Indicator,Data,Notes,,,,
sha256,92e2dafb6d91ac7bc725e680d53cfbfcc854033d14f6e4807fd0169c605324d2,3.ps1 (PowerShell script),,,,
sha256,DCC938AF8FB2964A1F35ADFB221DE76FFC0BD0CCAAC91455B3638FD4DC33E8C0,EvtxParser.exe (EVTX dump),,,,
sha256,0c3baa012cdb518982ec4ae954b395f3d6b9544ead8e050370219fa584f74f3c,2.vbs (VBS script),,,,
sha256,c679a2453697c51776b8a64d59fb8bf4172906e9a4f91b3872774bd05378d28c,r.vbs (VBS script),,,,
sha256,edd0c859424ab953a92ef20cfc8b938f469253122485915d6de80d314b18b08f,mscorsvc.dll (CCoreDoor),,,,
sha256,55277d86c0707459500dbb16915665ae611d3a4e4597d51599ea8b8fe6f85f29,mscorsvc.dll (CCoreDoor),,,,
sha256,a70e8317a608dd6ea0ad8564b089a153a7e3ab7ef763899d3d806141e820148e,"ntpsapi.dll (signed, benign, ntdll.dll used for EDR unhooking)",,,,
domain,message.ooguy.com,CCoreDoor C2,,,,
ip,146.190.93.250,CCoreDoor C2,,,,