RedEngine.bin.zip

General
    Target      RedEngine.bin.exe
    Filesize    2MB
    Completed   21-07-2021 18:55
    Score       9/10
    MD5         9b3ebaad1daa140c57f78c859a720587
    SHA1        36385354189232f1fec5dc1fdd5d289eab2b347e
    SHA256      0e33e8f48d6bce6744e2467b195283ae899a8b59ea2f027f9062e8cc090222b0

Signatures 11 (tactics covered: Collection, Credential Access, Defense Evasion, Discovery)

  • NirSoft WebBrowserPassView

    Description

    Password recovery tool for various web browsers. The YARA rule fires on dropped files and on a region of PID 1052's memory (the parent carries the tool as an embedded resource), and the process tree below shows the dropped resourcefilehaha.exe being run with /stext, NirSoft's switch for saving results to a plain-text file, so the tool is being used as the credential-dumping component of this sample rather than as a legitimate recovery utility.

    Reported IOCs

    resource                                                                      yara_rule
    behavioral1/memory/1052-62-0x0000000000D20000-0x0000000000DB1000-memory.dmp   WebBrowserPassView
    behavioral1/files/0x00050000000130e2-71.dat                                   WebBrowserPassView
    behavioral1/files/0x00050000000130e2-72.dat                                   WebBrowserPassView
    behavioral1/files/0x00050000000130e2-74.dat                                   WebBrowserPassView
    behavioral1/files/0x00040000000130e9-100.dat                                  WebBrowserPassView
    behavioral1/files/0x00040000000130e9-101.dat                                  WebBrowserPassView
    behavioral1/files/0x00040000000130e9-103.dat                                  WebBrowserPassView
    behavioral1/files/0x00040000000130e9-105.dat                                  WebBrowserPassView
  • Nirsoft

    Reported IOCs (the generic NirSoft rule matches the same resources as the WebBrowserPassView rule above)

    resource                                                                      yara_rule
    behavioral1/memory/1052-62-0x0000000000D20000-0x0000000000DB1000-memory.dmp   Nirsoft
    behavioral1/files/0x00050000000130e2-71.dat                                   Nirsoft
    behavioral1/files/0x00050000000130e2-72.dat                                   Nirsoft
    behavioral1/files/0x00050000000130e2-74.dat                                   Nirsoft
    behavioral1/files/0x00040000000130e9-100.dat                                  Nirsoft
    behavioral1/files/0x00040000000130e9-101.dat                                  Nirsoft
    behavioral1/files/0x00040000000130e9-103.dat                                  Nirsoft
    behavioral1/files/0x00040000000130e9-105.dat                                  Nirsoft
  • Executes dropped EXE
    Processes: resourcefilehaha.exe, red.exe, RedEngine.exe.exe, resourcefilehaha.exe

    Reported IOCs

    pid     process
    928     resourcefilehaha.exe
    1928    red.exe
    1376    RedEngine.exe.exe
    828     resourcefilehaha.exe
  • VMProtect packed file

    Description

    Detects executables packed with VMProtect commercial packer. The rule matches memory of both the original sample (PID 1052) and the dropped red.exe (PID 1928) as well as a dropped file, so the packer wraps the dropper chain rather than the NirSoft tool it carries.

    Reported IOCs

    resource                                                                      yara_rule
    behavioral1/memory/1052-59-0x0000000000DC0000-0x0000000000DC1000-memory.dmp   vmprotect
    behavioral1/files/0x000b0000000130e2-78.dat                                   vmprotect
    behavioral1/files/0x000b0000000130e2-80.dat                                   vmprotect
    behavioral1/files/0x000b0000000130e2-81.dat                                   vmprotect
    behavioral1/memory/1928-82-0x0000000000F20000-0x0000000000F21000-memory.dmp   vmprotect
  • Loads dropped DLL
    Processes: RedEngine.bin.exe, red.exe

    Reported IOCs (one row per load event in the original; collapsed here with counts)

    pid     process              load events
    1052    RedEngine.bin.exe    4
    1928    red.exe              2
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc. In this run the reads come from the dropped NirSoft tool, and its output file is the C:\Users\Admin\AppData\Local\Temp\credentialslmao.txt named on the resourcefilehaha.exe command line in the process tree.

    TTPs

    Data from Local System; Credentials in Files
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but nothing else in this report (no mass file writes, no ransom note, no encryption-related signatures) supports that reading; enumerating drives is also routine for stealers and installers, so treat it as a weak signal here.

    TTPs

    System Information Discovery
  • Modifies system certificate store
    Processes: RedEngine.bin.exe, red.exe

    TTPs

    Install Root Certificate; Modify Registry

    Note: both processes write the same key under SystemCertificates\AuthRoot, and the key name D1EB23A46D17D68FD92564C2F1F1601764D8E349 is the SHA-1 thumbprint of the certificate carried in the Blob value. The DER inside the red.exe Blob below contains the issuer/subject strings "Comodo CA Limited" and "AAA Certificate Services" (GB, Greater Manchester, Salford) with a 2004-01-01 to 2028-12-31 validity period, i.e. a long-standing public root. AuthRoot is the store in which Windows caches roots it fetches through Automatic Root Certificate Update while building a chain, typically because the process made a TLS connection or verified a signature that chains to that root. The event is therefore consistent with crypt32 caching a well-known root on the process's behalf, not with the sample installing an attacker-controlled root into the ROOT store; the "Install Root Certificate" mapping is overstated for this sample unless a write to SystemCertificates\ROOT with an unknown thumbprint also appears.

    Reported IOCs

    description         ioc                                                                                                                 process
    Key created         \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349        RedEngine.bin.exe
    Set value (data)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (hex value elided in the source)   RedEngine.bin.exe
    Set value (data)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (hex value elided in the source)   RedEngine.bin.exe
    Key created         \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349        red.exe
    Set value (data)    (red.exe; the full Blob hex follows on the next two lines, which run together and end with the process name)
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6
356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986ered.exe
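The Blob value above is the serialized certificate-context property list that crypt32 keeps in the registry: repeated records of {property id (u32 LE), reserved u32 (always 1), data length (u32 LE), data}, where property 32 (CERT_CERT_PROP_ID) holds the DER certificate whose SHA-1 is the key name. The following is an added example, not code from the report, the sandbox or the sample, that parses that layout. It embeds the first 300-odd bytes of the red.exe Blob copied from the hex above and stops a few bytes into the final property (the 1078-byte DER certificate), so the SHA-1 recomputation over the DER is implemented but reports "truncated" on this input; the property-id names are taken from wincrypt.h, and the EKU decoder assumes short-form DER lengths, which holds for this blob.

```python
"""Parse a SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob registry value.

Added example for this report; not code from the sample or the sandbox.
Record layout: property id (u32 LE), reserved (u32 LE, always 1), data length
(u32 LE), data. Property 32 carries the DER certificate.
"""
import hashlib
import struct

# Property ids from wincrypt.h (only the ones present in this blob).
PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID",
    4: "CERT_MD5_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID",
    11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",
    83: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
}

KEY_THUMBPRINT = "D1EB23A46D17D68FD92564C2F1F1601764D8E349"  # registry key name from the report

# Prefix of the red.exe Blob, copied from the report; deliberately cut a few bytes
# into the last property (the 1078-byte DER certificate) to keep the example short.
BLOB_PREFIX_HEX = (
    "040000000100000010000000497904b0eb8719ac47b0bc11519b74d0"
    "0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286"
    "090000000100000034000000"
    "303206082b0601050507030106082b0601050507030206082b06010505070304"
    "06082b0601050507030306082b06010505070308"
    "530000000100000026000000"
    "30243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0"
    "0b0000000100000018000000"
    "4300b7004f00b7004d00b7004f00b7004400b7004f000000"
    "140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b4"
    "1d00000001000000100000002e0d6875874a44c820912e85e964cfdb"
    "030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349"
    "1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2"
    "200000000100000036040000308204323082031a"
)


def parse_cert_blob(blob: bytes) -> list:
    """Walk the property records; a record whose data runs past the end is flagged truncated."""
    props, off = [], 0
    while off + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        data = blob[off:off + length]
        props.append({"id": prop_id, "name": PROP_NAMES.get(prop_id, f"PROP_{prop_id}"),
                      "reserved": reserved, "declared_len": length, "data": data,
                      "truncated": len(data) < length})
        off += length
    return props


def prop(props: list, prop_id: int):
    return next((p for p in props if p["id"] == prop_id), None)


def thumbprint(props: list) -> str:
    """SHA-1 property (id 3); for a well-formed entry it equals the registry key name."""
    return prop(props, 3)["data"].hex().upper()


def friendly_name(props: list) -> str:
    """Property 11 is a NUL-terminated UTF-16LE string."""
    return prop(props, 11)["data"].decode("utf-16-le").rstrip("\x00")


def decode_oid(body: bytes) -> str:
    """Dotted form of a DER OBJECT IDENTIFIER body (first byte packs the first two arcs)."""
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def eku_oids(props: list) -> list:
    """Decode property 9, a DER SEQUENCE OF OBJECT IDENTIFIER (short-form lengths only)."""
    data = prop(props, 9)["data"]
    if data[0] != 0x30 or data[1] >= 0x80:
        raise ValueError("unexpected EKU encoding")
    oids, off, end = [], 2, 2 + data[1]
    while off < end:
        tag, ln = data[off], data[off + 1]
        if tag == 0x06:
            oids.append(decode_oid(data[off + 2:off + 2 + ln]))
        off += 2 + ln
    return oids


def der_sha1_matches_key(props: list, key_thumbprint: str = KEY_THUMBPRINT):
    """True/False when the whole DER is present; None when property 32 is missing or truncated."""
    p = prop(props, 32)
    if p is None or p["truncated"]:
        return None
    return hashlib.sha1(p["data"]).hexdigest().upper() == key_thumbprint.upper()


if __name__ == "__main__":
    props = parse_cert_blob(bytes.fromhex(BLOB_PREFIX_HEX))
    for p in props:
        print(f"{p['id']:>3} {p['name']:<42} len={p['declared_len']:<5} truncated={p['truncated']}")
    print("thumbprint property == key name:", thumbprint(props) == KEY_THUMBPRINT)
    print("friendly name:", friendly_name(props))
    print("EKU OIDs:", eku_oids(props))
    print("DER SHA-1 check:", der_sha1_matches_key(props))
```

On a live host the same value can be pulled with `reg query "HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\<thumbprint>" /v Blob` and fed to `parse_cert_blob` after hex-decoding; with the complete Blob, `der_sha1_matches_key` returns True for a genuine cache entry, and a False tells you the key name and the certificate disagree, which is worth a closer look.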
  • Suspicious behavior: EnumeratesProcesses
    Processes: resourcefilehaha.exe, resourcefilehaha.exe

    Reported IOCs

    pid     process                 events
    928     resourcefilehaha.exe    1
    828     resourcefilehaha.exe    2
  • Suspicious use of AdjustPrivilegeToken
    Processes: RedEngine.bin.exe, red.exe

    Both droppers enable SeDebugPrivilege, the privilege needed to open other processes with full access; on its own it is only a precursor, and the WriteProcessMemory events below show the writes staying within each process's own children.

    Reported IOCs

    description                 pid     process
    Token: SeDebugPrivilege     1052    RedEngine.bin.exe
    Token: SeDebugPrivilege     1928    red.exe
  • Suspicious use of WriteProcessMemory
    Processes: RedEngine.bin.exe, red.exe

    Every target is a child the writing process had just created (compare the process tree below) and no pre-existing process is written to; four writes into each freshly spawned child is the shape ordinary process creation leaves in this sandbox, so these rows are not by themselves evidence of code injection.

    Reported IOCs (the original lists each row four times; collapsed here with counts)

    description                             pid     process             target process          writes
    PID 1052 wrote to memory of 928         1052    RedEngine.bin.exe   resourcefilehaha.exe    4
    PID 1052 wrote to memory of 1928        1052    RedEngine.bin.exe   red.exe                 4
    PID 1052 wrote to memory of 1376        1052    RedEngine.bin.exe   RedEngine.exe.exe       4
    PID 1928 wrote to memory of 828         1928    red.exe             resourcefilehaha.exe    4
Processes 5
  • C:\Users\Admin\AppData\Local\Temp\RedEngine.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\RedEngine.bin.exe"
    Loads dropped DLL
    Modifies system certificate store
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe
      "C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe" /C /stext C:\Users\Admin\AppData\Local\Temp\credentialslmao.txt
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:928
    • C:\Users\Admin\AppData\Local\Temp\red.exe
      "C:\Users\Admin\AppData\Local\Temp\red.exe"
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe
        "C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe" /C /stext C:\Users\Admin\AppData\Local\Temp\credentialslmao.txt
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        PID:828
    • C:\Users\Admin\AppData\Local\Temp\RedEngine.exe.exe
      "C:\Users\Admin\AppData\Local\Temp\RedEngine.exe.exe"
      Executes dropped EXE
      PID:1376
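The tree above is the shape a detection should key on: an executable in a user-writable Temp directory launched by another Temp executable, with a NirSoft save-to-file switch (/stext) and an output name that says what is being harvested. The following is an added example, not the sandbox's or the sample's code, that scores process-creation events for that pattern. The events are constructed from this report's process tree (PIDs, images and command lines as listed; parent PIDs follow the nesting) plus an assumed explorer.exe parent (PID 1400) and a benign notepad.exe control; real input would be Sysmon Event ID 1 or Security 4688 records carrying the same fields.

```python
"""Score process-creation events for the dropped-NirSoft credential-dump pattern.

Added example; not code from the sandbox or the sample. EVENTS is constructed
from the report's process tree; explorer.exe (PID 1400) and notepad.exe (PID 2100)
are assumed for context and are not in the report.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:  # the subset of Sysmon EID 1 / Security 4688 fields the rule needs
    pid: int
    ppid: int
    image: str
    cmdline: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    ProcEvent(1400, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),                 # assumed
    ProcEvent(1052, 1400, TEMP + r"\RedEngine.bin.exe", f'"{TEMP}\\RedEngine.bin.exe"'),
    ProcEvent(928, 1052, TEMP + r"\resourcefilehaha.exe",
              f'"{TEMP}\\resourcefilehaha.exe" /C /stext {TEMP}\\credentialslmao.txt'),
    ProcEvent(1928, 1052, TEMP + r"\red.exe", f'"{TEMP}\\red.exe"'),
    ProcEvent(828, 1928, TEMP + r"\resourcefilehaha.exe",
              f'"{TEMP}\\resourcefilehaha.exe" /C /stext {TEMP}\\credentialslmao.txt'),
    ProcEvent(1376, 1052, TEMP + r"\RedEngine.exe.exe", f'"{TEMP}\\RedEngine.exe.exe"'),
    ProcEvent(2100, 1400, r"C:\Windows\System32\notepad.exe", "notepad.exe"),        # benign control
]

# Directories any interactive user can write to; an EXE there launched by another EXE
# there is the "dropper runs its payload" shape.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData\\Local\\Temp|ProgramData|Windows\\Temp)\\", re.I)
# NirSoft save-to-file switches: /stext /stab /stabular /scomma /shtml /sverhtml /sxml.
NIRSOFT_SAVE = re.compile(r"(?:^|\s)/s(?:tabular|text|tab|comma|verhtml|html|xml)\b", re.I)
# Output file names that advertise what was harvested.
CRED_NAME = re.compile(r"cred|passw|login|pwd", re.I)


def score_event(e: ProcEvent, by_pid: dict):
    """Return (severity, reasons) for one event; severity is None when nothing matched."""
    reasons = []
    m = NIRSOFT_SAVE.search(e.cmdline)
    if m:
        reasons.append("nirsoft_save_switch")
        out_file = e.cmdline[m.end():].strip().split(" ")[0]   # argument after the switch
        if CRED_NAME.search(out_file):
            reasons.append("credential_named_output")
    parent = by_pid.get(e.ppid)
    if USER_WRITABLE.search(e.image) and parent is not None and USER_WRITABLE.search(parent.image):
        reasons.append("temp_exe_spawned_by_temp_exe")
    severity = {0: None, 1: "low", 2: "medium", 3: "high"}[len(reasons)]
    return severity, reasons


def findings(events: list) -> dict:
    """Map pid -> finding for every event that matched at least one indicator."""
    by_pid = {e.pid: e for e in events}
    result = {}
    for e in events:
        severity, reasons = score_event(e, by_pid)
        if severity:
            result[e.pid] = {"image": e.image, "severity": severity, "reasons": reasons}
    return result


if __name__ == "__main__":
    for pid, f in findings(EVENTS).items():
        print(f"{f['severity']:<6} pid={pid:<5} {f['image']}  {', '.join(f['reasons'])}")
```

Only the two NirSoft launches reach "high"; the droppers themselves score "low" on the Temp-from-Temp indicator alone, which is the right ordering, since legitimate installers also run helpers from Temp but do not pass /stext with a credentials-named output path. The output name is the weakest of the three indicators (an operator can rename it), so the switch plus the parent relationship should carry the alert on their own.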
Network
Downloads (dropped files; the original report listed each path several times, once per write and once in the \Users\... form, with identical hashes, so each file appears once here)

  • C:\Users\Admin\AppData\Local\Temp\RedEngine.exe.exe
    MD5     a218c6adcbf94cdfd5feaf0c336002fd
    SHA1    f02ca46438c1fa0ae534b99fffa0b919af6990f7
    SHA256  d7264922a8cf09a9c745ad2ccfb11fce6f696b0184db57480d128089d4370c43
    SHA512  5f0156f1a87f86970bdcd7ebb88989b6d2f613391e7af1ba176f0eabd813e0708a32b13149ced68cf5301775d16f6538f353b3de14571f2e396c524b787ef746

  • C:\Users\Admin\AppData\Local\Temp\credentialslmao.txt (output file named on the resourcefilehaha.exe /stext command line)
    MD5     f3b25701fe362ec84616a93a45ce9998
    SHA1    d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256  b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512  98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • C:\Users\Admin\AppData\Local\Temp\red.exe
    MD5     131415d2929126694a478b39272e5243
    SHA1    c02b1248a5d0601006c3771f0c88dad6ec812acd
    SHA256  0f9b59f8f216a956569e43b4f8356f40f58c9b73da55b4dc5882046f7dee4c64
    SHA512  5f86e16b3eb8babfc5426672f0bac6cfe43d035ba931b2fafbfbc369816093c8d19e0f4981cc158314845bc5b948def9c97421e450b243289e1b0ae3fa19df23

  • C:\Users\Admin\AppData\Local\Temp\resourcefilehaha.exe
    MD5     053778713819beab3df309df472787cd
    SHA1    99c7b5827df89b4fafc2b565abed97c58a3c65b8
    SHA256  f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe
    SHA512  35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Memory dumps (behavioral1)

  • memory/828-102-0x0000000000000000-mapping.dmp
  • memory/928-75-0x0000000075721000-0x0000000075723000-memory.dmp
  • memory/928-73-0x0000000000000000-mapping.dmp
  • memory/1052-77-0x00000000064F0000-0x0000000006633000-memory.dmp
  • memory/1052-65-0x0000000000500000-0x0000000000519000-memory.dmp
  • memory/1052-64-0x00000000004C0000-0x00000000004C1000-memory.dmp
  • memory/1052-66-0x0000000000560000-0x000000000056F000-memory.dmp
  • memory/1052-63-0x0000000000480000-0x0000000000481000-memory.dmp
  • memory/1052-62-0x0000000000D20000-0x0000000000DB1000-memory.dmp
  • memory/1052-59-0x0000000000DC0000-0x0000000000DC1000-memory.dmp
  • memory/1376-89-0x0000000000B50000-0x0000000000B51000-memory.dmp
  • memory/1376-86-0x0000000000000000-mapping.dmp
  • memory/1928-95-0x00000000094B0000-0x00000000094B1000-memory.dmp
  • memory/1928-93-0x0000000000560000-0x0000000000579000-memory.dmp
  • memory/1928-82-0x0000000000F20000-0x0000000000F21000-memory.dmp
  • memory/1928-79-0x0000000000000000-mapping.dmp