bece-aef5a46f3378.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3712_1083982157\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\Desktop\collapse.space\Collapse.exe

Filesize
386KB

MD5
3b24c481f799b84147299cef78812b39

SHA1
4f5063a450ba4278cc902514492174f4db2e33c7

SHA256
c57180301e465b4fa8cd1cce7de6ff2dbeafbf30ded68c4b099663b799c7304c

SHA512
6fc93e04b31f5b56b84579481078a560e4fa0842b2e794054eebca6e5bcd0b7c40bcaa1cfa6622030c90346b91495cd468adb3c0f80efac127823184c5cc8be5

Download Submit
memory/3592-762-0x000002C5883C0000-0x000002C5883C1000-memory.dmp

Filesize
4KB

Download
memory/3592-751-0x000002C5883C0000-0x000002C5883C1000-memory.dmp

Filesize
4KB

Download
memory/3592-761-0x000002C5883C0000-0x000002C5883C1000-memory.dmp

Filesize
4KB

Download
memory/3592-760-0x000002C5883C0000-0x000002C5883C1000-memory.dmp

Filesize
4KB

Download
memory/3592-759-0x000002C5883C0000-0x000002C5883C1000-memory.dmp

Filesize
4KB

Download
memory/3592-758-0x000002C5883C0000-0x000002C5883C1000-memory.dmp

Filesize
4KB

Download
memory/3592-757-0x000002C5883C0000-0x000002C5883C1000-memory.dmp

Filesize
4KB

Download
memory/3592-756-0x000002C5883C0000-0x000002C5883C1000-memory.dmp

Filesize
4KB

Download
memory/3592-752-0x000002C5883C0000-0x000002C5883C1000-memory.dmp

Filesize
4KB

Download
memory/3592-750-0x000002C5883C0000-0x000002C5883C1000-memory.dmp

Filesize
4KB

Download
memory/4600-731-0x0000000005D20000-0x00000000062C4000-memory.dmp

Filesize
5.6MB

Download
memory/4600-730-0x0000000000F50000-0x0000000000FB4000-memory.dmp

Filesize
400KB

Download
memory/4920-735-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4920-733-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads