Indicator,Data,Notes
sha256,58a7be39056c2084bbb4aec9843db732dfe115ec4ee0c7cc4cf8884621b5142d,C:\ProgramData\mios.exe (Malicious File) used in conjunction with cmdline containing '172.19.120.60 65211' and '178.128.221.202 443'
sha256,776d427a19d8389464f855b2f70e0ac11e896162a9f9b50bcb23f0f0aea5044f,C:\Windows\Help\Help\mscorsvc.dll (Malicious DLL)
sha256,430bf24c9a7843895cb266b440c1f911ae600a7e6b8f3885d1c000622da52b2b,C:\ProgramData\mscorsvc.dll (Malicious DLL)
sha256,a22b8ef40b8abe2bd7161f425484e82207f322fef1d0562de5bf98e2f642b477,"C:\Windows\Temp\ntpsapi.dll (EDR unhooking, benign version of ntdll.dll)"
sha256,cc19c785702eea660a1dd7cbf9e4fef80b41384e8bd6ce26b7229e0251f24272,C:\windows\syswow64\WWindows.Data.Devices.Config.dll (SharpHound/BloodHound)
sha256,e65645af3894ec55f0b55472302d288e860a10d97bc19b699facc400f778c4ee,locale.nlp (ATK/DonutLdr-A)
sha256,fa7d4fb4b43e1672c7f4656cd4275c330c2e13aff8451d68e4f305e5e5aea395,C:\Windows\debug\net.LOG (Havoc)
sha256,52e248b9fb32ac3aaa4be4b41c66f1e7d9f2d4605aae98f20584f21ea1f33202,swprv.dll (Malicious DLL sideloaded by swprv service)
sha256,e5620b4b6371b786c72e830dc24012354642b7067bd5902da7073ce0421456b7,iscsiexe.dll (MSiSCSI payload)
sha256,6d94049b24c6ac2373d3b517515fcaeeb392458342bbb5ad4c4316e124805b5b,version.dll (Malicious DLL sideloaded by swi_update.exe)
file_path_name,c:\windows\help\help\tmdbglog.dll,(Malicious DLL sideloaded by PTWatchDog.exe)
sha256,3cc8e21798462468d3bc05ddef35a558fe0dff268c433d42bd01385155084f53,"DecrptDumper.exe (Malicious File, no execution data)"
sha256,da9a53ff7486cf128e5ba80e66fcf3b1d8993d553bd9634ae8e90cbab31fd8da,c:\windows\help\prow.xml (Havoc)
sha256,8b16a3a3047f0eb93ef2b55613a76a9f5f19506428895a5ffbb3c1c44780aad7,~docpdf.tmp (Havoc)
sha256,75403191ee834075ab5334e92bda8aab267545a03ed5ed3508db36f21f4acf50,C:/PerfLogs/libcef.dll (Havoc)
sha256,609fc96700f49f7fdfa71248e642a4dfcd8b3d35f6da3b7c2ce7daad25a844a9,DOC20231100001603KMAP.pdf (webshell)
sha256,e4b7a1372233aef6d495743bb726fcd5037d4e90e043085498c21587335d36c7,C:/Windows/System32/wbem/ncobjapi.dll
sha256,5f959f480a66a33d37d9a0ef6c8f7d0059625ca2a8ae9236b49b194733622655,DOC20231200001924KMAP.aspx
sha256,bdcedd81555c9c2eb9f4329626c27ec8c7b91a0f2a9f6e0c55dbcd3f99e82b5d,111 (Shellcode loader)
sha256,4995b91badc8f9bf549548a734d3c14fa2a1c21080743484028b5362440808a0,C:/Windows/Vss/Writers/Application/libcef.dll (Shellcode Loader for Havoc)
sha256,4dd0debf03eeb938fbaca1f1fd391523358c23cbf18959a149c29133cc3c9cae,C:/Windows/Vss/Writers/Application/libcef.dll (Shellcode Loader for Havoc)
sha256,101bf8dcdd414f09ba46cdecbd96e8606c79b0e76b6a2ce040395e775cb4da86,DOC20231200001922KMAP.asp (webshell)
sha256,9ccf0e46f6aadbb20f4c269d8ac85cc9b4e6ce56bf226d45eda4347a20785c88,DOC20231200002062KMAP.php (webshell)
sha256,1622ef497f2b767a43e25bcd9a9a629cbe7bed49cb27dc4f08fe0863730580d9,log.ini (Havoc)
sha256,5f959f480a66a33d37d9a0ef6c8f7d0059625ca2a8ae9236b49b194733622655,DOC20231200001919KMAP.aspx (Webshell)
sha256,101bf8dcdd414f09ba46cdecbd96e8606c79b0e76b6a2ce040395e775cb4da86,DOC20231200001923KMAP.asp (Webshell)
sha256,5f959f480a66a33d37d9a0ef6c8f7d0059625ca2a8ae9236b49b194733622655,DOC20231200001924KMAP.pdf (Webshell)
sha256,5298c1aadac203285c8a95a4e3f62ec14b984729bf768a405c8028291e34fe1b,1.exe (Invoke WMI)
sha256,299b1e82f6941cc049a16c7854230fb37c97af32e2cf5cb335495f42446dc43f,"msedge_elf.dll (Shellcode Loader, Havoc)"
sha256,c36173f28bfd99db86533d5fdb0ce4dd565488ca56d4b9df1997ee9201b3b704,"chrome.exe (Shellcode Loader, Havoc)"
sha256,8d54da0f807d771edb1197e463cdff8848651e14745c4c468386c31953c340ff,"msedge_elf.dll (Shellcode Loader, Havoc)"
sha256,71ccc2c30dc43f20833c3e54d1fe86f8b68263d876461a3f7f7f8702e92cbe81,C:/ProgramData/conhost.exe (Alcatraz Git Project EDR Evasion)
sha256,d86790104f59b89edbdb1478f320d4589155d465d4710bcb57ff015383eefb38,C:\Windows\Vss\Writers\Application\libcef.dll
sha256,2892aa48e12e72ba25c4caa9471b41ce316624ff98ed79f56e3c6b3a51026504,C:\Windows\Vss\Writers\libcef.dll
file_path_name,C:\Windows\Vss\Writers\log.bin,
sha256,2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c,C:\PerfLogs\vcruntime140.dll
sha256,c6e1bf2b7ac0fd3c34761099d2ec17fccd0604e2e62e94f297943260d15368ce,C:\PerfLogs\jli.dll
file_path_name,C:\Windows\Temp\temp.log,(Shellcode loader)
sha256,b32de9f4f2a9bd08063c72fa84d5d44be5a3bf7859bfb6ceaf093cd03ff0240f,C:\PerfLogs\pt.exe (unsigned executable with certificate stating that it is MS Edge)
sha256,f30b04a9ebc95c50fdc116260068d4d8da8005104b6366c29d0f24dbbf798957,C:\Users\Public\r2.exe (Unknown threat file)
sha256,c36173f28bfd99db86533d5fdb0ce4dd565488ca56d4b9df1997ee9201b3b704,"C:\Users\Public\chrome.exe (Shellcode loader, WIN-PROT-VDL-MALWARE-ATK-SCLOAD-Q)"
sha256,fbe0851792629f86b1d5a599a6bc29d82b3248462bebd8e47ee698e4f510308f,C:\PerfLogs\msedge_elf.dll
ip,178.128.221.202,mios.exe C2
domain,gsenergyspeedtest.com,Cobalt Strike C2
ip,192.142.18.15,Interacted with webshell (VPN subnet)
ip,192.142.18.27,Interacted with webshell (VPN subnet)
ip,192.142.18.25,Dropped webshell (VPN subnet)
domain,hpupdate.net,Havoc C2
url,https://www.hpupdate.net/us-en/drivers/printers,Havoc C2 URI
ip,45.15.143.151,Havoc C2
ip,198.244.237.13,Havoc C2 payload host
ip,123.253.35.100,swprv.dll C2
domain,cancelle.net,swprv.dll C2
domain,dmsz.org,swprv.dll C2
domain,gandeste.net,swprv.dll C2
ip,103.56.5.224,swprv.dll C2
ip,49.157.28.114,swprv.dll C2
ip,103.56.5.224,swprv.dll C2
ip,141.136.44.219,Havoc C2
ip,145.14.158.235,Havoc C2
ip,107.148.41.114,Havoc C2
ip,66.42.56.233,Havoc C2 / XiebroC2
domain,test1.zhangliyong.cn,Havoc C2 / XiebroC2
ip,191.96.53.132,Havoc C2 / XiebroC2
ip,45.9.191.183,Havoc C2 / XiebroC2
ip,64.176.50.42,Havoc C2 / XiebroC2
ip,191.96.53.132,Havoc C2
ip,45.77.46.245,Havoc C2
ip,64.176.37.107,Havoc C2