{
"Event" : {
"analysis" : "0" ,
"date" : "2023-04-13" ,
"extends_uuid" : "" ,
"info" : "HALFRIG - Malware Analysis Report" ,
"publish_timestamp" : "1681907498" ,
"published" : true ,
"threat_level_id" : "1" ,
"timestamp" : "1681907481" ,
"uuid" : "a57a8551-4e22-44b9-a72d-fa8345532029" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
"local" : "0" ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:clear" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:tool=\"HALFRIG\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Virtual Private Server - T1583.003\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Compromise Infrastructure - T1584\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"DLL Search Order Hijacking - T1574.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"HTML Smuggling - T1027.006\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#054300" ,
"local" : "0" ,
"name" : "admiralty-scale:source-reliability=\"a\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0029ff" ,
"local" : "0" ,
"name" : "estimative-language:confidence-in-analytic-judgment=\"high\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#001fc2" ,
"local" : "0" ,
"name" : "estimative-language:likelihood-probability=\"almost-certain\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "Pattern-ENVYSCOUT backend fingerprint collector" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681903524" ,
"to_ids" : true ,
"type" : "pattern-in-traffic" ,
"uuid" : "e7963e75-00ed-4542-8e3d-4d7bc73fee77" ,
"value" : "sawabfoundation.net/p.php?ip=<IP>&ua=<USER_AGENT>"
} ,
{
"category" : "Network activity" ,
"comment" : "ENVYSCOUT" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681903127" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "da0840d2-552d-4198-9f22-bb212dd53880" ,
"value" : "sawabfoundation.net/note.html"
} ,
{
"category" : "Network activity" ,
"comment" : "compromised hosting used for ENVYSCOUT" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681903133" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "2295b11f-5b27-43ea-b152-f2f2b0580e8f" ,
"value" : "sawabfoundation.net"
} ,
{
"category" : "Network activity" ,
"comment" : "CobaltStrike redirector" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681903139" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "5ef9091e-b65c-4033-8136-878f4ddea0b5" ,
"value" : "communitypowersports.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Actual CobaltStrike C2" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681903145" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "a04f9dd8-a1c0-43d3-9b3b-bcfd9c95747b" ,
"value" : "sanjosemotosport.com"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "Metadata used to generate an executive level report" ,
"meta-category" : "misc" ,
"name" : "report" ,
"template_uuid" : "70a68471-df22-4e3f-aa1a-5a3be19f82df" ,
"template_version" : "7" ,
"timestamp" : "1681803944" ,
"uuid" : "9a5c7967-ce23-4e98-956b-f1e09bc6f77b" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "link" ,
"timestamp" : "1681803944" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "c5e93a26-3edb-468d-8231-548ab7518f30" ,
"value" : "https://www.gov.pl/attachment/64193e8d-05e2-4cbf-bb4c-5f58da21fefb"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "summary" ,
"timestamp" : "1681803944" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "4433e9c9-7e46-4bd1-a31b-31ec7fd42fe7" ,
"value" : "HALFRIG is a stager for CobaltStrike Beacon that was used in an espionage campaign significantly\r\noverlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. HALFRIG\r\nhas significant code overlap with the QUARTERRIG and it is highly probable that it was developed\r\nby the same team."
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "type" ,
"timestamp" : "1681803944" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "a2b33d90-ff72-47d1-af81-a90215d00c96" ,
"value" : "Report"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"data" : " J V B E R i 0 x L j c N C i W 1 t b W 1 D Q o x I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 N h d G F s b 2 c v U G F n Z X M g M i A w I F I v T G F u Z y h l b i 1 V U y k g L 1 N 0 c n V j d F R y Z W V S b 290 I D E z N S A w I F I v T W F y a 0 l u Z m 88 P C 9 N Y X J r Z W Q g d H J 1 Z T 4 + L 0 1 l d G F k Y X R h I D E w N j Y g M C B S L 1 Z p Z X d l c l B y Z W Z l c m V u Y 2 V z I D E w N j c g M C B S P j 4 N C m V u Z G 9 i a g 0 K M i A w I G 9 i a g 0 K P D w v V H l w Z S 9 Q Y W d l c y 9 D b 3 V u d C A y M C 9 L a W R z W y A z I D A g U i A x N S A w I F I g M j Q g M C B S I D I 2 I D A g U i A y O S A w I F I g M z c g M C B S I D Q w I D A g U i A 0 M i A w I F I g N D M g M C B S I D Q 1 I D A g U i A 0 N i A w I F I g N D g g M C B S I D Q 5 I D A g U i A 1 M C A w I F I g N T I g M C B S I D U 0 I D A g U i A 1 N y A w I F I g N T g g M C B S I D Y w I D A g U i A x M z A g M C B S X S A + P g 0 K Z W 5 k b 2 J q D Q o z I D A g b 2 J q D Q o 8 P C 9 U e X B l L 1 B h Z 2 U v U G F y Z W 50 I D I g M C B S L 1 J l c 291 c m N l c z w 8 L 0 Z v b n Q 8 P C 9 G M S A 1 I D A g U i 9 G M i A 5 I D A g U i 9 G M y A x M S A w I F I v R j Q g M T M g M C B S P j 4 v R X h 0 R 1 N 0 Y X R l P D w v R 1 M 3 I D c g M C B S L 0 d T O C A 4 I D A g U j 4 + L 1 B y b 2 N T Z X R b L 1 B E R i 9 U Z X h 0 L 0 l t Y W d l Q i 9 J b W F n Z U M v S W 1 h Z 2 V J X S A + P i 9 N Z W R p Y U J v e F s g M C A w I D U 5 N S 4 z M i A 4 N D E u O T J d I C 9 D b 250 Z W 50 c y A 0 I D A g U i 9 H c m 91 c D w 8 L 1 R 5 c G U v R 3 J v d X A v U y 9 U c m F u c 3 B h c m V u Y 3 k v Q 1 M v R G V 2 a W N l U k d C P j 4 v V G F i c y 9 T L 1 N 0 c n V j d F B h c m V u d H M g M D 4 + D Q p l b m R v Y m o N C j Q g M C B v Y m o N C j w 8 L 0 Z p b H R l c i 9 G b G F 0 Z U R l Y 29 k Z S 9 M Z W 5 n d G g g M T A 1 N z 4 + D Q p z d H J l Y W 0 N C n i c v V h L b 9 s 4 E L 4 L 8 H / g a S E V M M 3 h m 4 u i g O u m a Y s G y M Y G 9 h D 0 
o C a K a 8 D r p I q b w v + + M / K j s i X F j 6 j r g 2 C S Q 8033 w x n R u z 18 / n k L r 2 Z s 9 e v e / 35 P L 35 l t 2 y 697 o / u F L b 7 R 4 y H q X 6 X g y S + e T + 1 l v + O P r n K Y + Z O l t l r 95 w 96 + G 7 D v n U h w Q T / v H T D B T D B c S e Y 18 C B Z n n W i f 1 + x W S d 6 O + p E v f f A A L j Q b H T X i U h a M G A y O G 4 d c 8 H S x t F / K H c + d G z 8 i K 9 m 42 L k V 6 P z T n Q d s 6 S r 8 W H L f 76 w 0 a d O d I Y 6 / u l E L W B S I L m C M q Y C y g b B a f p Q l p 1 d D B j r X R L h F 4 O P 75 h o j 0 g n u J e a O S t o x x 7 Q F S B w G h D J w P B g a 4 F I w 709 G o h s H 4 i w X B / P i G o P i F K W u 8 C s t z z 4 o 4 H o 1 h m x 1 n G j j w Z i T g O i n g G i A 1 d H 47 D t 45 C e h 6 N x u F N x q F o Q x o c a E B 8 S g L i f g I k / J 6 D i 9 w n o + C o B G X + k 4 f k e i L 4 l i O A 9 t 6 E B 4 j 6 e w m k g N G q t 5 Q k z n F m h 4 M a 4 Y j U f l 0 d X B a 6 L d P o z z T P W n 6 X T x S O V i 0 n i 4 k d 2 l T 3 c 54 m K 5 y 8 q H B V 40 m i u z e H w 9 q b k U n H o L p G B l M 6 v A a G C b Y T T z U Q h D V 4 B 0 O T W 5 u 2 l p U G F M x t U S K w 0 t q R h S 8 w q Q e p w + l s n u n u 1 p v F P o 0 X 6 X g 532 M A 6 V F n X H s L B d k g p X E m z E M b a n a W V H d w D r X j h V 0 + K E q k V D 6 j N e q 5 D Y Z H V x Y R 2 X P v i x c p T 7 T e 6 C D e a M A E n A C P P c G 0 b v f F / W U H R 3 Z o Z T V 6 S F S + J o M L B 0 S Y s C G V K B m r v r N 9 d K 50 O Q 20 q 6 w b P H a 7 h 65 X / P Z y u 1 w E b R + + a P P A H E R L l J 0 B s Y l d V z w B Y C 6 d G j 3 J a u o b o K W d I Q m g M k x g W q M J q w T U W b Q t 8 e f y V w t h h X d j o l E F z I 9 F G D J z d N F Q 1 a t 1 H A f l T a c O d w Q Z E c + W Y x A Y t Y F B h o 1 j k e X q H o P W f l N 6 J 3 O f l h y t 93 + n F l g M J e q 50 I a j Q B v A U 0 r 9 L y B a w U l 912 O 5 N A Z L b b a Z R H F 3 t j O G 22 t 19 u p 8 k X R n P q P C x 9 P Z p W Q 9 x 5 h G L Y V f F C / a V R o u / K 1 X x R a A 0 e k v K J l B 7 a 6 B 
t m R u p u a 1 + l F w Q A Q U Z U 3 o U / + Z p v m C D + x + z R M f z D B u H f E J S B X 80 n G 6 L j 7 N k u X i T J S Z m w y x / K u Z x 2 C q f R g a O e a D B k L 18 u p b 5 F K H u 2 + q v d m 1 W 2 F L h 91 O D s r 0 2 + 3 Z t t p h 1 R J X 6 w R m 5 + 4 o e I w w D j m F z + b l l H g K Q 0 x s A 7 P B Q S 8 W 6 F a d W m k 4 D t w g G H H X 1 e E A x 966 z X / S s R C n f O c z O n q 4 d 0 A J d C C q G N d 7 q h m w n S 13 t I X s 3 V F Q v P J B C T w u q 5 p s E V H E 91 M e z + I C e y C f T 5 X X R r j 9 e B o F 0 Y 19 Z B 4 F R 7 a O y N 7 q 5 j q W Q q m 3 V y t B l Q r 31 e y 9 Z o G U n e M 19 T X p / A k 60 i 5 Z t p 1 Z D N C p t O A e / A F 5 q C d E N C m V u Z H N 0 c m V h b Q 0 K Z W 5 k b 2 J q D Q o 1 I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 Z v b n Q v U 3 V i d H l w Z S 9 U c n V l V H l w Z S 9 O Y W 1 l L 0 Y x L 0 J h c 2 V G b 250 L 0 J D R E V F R S t S Y W p k a G F u a S 1 S Z W d 1 b G F y L 0 V u Y 29 k a W 5 n L 1 d p b k F u c 2 l F b m N v Z G l u Z y 9 G b 250 R G V z Y 3 J p c H R v c i A 2 I D A g U i 9 G a X J z d E N o Y X I g M z I v T G F z d E N o Y X I g M T I y L 1 d p Z H R o c y A x M D Q 0 I D A g U j 4 + D Q p l b m R v Y m o N C j Y g M C B v Y m o N C j w 8 L 1 R 5 c G U v R m 9 u d E R l c 2 N y a X B 0 b 3 I v R m 9 u d E 5 h b W U v Q k N E R U V F K 1 J h a m R o Y W 5 p L V J l Z 3 V s Y X I v R m x h Z 3 M g M z I v S X R h b G l j Q W 5 n b G U g M C 9 B c 2 N l b n Q g O T M w L 0 R l c 2 N l b n Q g L T M 0 N i 9 D Y X B I Z W l n a H Q g O T M w L 0 F 2 Z 1 d p Z H R o I D Q 3 N y 9 N Y X h X a W R 0 a C A y N D M 2 L 0 Z v b n R X Z W l n a H Q g N D A w L 1 h I Z W l n a H Q g M j U w L 1 N 0 Z W 1 W I D Q 3 L 0 Z v b n R C Q m 94 W y A t N D E 2 I C 0 z N D Y g M j A y M C A 5 M z B d I C 9 G b 250 R m l s Z T I g M T A 0 M i A w I F I + P g 0 K Z W 5 k b 2 J q D Q o 3 I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 V 4 d E d T d G F 0 Z S 9 C T S 9 O b 3 J t Y W w v Y 2 E g M T 4 + D Q p l 
b m R v Y m o N C j g g M C B v Y m o N C j w 8 L 1 R 5 c G U v R X h 0 R 1 N 0 Y X R l L 0 J N L 0 5 v c m 1 h b C 9 D Q S A x P j 4 N C m V u Z G 9 i a g 0 K O S A w I G 9 i a g 0 K P D w v V H l w Z S 9 G b 250 L 1 N 1 Y n R 5 c G U v V H J 1 Z V R 5 c G U v T m F t Z S 9 G M i 9 C Y X N l R m 9 u d C 9 C Q 0 R G R U U r V m V y Z G F u Y S 1 C b 2 x k L 0 V u Y 29 k a W 5 n L 1 d p b k F u c 2 l F b m N v Z G l u Z y 9 G b 250 R G V z Y 3 J p c H R v c i A x M C A w I F I v R m l y c 3 R D a G F y I D M y L 0 x h c 3 R D a G F y I D M y L 1 d p Z H R o c y A x M D Q 1 I D A g U j 4 + D Q p l b m R v Y m o N C j E w I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 Z v b n R E Z X N j c m l w d G 9 y L 0 Z v b n R O Y W 1 l L 0 J D R E Z F R S t W Z X J k Y W 5 h L U J v b G Q v R m x h Z 3 M g M z I v S X R h b G l j Q W 5 n b G U g M C 9 B c 2 N l b n Q g M T A w N S 9 E Z X N j Z W 50 I C 0 y M D c v Q 2 F w S G V p Z 2 h 0 I D c 2 N S 9 B d m d X a W R 0 a C A 1 N j g v T W F 4 V 2 l k d G g g M j I 1 N y 9 G b 250 V 2 V p Z 2 h 0 I D c w M C 9 Y S G V p Z 2 h 0 I D I 1 M C 9 T d G V t V i A 1 N i 9 G b 250 Q k J v e F s g L T U 1 M C A t M j A 3 I D E 3 M D c g N z Y 1 X S A v R m 9 u d E Z p b G U y I D E w N D Y g M C B S P j 4 N C m V u Z G 9 i a g 0 K M T E g M C B v Y m o N C j w 8 L 1 R 5 c G U v R m 9 u d C 9 T d W J 0 e X B l L 1 R y d W V U e X B l L 0 5 h b W U v R j M v Q m F z Z U Z v b n Q v Q k N E R 0 V F K 1 J h a m R o Y W 5 p L V N l b W l C b 2 x k L 0 V u Y 29 k a W 5 n L 1 d p b k F u c 2 l F b m N v Z G l u Z y 9 G b 250 R G V z Y 3 J p c H R v c i A x M i A w I F I v R m l y c 3 R D a G F y I D M y L 0 x h c 3 R D a G F y I D E y M S 9 X a W R 0 a H M g M T A 1 M C A w I F I + P g 0 K Z W 5 k b 2 J q D Q o x M i A w I G 9 i a g 0 K P D w v V H l w Z S 9 G b 250 R G V z Y 3 J p c H R v c i 9 G b 250 T m F t Z S 9 C Q 0 R H R U U r U m F q Z G h h b m k t U 2 V t a U J v b G Q v R m x h Z 3 M g M z I v S X R h b G l j Q W 5 n b G U g M C 9 B 
c 2 N l b n Q g O T M w L 0 R l c 2 N l b n Q g L T M 0 N i 9 D Y X B I Z W l n a H
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "report-file" ,
"timestamp" : "1681803944" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "acb1b478-874b-4e5d-adbe-54b25f38c80f" ,
"value" : "HALFRIG_.pdf"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1681826311" ,
"uuid" : "fee5eb3a-c2dd-40ea-97ff-78d827b5848c" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "comment" ,
"timestamp" : "1681826311" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "d5fa3ac4-88c8-43e3-a834-3d73bc4b5991" ,
"value" : "A rule that can be used to scan for HALFRIG"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "reference" ,
"timestamp" : "1681826311" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "71b8533b-8bbb-4e1c-a3d8-d2d3a5d58ddc" ,
"value" : "https://www.gov.pl/attachment/64193e8d-05e2-4cbf-bb4c-5f58da21fefb"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1681826311" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "3bbad14a-c57a-4778-8859-66a3e31088be" ,
"value" : "rule APT29_HALFRIG_OBFUSCATION\r\n{\r\nmeta:\r\ndescription = \"Detects obfuscation patterns used in HALFRIG. This rule wasn't tested against large dataset, it should be used for threat hunting and not on services like VTI.\"\r\n\r\nstrings:\r\n\r\n// Decryption constants and decryption operation\r\n\r\n$ = {48 BB 0B 91 09 19 4D FD 9B F3 }\r\n\r\n\r\n$ = {4D 8D 40 01 48 8B CA 48 8B C2 48 C1 E9 38 48 83 C9 01 48 C1 E0 08 48 8B D1 48 33 D0}\r\n\r\n\r\n$ = {C7 05 [3] 00 F7 91 4D 01 }\r\n\r\n condition:\r\n\r\nuint16(0) == 0x5A4D\r\n\r\nand\r\n\r\nfilesize < 500KB\r\n\r\nand\r\n\r\nall of them\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1681826311" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "a88c93a9-2b8d-408b-b7f7-5e913125dc8e" ,
"value" : "APT29_HALFRIG_OBFUSCATION"
}
]
} ,
{
"comment" : "Legitimate binary used for loading malicious DLL" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681902818" ,
"uuid" : "fad6bb9e-862f-428a-9ded-fe90217d1c18" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "fad6bb9e-862f-428a-9ded-fe90217d1c18" ,
"referenced_uuid" : "f7585879-72a8-4a51-a414-cdae1aa8947c" ,
"relationship_type" : "followed-by" ,
"timestamp" : "1681902818" ,
"uuid" : "f636a565-39e9-4139-8622-b445f2523766"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681894020" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "76b9f785-a452-4d6b-b542-ee53d98c874f" ,
"value" : "d9d40cb3e2fe05cf223dc0b592a592c132340042"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681894020" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "8c520e11-bc0e-49f3-9fba-a9a1dc002990" ,
"value" : "83863beee3502e42ced7e4b6dacb9eac"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681894020" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "a6d6ca06-9010-4e37-9846-3fcea0397cc9" ,
"value" : "cb470d77087518ed7bc53ca624806c265ae2485d40ec212acc2559720940fb27"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681894020" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "6e965e9f-bf16-4ff7-852a-f706629443f7" ,
"value" : "Note.exe"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681894020" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "f7e9dcd2-4d67-4ac7-8048-660913a90ec6" ,
"value" : "1597000"
}
]
} ,
{
"comment" : "Virtual disc container" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681897981" ,
"uuid" : "b1dd9581-897d-4ac8-bd2f-98f30d601147" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "b1dd9581-897d-4ac8-bd2f-98f30d601147" ,
"referenced_uuid" : "fad6bb9e-862f-428a-9ded-fe90217d1c18" ,
"relationship_type" : "contains" ,
"timestamp" : "1681897910" ,
"uuid" : "e7afba87-3c9b-4df2-a5fe-64fdaeb68403"
} ,
{
"comment" : "" ,
"object_uuid" : "b1dd9581-897d-4ac8-bd2f-98f30d601147" ,
"referenced_uuid" : "f7585879-72a8-4a51-a414-cdae1aa8947c" ,
"relationship_type" : "contains" ,
"timestamp" : "1681897932" ,
"uuid" : "332592ba-f3be-4068-aa6e-d00d0f3e5654"
} ,
{
"comment" : "" ,
"object_uuid" : "b1dd9581-897d-4ac8-bd2f-98f30d601147" ,
"referenced_uuid" : "fab51584-fda0-4be9-88e2-d301c21dacd8" ,
"relationship_type" : "contains" ,
"timestamp" : "1681897950" ,
"uuid" : "4ecd062f-0300-4c88-bbc3-0e450490859c"
} ,
{
"comment" : "" ,
"object_uuid" : "b1dd9581-897d-4ac8-bd2f-98f30d601147" ,
"referenced_uuid" : "4e8ebc97-432e-48f6-af54-e6f1f4589a0d" ,
"relationship_type" : "contains" ,
"timestamp" : "1681897966" ,
"uuid" : "b07733b1-2d8e-44e9-9cb1-30c4a9649eb7"
} ,
{
"comment" : "" ,
"object_uuid" : "b1dd9581-897d-4ac8-bd2f-98f30d601147" ,
"referenced_uuid" : "09833510-9b3b-4e7f-974a-423e25b96e5b" ,
"relationship_type" : "contains" ,
"timestamp" : "1681897981" ,
"uuid" : "6c927fd4-5d82-411e-be5c-ee93c999b5cd"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681894160" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "f9911630-a510-4de8-860e-dd28a2c54cdc" ,
"value" : "fbb482415f5312ed64b3a0ebee7fed5e6610c21a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681894160" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "bed8b637-3828-49fd-b5ca-19a97848e783" ,
"value" : "0e5ed33778ee9c020aa067546384abcb"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681894160" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "e6386cb8-ba5f-4f13-88bb-92880808a1c9" ,
"value" : "d1455c42553fab54e78c874525c812aaefb1f3cc69f9c314649bd6e4e57b9fa9"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681894160" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "c4234de5-f1f8-4289-975c-5adcdcaa7264" ,
"value" : "Note.iso"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681894160" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "27b0b487-84e3-4991-802d-f49805942220" ,
"value" : "2688000"
}
]
} ,
{
"comment" : "1st module" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681902838" ,
"uuid" : "f7585879-72a8-4a51-a414-cdae1aa8947c" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "f7585879-72a8-4a51-a414-cdae1aa8947c" ,
"referenced_uuid" : "fab51584-fda0-4be9-88e2-d301c21dacd8" ,
"relationship_type" : "followed-by" ,
"timestamp" : "1681902838" ,
"uuid" : "6df759b9-eb76-404a-aa97-8c6a47863dc7"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681894547" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "6b89113e-af2f-4b48-970d-4a177ddd940c" ,
"value" : "f61e0d09be2fc81d6f325aa7041be6136a747c2d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681894547" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "30d4314f-555d-4f81-8240-27f73229d435" ,
"value" : "f532c0247b683de8936982e86876093b"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681894547" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "4b1ee9fc-8757-411d-8496-263296e00302" ,
"value" : "ddf218e4e7ccd5e8bd502fb115d1e7fbfaa393fb7e0b3b9001168caebc771c50"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681894547" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "22680f2f-2f51-4a77-bbbe-879f35f0505f" ,
"value" : "AppvIsvSubsystems64.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681894547" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "6bc25a0f-be75-41f1-8d2b-c16fc8ca1a92" ,
"value" : "27000"
}
]
} ,
{
"comment" : "2nd module\r\n" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681902852" ,
"uuid" : "fab51584-fda0-4be9-88e2-d301c21dacd8" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "fab51584-fda0-4be9-88e2-d301c21dacd8" ,
"referenced_uuid" : "4e8ebc97-432e-48f6-af54-e6f1f4589a0d" ,
"relationship_type" : "followed-by" ,
"timestamp" : "1681902852" ,
"uuid" : "78478ab8-e9d5-4c16-9291-c7651dd46296"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681894650" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "3de0eeae-a046-4467-9f2d-7701a4f774eb" ,
"value" : "e418d37fdcf4c288884bfe744b416cbdb0243a9e"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681894650" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "99b266dd-f6df-4ba7-a601-5ff4c9210ad0" ,
"value" : "abc87df854f31725dd1d7231f6f07354"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681894650" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "9b395459-acf6-443a-8c6d-181d78501a70" ,
"value" : "efeb7d9d0fabe464a32c4e33fe756d6ef7a9b369c0f1462b3dd573b6b667488e"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681894650" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "b4d94f8e-718b-4522-a059-1c9796cabb04" ,
"value" : "msword.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681894650" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "12721c3c-55bb-4cd1-b1ed-512f6635b983" ,
"value" : "53000"
}
]
} ,
{
"comment" : "3rd module" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681902873" ,
"uuid" : "4e8ebc97-432e-48f6-af54-e6f1f4589a0d" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "4e8ebc97-432e-48f6-af54-e6f1f4589a0d" ,
"referenced_uuid" : "a6b876c3-c517-48a4-9b4e-0ae68492089a" ,
"relationship_type" : "injected-into" ,
"timestamp" : "1681895258" ,
"uuid" : "df621e8c-a1f8-4563-ae58-5056d8721bc8"
} ,
{
"comment" : "" ,
"object_uuid" : "4e8ebc97-432e-48f6-af54-e6f1f4589a0d" ,
"referenced_uuid" : "b3ddd480-33ba-462a-a783-98bc0315ba43" ,
"relationship_type" : "injected-into" ,
"timestamp" : "1681895268" ,
"uuid" : "69f1e492-92be-4ddb-9065-5875c300fb64"
} ,
{
"comment" : "" ,
"object_uuid" : "4e8ebc97-432e-48f6-af54-e6f1f4589a0d" ,
"referenced_uuid" : "6f954c43-b864-43ad-8579-5eda4026a3b7" ,
"relationship_type" : "injected-into" ,
"timestamp" : "1681895296" ,
"uuid" : "bdea8655-236e-4d3f-be72-bccaaba00945"
} ,
{
"comment" : "" ,
"object_uuid" : "4e8ebc97-432e-48f6-af54-e6f1f4589a0d" ,
"referenced_uuid" : "ad1e8e48-20db-488e-95fd-bb75b6f96293" ,
"relationship_type" : "injected-into" ,
"timestamp" : "1681895310" ,
"uuid" : "ed112259-cb70-47ce-8199-0b25042bb40a"
} ,
{
"comment" : "" ,
"object_uuid" : "4e8ebc97-432e-48f6-af54-e6f1f4589a0d" ,
"referenced_uuid" : "77bba20a-f103-402c-9fd6-40fd2641f7f9" ,
"relationship_type" : "injected-into" ,
"timestamp" : "1681895335" ,
"uuid" : "00fa2c4d-9637-4ba5-9078-25868ba303e3"
} ,
{
"comment" : "" ,
"object_uuid" : "4e8ebc97-432e-48f6-af54-e6f1f4589a0d" ,
"referenced_uuid" : "ca7257d8-9bdc-459e-9f7f-5cdeecbd549d" ,
"relationship_type" : "injected-into" ,
"timestamp" : "1681895343" ,
"uuid" : "fc13195d-b616-4436-9696-a39d01b360ea"
} ,
{
"comment" : "" ,
"object_uuid" : "4e8ebc97-432e-48f6-af54-e6f1f4589a0d" ,
"referenced_uuid" : "09833510-9b3b-4e7f-974a-423e25b96e5b" ,
"relationship_type" : "followed-by" ,
"timestamp" : "1681902873" ,
"uuid" : "8593c2b5-1b05-429a-ae76-b35b83597640"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681894839" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "9b9287f4-c070-483a-b72b-918375565821" ,
"value" : "6dff9a9f13300a5ce72a70d907ff7854599e990a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681894839" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "f7493629-d3d7-4c9e-be47-58454542f20c" ,
"value" : "2ffaa8cbc7f0d21d03d3dd897d974dba"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681894839" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "f52ccaf4-bbb5-435f-864b-9a1b48bdae3f" ,
"value" : "cfa65036aff012d7478694ea733e3e882cf8e18f336af5fba3ed2ef29160d45b"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681894839" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "0833e9ca-92e9-455f-ac43-9dcfe1d94220" ,
"value" : "envsrv.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681894839" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "d5f94a8e-0cdc-47aa-8829-2bba3fe69a41" ,
"value" : "56000"
}
]
} ,
{
"comment" : "4th module (shellcode stager)" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681894913" ,
"uuid" : "09833510-9b3b-4e7f-974a-423e25b96e5b" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681894913" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "338c8740-dbf4-4315-b0f9-6f0e6be71fcb" ,
"value" : "a677b6aa958fe02cac0730d36e8123648e02884f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681894913" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "20579f5c-1163-4ce7-a897-f405ee8a279b" ,
"value" : "5b6d8a474c556fe327004ed8a33edcdb"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681894913" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "995ba181-aa8f-4894-9939-b4e41f4b19d8" ,
"value" : "86edfd6c7a2fab8c50a372494e3d5b08c032cca754396f6e288d5d4c5738cb4c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681894913" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "77d38de7-27dd-4d64-85ea-cc70d7a6ceea" ,
"value" : "mschost.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681894913" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "2a734e66-beec-4d1c-9d86-6f6dce879364" ,
"value" : "391000"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Object describing a system process." ,
"meta-category" : "misc" ,
"name" : "process" ,
"template_uuid" : "02aeef94-ac23-455c-addb-731757ceafb5" ,
"template_version" : "10" ,
"timestamp" : "1681894972" ,
"uuid" : "a6b876c3-c517-48a4-9b4e-0ae68492089a" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "name" ,
"timestamp" : "1681894972" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "074efb8b-4300-44e1-b81b-85c33a3f61f8" ,
"value" : "RunTimeBroker.exe"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Object describing a system process." ,
"meta-category" : "misc" ,
"name" : "process" ,
"template_uuid" : "02aeef94-ac23-455c-addb-731757ceafb5" ,
"template_version" : "10" ,
"timestamp" : "1681895005" ,
"uuid" : "b3ddd480-33ba-462a-a783-98bc0315ba43" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "name" ,
"timestamp" : "1681895005" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "68894fb2-fa01-453b-9af5-015195c38906" ,
"value" : "TaskHostW.exe"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Object describing a system process." ,
"meta-category" : "misc" ,
"name" : "process" ,
"template_uuid" : "02aeef94-ac23-455c-addb-731757ceafb5" ,
"template_version" : "10" ,
"timestamp" : "1681895042" ,
"uuid" : "6f954c43-b864-43ad-8579-5eda4026a3b7" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "name" ,
"timestamp" : "1681895042" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "8ea48407-6a1b-4233-a836-3d8c6783a85d" ,
"value" : "Svchost.exe"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Object describing a system process." ,
"meta-category" : "misc" ,
"name" : "process" ,
"template_uuid" : "02aeef94-ac23-455c-addb-731757ceafb5" ,
"template_version" : "10" ,
"timestamp" : "1681895104" ,
"uuid" : "ad1e8e48-20db-488e-95fd-bb75b6f96293" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "name" ,
"timestamp" : "1681895104" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "6dccd3a5-bbd3-4d7a-9feb-5938f484bff7" ,
"value" : "IpfHelper.exe"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Object describing a system process." ,
"meta-category" : "misc" ,
"name" : "process" ,
"template_uuid" : "02aeef94-ac23-455c-addb-731757ceafb5" ,
"template_version" : "10" ,
"timestamp" : "1681895119" ,
"uuid" : "77bba20a-f103-402c-9fd6-40fd2641f7f9" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "name" ,
"timestamp" : "1681895119" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "8ac9b619-8143-4553-9793-2728db1d3e9a" ,
"value" : "SecurityHealthService.exe"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Object describing a system process." ,
"meta-category" : "misc" ,
"name" : "process" ,
"template_uuid" : "02aeef94-ac23-455c-addb-731757ceafb5" ,
"template_version" : "10" ,
"timestamp" : "1681895145" ,
"uuid" : "ca7257d8-9bdc-459e-9f7f-5cdeecbd549d" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "name" ,
"timestamp" : "1681895145" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "b30ddce2-82a8-46a9-838c-a019c2549d00" ,
"value" : "ApplicationFrameHost.exe"
}
]
}
]
}
}