| Type | Indicator | Description | Severity |
|---|---|---|---|
| FILE_PATH | C:\Windows\Temp\havoc.exe | Havoc C2 framework implant dropped by fake IT support vishing attack | medium |
| FILE_PATH | C:\Users\Public\Downloads\support_tool.exe | Malicious executable disguised as IT support tool delivered via vishing | medium |
| FILE_PATH | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svchost32.exe | svchost32.exe (mimics the legitimate svchost.exe filename with a "32" suffix) placed in the Startup folder by Havoc C2 for persistence; suspicious when executed from ProgramData or Startup directories instead of the legitimate System32/SysWOW64 locations, when running under non-SYSTEM privileges, or when spawning child processes indicative of C2 beaconing (curl, powershell, cmd, network connections to non-Microsoft IPs). Legitimate svchost.exe only executes from System32/SysWOW64 with SYSTEM privilege, has no child processes, and never resides in user-accessible or Startup folders. | medium |
| FILE_PATH | C:\Windows\System32\Tasks\MicrosoftEdgeUpdateTaskMachine | Scheduled task created at this path for Havoc C2 persistence; suspicious when MicrosoftEdgeUpdateTaskMachine is configured by non-SYSTEM processes (e.g., user execution, PowerShell, macro-spawned scripts) to execute unsigned binaries or scripts from user-writable directories rather than signed Microsoft executables from Program Files, and when task triggers originate from user logon or scheduled intervals instead of the Windows Update service as in legitimate Edge updates. Hunt in EDR/logs for task creation events where the parent process is not svchost.exe or Windows Update, where task Actions reference PowerShell, cmd.exe, or paths outside Program Files, or where the task is modified post-creation by non-admin accounts. | medium |
| FILE_PATH | C:\Users\Public\havoc_beacon.dll | Havoc C2 beacon DLL dropped during fake IT support vishing campaign | medium |
| FILE_PATH | C:\ProgramData\SystemData\update.exe | Secondary payload executed after initial vishing compromise; suspicious when spawned by cmd.exe or PowerShell processes initiated from user temp directories or email clients, as legitimate Windows updates do not execute from ProgramData\SystemData and would originate from System32 or official update services. | medium |
| FILE_PATH | C:\Windows\Temp\AnyDesk.exe | Suspicious when AnyDesk.exe is executed from the Temp directory by processes associated with Office macros, PowerShell, or cmd.exe without corresponding legitimate remote support tickets; legitimate AnyDesk deployments typically install to Program Files with signed parent processes, whereas this artifact indicates post-compromise execution during vishing-initiated lateral movement to deploy Havoc C2 or ransomware payloads. | medium |
| FILE_PATH | C:\Windows\Temp\TeamViewer.exe | Suspicious when TeamViewer.exe is executed from C:\Windows\Temp\ by non-standard processes (cmd.exe, powershell.exe, wscript.exe, or mshta.exe) rather than legitimate installation or update mechanisms, indicating post-compromise execution following successful vishing attacks; legitimate TeamViewer installations execute from Program Files\TeamViewer\ and are launched by Windows service processes (svchost.exe) or direct user interaction from known shortcuts, whereas Temp directory execution with command-line spawning parents strongly suggests malware deployment, persistence, or lateral movement by threat actors. Look for process creation events where the parent process is cmd.exe/powershell.exe with TeamViewer.exe as child, file creation timestamps in Temp that differ from system boot time, network connections initiated by this Temp-resident binary to external C2 infrastructure, and absence of corresponding TeamViewer installer or update logs in Application event | medium |
| FILE_PATH | C:\Users\Public\Music\payload.ps1 | PowerShell script used to download and execute Havoc C2 implant | medium |
| FILE_PATH | C:\ProgramData\defender_bypass.bat | Batch script used to disable Windows Defender before ransomware deployment, typically spawned by malicious parent processes or scripts; suspicious when executed by non-administrative processes (Office macros, remote access tools, script interpreters), and detectable in EDR/logs via cmd.exe or powershell.exe child processes issuing Defender service termination commands (Stop-Service, sc stop, taskkill) or registry modifications to DisableRealtimeMonitoring. This differs from legitimate Defender management, which originates from SYSTEM/Administrator accounts via Windows Update, Group Policy, or authorized security consoles with proper service credentials and logged administrative justification. | medium |
| FILE_PATH | C:\Windows\Temp\ransom_note.txt | Ransom note dropped to C:\Windows\Temp\ after Havoc C2 command execution and file encryption; suspicious when created by rundll32.exe, powershell.exe, or cmd.exe processes following lateral movement or registry modifications, as legitimate applications do not write ransom notes to this path during normal operations. | medium |
| FILE_PATH | %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt | Reviewed by attackers to understand user activity post-vishing compromise | low |
| FILE_PATH | C:\Users\Public\enc_tool.exe | Encryption binary deployed as final ransomware payload in Havoc C2 campaign | medium |
| FILE_PATH | C:\Windows\SysWOW64\cmd.exe | Suspicious when spawned by unexpected parent processes (e.g., Office applications, browsers, or unsigned executables) or executed from non-standard working directories; legitimate cmd.exe typically runs from explorer.exe or user-initiated shells, whereas after C2 deployment it appears in process chains originating from Havoc implant execution with obfuscated command-line arguments and privilege escalation patterns. Monitor EDR/Sysmon for cmd.exe with parent process anomalies, network connections to C2 infrastructure, lateral movement commands (net use, psexec, RDP), and execution from temporary/AppData paths that deviate from standard Windows operation. | low |