IoC,Hash
http://33zo6hifw4usofzdnz74fm2zmhd3zsknog5jboqdgblcbwrmpcqzzbid.onion,
HOW_TO_RESTORE_FILES.REDCryptoApp.txt,
"0_SysAidFormPost.jsp ",07c85871b61493897895e59107a60348df5e01d82039559e63b0b539e0fd4aca
postmgm.jsp," ee6ca74bc895c95a6957d41041051ed3cb6eb629292784b1b0a5fefa14626110"
JWrapper,
"SimpleHelp Remote Access",
http://64.31.63.240/access,
64.31.63.240,
"HealthReport.exe (NSSM)"," 84366a894120d4a8c83411925ef04de52fa56da6fad0023a71f71a9bf21259ad"
AnyDesk,
"users.dll ",e37b95bb9bee64cc0313eaad8a0269493745f89413bd78b58bb3b479b36084ae
https://cl1p.net/101012,
ScreenConnect,
"SoftPerfect Network Scanner (netscan.exe)",
Nmap,
Advanced-IP-Scanner,
Procdump,
"%COMSPEC% /Q /c echo powershell -exec bypass -enc TgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwB5AHMAdABlAG0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwATABzAGEAIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBSAGUAcwB0AHIAaQBjAHQAZQBkAEEAZABtAGkAbgAiACAALQBWAGEAbAB1AGUAIAAiADAAIgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABEAFcATwBSAEQAIAAtAEYAbwByAGMAZQA= ^> 127.0.0.1C$__output 2^>^&1 > %TEMP%execute.bat & %COMSPEC% /Q /c %TEMP%execute.bat & del %TEMP%execute.bat",
Rclone,
"un63td1n.exe (GMER) ",e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173
"aswQP_Avar.sys (Avast aswArPot)",4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f
"PDQ Deploy",
"servicio ekrnEpfwFF",
AAA.ps1,
AAQQ.exe," ba84c820016298ad5e15a5f3eb9ab608491963ff333ae0e1267ac48ac909606e"
S01.ps1,
S02.ps2,
"AdvancedRun.exe ",dfe303b38ff03d788a4a1c289b7900e17d274fbc7e9ccde43a890fd546de8cd7
"ElevateSH/SimpleService.exe ",313000b647e07fe9c08d538d160b5adb4849a7e2e19c16e5e0f188b176470229
"ElevateSH/elev_win.exe ",2322434020ca91ad96fcca38a7e5508ef9cfa29443da637cbb44a6230d928d9e