Indicator,Data,Notes,,,, sha256,110c5eec940f3abb8b3a671cd292bc9ef65772168325a7949290e9828353824a,sslwnd64.exe (PhantomNet),,,, sha256,e9cb02690d987de8d392d0e24b3ccbb294c751dff73962135913c7ec0d8a8064,sslwnd64.exe (PhantomNet),,,, sha256,c1abc254d231574044ffe7bdd030be04618916f255396197f1151bfec98c04b6,nethood.exe (PhantomNet),,,, sha256,e8cd237ac43fa0505d858ac8eb800020eeca104a1cd931d3b6d0ef656ee5393d,oci.dll (PhantomNet),,,, sha256,173bb620ed2eee6b356e128da88e173eb1b69253ecd616f8f984087688c089fd,"X64.dll (PhantomNet, renamed to oci.dll)",,,, sha256,c06065d3de3bfb37168a5d94baf1c675f831a201937ef774a36c2ea2bf6fc49e,wlbsctrl.dll (EAGERBEE),,,, sha256,b05b92fd84cc3e3bd6378cadbe9b8b2cb926c42383e6194be1df44d1b9202fc1,TSVIPSrv.dll (EAGERBEE),,,, sha256,951c7f8fdb6cfc8b362615ab1eec4a07dc8fccfd3a7ecda8255908a93b6a1f21,TSVIPSrv.dll (EAGERBEE),,,, sha256,01544aeb502163c4fb7bac483430059183ce3d11aee78cd4a6c7074c5289540e,C:\ProgramData\Microsoft\DeviceSync\jli.dll (EAGERBEE),,,, sha256,47c4a62fe75aa62906f0b110668e17947e905a33759100de21b987879b47183b,C:\ProgramData\Microsoft\Vault\vmnat.dll (Merlin),,,, sha256,7ed44a0e548ba9a3adc1eb4fbf49e773bd9c932f95efc13a092af5bed30d3595,pc2msupp.dll (Malicious DLL sideloaded by MOBPOPUP.exe),,,, sha256,f499f8d9584e5f4474b19324b807a38fec1c1d38d5df2ff4c1e16798311bc25b,MSI64.exe (RUDEBIRD),,,, sha256,68ee8c2209641a6796e06caa115effcb89f722a5737210b5bebb87a36e5141a8,ba0oddof.dll (CSC compilation artifact from 1.ps1 execution),,,, sha256,9404f51ccaf4165e6add08344f04b90ae79a045814d6b1de6b6c1e30981faa78,SophosUD.exe (PowHeartBeat),,,, sha256,0e010a36ff24299592569f7c3fc01c597e158996d94b66eb3bbf757742663e76,SophosUD.exe (PowHeartBeat),,,, sha256,1b97afb3310b3af944f74c2d715c110cec32ec536c0a9837b8c88df3438b2a63,SophosUD2.exe (PowHeartBeat),,,, sha256,2a662b58f1dd229e7dba923a4d123658e3c10c0cfcec03748fbe577db81db34d,SensAPI.dll (Malicious DLL sideloaded by ph.exe),,,, 
sha256,bbc0fe549a9e902528a125abd13b1f7c53746416d9c9bb91f88877f37a4ce11c,"C:\ProgramData\Microsoft\Windows\svcchost.dll (Malicious DLL sideloaded by renamed vmnat.exe, svcchost.exe)",,,, domain,cloud.keepasses.com,Merlin C2,,,, ip,89.44.197.74,Merlin C2,,,, domain,scancenter.trendrealtime.com,RUDEBIRD C2,,,, ip,185.195.237.123,RUDEBIRD C2; EAGERBEE C2,,,, ip,195.123.247.50,RUDEBIRD C2,,,, ip,172.67.130.71,PhantomNet C2,,,, ip,45.90.58.103,PhantomNet C2; RUDEBIRD C2,,,, ip,185.195.237.121,PhantomNet C2,,,, ip,104.21.3.57,PhantomNet C2,,,, ip,185.82.217.164,PhantomNet C2,,,, ip,195.123.245.79,PhantomNet C2,,,, domain,associate.feedfoodconcerning.info,PhantomNet C2,,,, domain,associate.freeonlinelearningtech.com,PhantomNet C2,,,, domain,msudapis.info,PowHeartBeat C2,,,, ip,154.39.137.29,PowHeartBeat C2,,,, ip,147.139.47.141,PowHeartBeat C2,,,, ip,185.167.116.30,PhantomNet C2; EAGERBEE C2,,,, domain,associate.freeonlinelearning.com,EAGERBEE C2,,,, ip,91.220.202.143,EAGERBEE C2,,,, ip,139.162.18.97,dllhost.exe,,,,