{ "type": "bundle", "id": "bundle--57a8a2e8-6054-46ef-bab9-418e950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-28T18:22:09.000Z", "modified": "2017-04-28T18:22:09.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--57a8a2e8-6054-46ef-bab9-418e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-28T18:22:09.000Z", "modified": "2017-04-28T18:22:09.000Z", "name": "OSINT - ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms", "published": "2017-04-28T20:01:48Z", "object_refs": [ "x-misp-attribute--57a8a31b-1ab4-445e-8ffc-42ed950d210f", "indicator--57a8a37c-d830-44db-8b0d-440f950d210f", "indicator--57a8a37c-43f0-47ef-af72-45e4950d210f", "indicator--57a8a37c-5cc8-44ea-bdab-4fbe950d210f", "indicator--57a8a37c-a654-4f67-ac1a-4b92950d210f", "indicator--57a8a37c-ef9c-4184-a106-4d7c950d210f", "indicator--57a8a37d-3eec-42d3-9d19-487a950d210f", "indicator--57a8a37d-3b68-48c3-8ced-439d950d210f", "indicator--57a8a37d-b9c4-441f-b570-413a950d210f", "indicator--57a8a37d-75a8-49d3-b70d-4e78950d210f", "indicator--57a8a37d-d8d0-42d1-8d8c-4d5d950d210f", "indicator--57a8a37e-8a58-4d43-a601-4fd8950d210f", "x-misp-attribute--57a8a3d4-80cc-4315-8f13-420f950d210f", "x-misp-attribute--57a8a3fc-93c4-4177-886f-4144950d210f", "observed-data--57a8a451-289c-4a68-8104-4713950d210f", "file--57a8a451-289c-4a68-8104-4713950d210f", "observed-data--57a8a452-fb14-454e-8ade-4a7f950d210f", "file--57a8a452-fb14-454e-8ade-4a7f950d210f", "observed-data--57a8a452-7e70-44ee-b281-49f7950d210f", "file--57a8a452-7e70-44ee-b281-49f7950d210f", "observed-data--57a8a452-5ecc-482c-b94d-4076950d210f", "file--57a8a452-5ecc-482c-b94d-4076950d210f", "observed-data--57a8a453-493c-41b5-93ad-4ce8950d210f", "file--57a8a453-493c-41b5-93ad-4ce8950d210f", 
"observed-data--57a8a453-65a4-4378-9100-4003950d210f", "file--57a8a453-65a4-4378-9100-4003950d210f", "observed-data--57a8a454-0748-4119-a55c-4b1e950d210f", "file--57a8a454-0748-4119-a55c-4b1e950d210f", "observed-data--57a8a454-2c08-4de7-b772-4c03950d210f", "file--57a8a454-2c08-4de7-b772-4c03950d210f", "observed-data--57a8a455-0a60-41d8-9b5b-4c18950d210f", "file--57a8a455-0a60-41d8-9b5b-4c18950d210f", "observed-data--57a8a455-daa8-48e4-acd4-4f33950d210f", "file--57a8a455-daa8-48e4-acd4-4f33950d210f", "observed-data--57a8a456-dce0-47ac-afb1-4df3950d210f", "file--57a8a456-dce0-47ac-afb1-4df3950d210f", "observed-data--57a8a457-dea4-4230-bbca-429e950d210f", "file--57a8a457-dea4-4230-bbca-429e950d210f", "observed-data--57a8a458-5b48-4a30-80b2-4844950d210f", "file--57a8a458-5b48-4a30-80b2-4844950d210f", "observed-data--57a8a459-8638-4b90-a139-4cfd950d210f", "file--57a8a459-8638-4b90-a139-4cfd950d210f", "observed-data--57a8a45a-3ab8-4fdd-8857-4e53950d210f", "file--57a8a45a-3ab8-4fdd-8857-4e53950d210f", "observed-data--57a8a45a-1640-4725-971d-48aa950d210f", "file--57a8a45a-1640-4725-971d-48aa950d210f", "observed-data--57a8a45a-b300-44e0-9e42-4d90950d210f", "file--57a8a45a-b300-44e0-9e42-4d90950d210f", "observed-data--57a8a45b-9d50-4d22-895c-46c3950d210f", "file--57a8a45b-9d50-4d22-895c-46c3950d210f", "observed-data--57a8a45c-7734-4db5-a521-40f7950d210f", "file--57a8a45c-7734-4db5-a521-40f7950d210f", "observed-data--57a8a45d-97b8-4c36-8556-4fa1950d210f", "file--57a8a45d-97b8-4c36-8556-4fa1950d210f", "observed-data--57a8a45d-293c-4c08-a322-446b950d210f", "file--57a8a45d-293c-4c08-a322-446b950d210f", "observed-data--57a8a484-d0dc-49a1-bf21-49e5950d210f", "file--57a8a484-d0dc-49a1-bf21-49e5950d210f", "observed-data--57a8a485-8cac-45ba-bf23-4848950d210f", "file--57a8a485-8cac-45ba-bf23-4848950d210f", "observed-data--57a8a485-9c5c-4f61-bb88-4f03950d210f", "file--57a8a485-9c5c-4f61-bb88-4f03950d210f", "observed-data--57a8a486-64d8-4b38-b3c5-4be2950d210f", 
"file--57a8a486-64d8-4b38-b3c5-4be2950d210f", "observed-data--57a8a486-4e48-4a24-b359-45ba950d210f", "file--57a8a486-4e48-4a24-b359-45ba950d210f", "observed-data--57a8a487-5f98-4495-90e0-4899950d210f", "file--57a8a487-5f98-4495-90e0-4899950d210f", "observed-data--57a8a488-cfe8-44df-a10c-4dc2950d210f", "file--57a8a488-cfe8-44df-a10c-4dc2950d210f", "observed-data--57a8a488-49b4-465c-9d07-457e950d210f", "file--57a8a488-49b4-465c-9d07-457e950d210f", "observed-data--57a8a488-40fc-482f-92c4-40a6950d210f", "file--57a8a488-40fc-482f-92c4-40a6950d210f", "observed-data--57a8a489-4918-4a19-a1b4-4e73950d210f", "file--57a8a489-4918-4a19-a1b4-4e73950d210f", "observed-data--57a8a48a-ac34-4aeb-8d74-410c950d210f", "file--57a8a48a-ac34-4aeb-8d74-410c950d210f", "observed-data--57a8a48a-085c-4c5d-97ad-4c28950d210f", "file--57a8a48a-085c-4c5d-97ad-4c28950d210f", "observed-data--57a8a48b-0e94-48d8-a006-4316950d210f", "file--57a8a48b-0e94-48d8-a006-4316950d210f", "observed-data--57a8a48c-8b98-40cb-993d-4537950d210f", "file--57a8a48c-8b98-40cb-993d-4537950d210f", "observed-data--57a8a48c-8ba8-4ef5-aebf-45e4950d210f", "file--57a8a48c-8ba8-4ef5-aebf-45e4950d210f", "observed-data--57a8a48d-5014-48e4-aaa8-4235950d210f", "file--57a8a48d-5014-48e4-aaa8-4235950d210f", "observed-data--57a8a48e-1c34-441d-b223-4f9d950d210f", "file--57a8a48e-1c34-441d-b223-4f9d950d210f", "observed-data--57a8a48f-3a70-4466-bd38-4fc8950d210f", "file--57a8a48f-3a70-4466-bd38-4fc8950d210f", "observed-data--57a8a490-9074-47bc-8296-4832950d210f", "file--57a8a490-9074-47bc-8296-4832950d210f", "observed-data--57a8a491-39dc-4243-98c3-499d950d210f", "file--57a8a491-39dc-4243-98c3-499d950d210f", "observed-data--57a8a491-8fe8-41e2-85e5-4f47950d210f", "file--57a8a491-8fe8-41e2-85e5-4f47950d210f", "observed-data--57a8a492-eb60-4411-8dd2-40dd950d210f", "file--57a8a492-eb60-4411-8dd2-40dd950d210f", "observed-data--57a8a493-aaf0-4222-a1e8-4efa950d210f", "file--57a8a493-aaf0-4222-a1e8-4efa950d210f", 
"observed-data--57a8a493-1c64-46fc-87d0-4fb4950d210f", "file--57a8a493-1c64-46fc-87d0-4fb4950d210f", "observed-data--57a8a494-fb04-49b7-adf8-48a4950d210f", "file--57a8a494-fb04-49b7-adf8-48a4950d210f", "observed-data--57a8a494-0c5c-40c3-bdc7-4e50950d210f", "file--57a8a494-0c5c-40c3-bdc7-4e50950d210f", "observed-data--57a8a495-bdf4-42e1-96fe-4248950d210f", "file--57a8a495-bdf4-42e1-96fe-4248950d210f", "observed-data--57a8a495-4708-4515-a23f-4a82950d210f", "file--57a8a495-4708-4515-a23f-4a82950d210f", "observed-data--57a8a496-8028-4a88-b531-4b5a950d210f", "file--57a8a496-8028-4a88-b531-4b5a950d210f", "observed-data--57a8a496-63ac-44ed-a6b0-4e17950d210f", "file--57a8a496-63ac-44ed-a6b0-4e17950d210f", "observed-data--57a8a497-7818-4541-a7ee-4740950d210f", "file--57a8a497-7818-4541-a7ee-4740950d210f", "observed-data--57a8a498-6830-4664-b527-4876950d210f", "file--57a8a498-6830-4664-b527-4876950d210f", "observed-data--57a8a498-5890-46b1-a70c-41c0950d210f", "file--57a8a498-5890-46b1-a70c-41c0950d210f", "observed-data--57a8a499-cf24-45ac-8a5d-4a17950d210f", "file--57a8a499-cf24-45ac-8a5d-4a17950d210f", "observed-data--57a8a499-b6b4-45b9-8c83-49e6950d210f", "file--57a8a499-b6b4-45b9-8c83-49e6950d210f", "observed-data--57a8a49a-384c-46ab-b757-4599950d210f", "file--57a8a49a-384c-46ab-b757-4599950d210f", "observed-data--57a8a49b-08e4-483b-afda-48af950d210f", "file--57a8a49b-08e4-483b-afda-48af950d210f", "observed-data--57a8a49c-b134-4f62-b7db-47f4950d210f", "file--57a8a49c-b134-4f62-b7db-47f4950d210f", "observed-data--57a8a49c-2e48-4b36-9a62-4615950d210f", "file--57a8a49c-2e48-4b36-9a62-4615950d210f", "observed-data--57a8a49d-7f90-4440-bd3c-48c0950d210f", "file--57a8a49d-7f90-4440-bd3c-48c0950d210f", "observed-data--57a8a49e-4354-4414-8de1-4e0b950d210f", "file--57a8a49e-4354-4414-8de1-4e0b950d210f", "observed-data--57a8a49e-c33c-459c-b702-418b950d210f", "file--57a8a49e-c33c-459c-b702-418b950d210f", "observed-data--57a8a49f-7890-4060-ade1-4a85950d210f", 
"file--57a8a49f-7890-4060-ade1-4a85950d210f", "observed-data--57a8a4a0-377c-4402-b4c4-4882950d210f", "file--57a8a4a0-377c-4402-b4c4-4882950d210f", "observed-data--57a8a4a0-d0f8-490b-9b4a-4d1e950d210f", "file--57a8a4a0-d0f8-490b-9b4a-4d1e950d210f", "observed-data--57a8a4c3-168c-46d3-adf8-4947950d210f", "file--57a8a4c3-168c-46d3-adf8-4947950d210f", "observed-data--57a8a4c4-9e00-4714-bc39-46cb950d210f", "file--57a8a4c4-9e00-4714-bc39-46cb950d210f", "observed-data--57a8a4c4-f6c0-4892-926d-43c3950d210f", "file--57a8a4c4-f6c0-4892-926d-43c3950d210f", "observed-data--57a8a4c4-f1a4-49fb-bd2a-4c60950d210f", "file--57a8a4c4-f1a4-49fb-bd2a-4c60950d210f", "observed-data--57a8a4c5-eefc-4946-ad46-4eda950d210f", "file--57a8a4c5-eefc-4946-ad46-4eda950d210f", "observed-data--57a8a4c5-ebd8-46f4-86c3-440e950d210f", "file--57a8a4c5-ebd8-46f4-86c3-440e950d210f", "observed-data--57a8a4c6-3534-48cb-af8b-479a950d210f", "file--57a8a4c6-3534-48cb-af8b-479a950d210f", "observed-data--57a8a4c6-f110-46a9-88bc-4755950d210f", "file--57a8a4c6-f110-46a9-88bc-4755950d210f", "observed-data--57a8a4c7-ce98-4274-ac8c-4c15950d210f", "file--57a8a4c7-ce98-4274-ac8c-4c15950d210f", "observed-data--57a8a4c7-927c-4e93-b286-4672950d210f", "file--57a8a4c7-927c-4e93-b286-4672950d210f", "observed-data--57a8a4c8-9bdc-4e78-81c4-4bed950d210f", "file--57a8a4c8-9bdc-4e78-81c4-4bed950d210f", "observed-data--57a8a4c8-4098-45f3-8f61-4e49950d210f", "file--57a8a4c8-4098-45f3-8f61-4e49950d210f", "observed-data--57a8a4c8-0648-4cef-ba13-4e12950d210f", "file--57a8a4c8-0648-4cef-ba13-4e12950d210f", "observed-data--57a8a4c9-126c-43da-b2d1-4eaa950d210f", "file--57a8a4c9-126c-43da-b2d1-4eaa950d210f", "observed-data--57a8a4c9-c724-4296-a7e1-4f17950d210f", "file--57a8a4c9-c724-4296-a7e1-4f17950d210f", "observed-data--57a8a4ca-b860-4371-9279-4a1d950d210f", "file--57a8a4ca-b860-4371-9279-4a1d950d210f", "observed-data--57a8a4cb-b800-4c34-a99e-43d0950d210f", "file--57a8a4cb-b800-4c34-a99e-43d0950d210f", 
"observed-data--57a8a4cb-b6c0-43d5-92b4-4f45950d210f", "file--57a8a4cb-b6c0-43d5-92b4-4f45950d210f", "indicator--57a8a4ee-9784-401d-8c39-4aa2950d210f", "indicator--57a8a4ee-0900-4a13-8e90-48b6950d210f", "indicator--57a8a4ef-9730-4c58-9bc8-4060950d210f", "indicator--57a8a50c-e9e0-45c4-ae0a-429d950d210f", "indicator--57a8a50c-8ad4-4ae5-a883-4f34950d210f", "indicator--57a8a50c-c138-441b-a39d-4bda950d210f", "indicator--57a8a50d-5f30-4aa9-9e0e-40a2950d210f", "indicator--57a8a50d-e268-4121-8751-4105950d210f", "indicator--57a8a50d-579c-417b-8e7e-4261950d210f", "indicator--57a8a50d-d800-4352-8026-4654950d210f", "indicator--57a8a50d-7b5c-4c34-b329-4455950d210f", "indicator--57a8a52b-0aa0-4cb4-8d4f-46d0950d210f", "indicator--57a8a52b-4324-4abf-8b2e-40a4950d210f", "indicator--57a8a52b-1d1c-4aa5-be23-4c05950d210f", "indicator--57a8a52b-a2d0-4c63-8ca6-4cf7950d210f", "indicator--57a8a52b-fb90-4710-8d3b-4176950d210f", "indicator--57a8a52c-271c-479c-b476-47b0950d210f", "indicator--57a8a52c-bf08-4f46-935f-427b950d210f", "indicator--57a8a566-a8a0-44eb-a50c-410b950d210f", "indicator--57a8a566-05c0-4081-9d34-427d950d210f", "indicator--57a8a566-5750-4112-ba32-4117950d210f", "indicator--57a8a582-2fb4-4601-886b-4ce3950d210f", "indicator--57a8a582-4128-4dc1-852e-4afb950d210f", "indicator--57a8a583-9f28-4ac4-a229-45f1950d210f", "indicator--57a8a583-44b8-486f-84de-4ac6950d210f", "indicator--57a8a583-0e2c-49a8-a42b-4b9e950d210f", "indicator--57a8a583-522c-4bea-a600-45f2950d210f", "indicator--57a8a5b4-4964-4d96-b178-464f950d210f", "indicator--57a8a5b4-7ef0-461d-ab19-498f950d210f", "indicator--57a8a5b4-8428-4e43-9d16-4d02950d210f", "indicator--57a8a5b4-84b8-4cc3-a65e-4a6b950d210f", "indicator--57a8a5b5-dbd4-4cc0-88d3-47fa950d210f", "indicator--57a8a5b5-7838-43bb-b368-4236950d210f", "indicator--57a8a5b5-bc5c-42bb-9e99-48a2950d210f", "indicator--57a8a5b5-ff18-4804-89ba-4408950d210f", "indicator--57a8a5b6-8b00-40f5-873c-4a93950d210f", "indicator--57a8a5e5-6e74-46f4-b589-4f78950d210f", 
"indicator--57a8a5e5-9c80-4be0-b7ba-450e950d210f", "indicator--57a8a5e5-88b8-479f-af85-42d9950d210f", "indicator--57a8a5e6-0f4c-49f7-8d3b-4d21950d210f", "indicator--57a8a5e6-cbcc-4dcb-b545-4eae950d210f", "indicator--57a8a5e6-ce00-4765-810a-4c45950d210f", "indicator--57a8a5e6-b174-4bec-a027-4a07950d210f", "indicator--57a8a5e6-ab10-4907-a487-441d950d210f", "indicator--57a8a5e7-1e14-4154-b889-44e8950d210f", "indicator--57a8a5e7-1104-4dfe-94f6-43a1950d210f", "indicator--57a8a5e7-79d0-4cce-ae6b-460c950d210f", "indicator--57a8a5e7-d4f0-4273-9749-4887950d210f", "indicator--57a8a5e8-d468-4c9f-96e2-4c8e950d210f", "indicator--57a8a5e8-460c-46d1-a8ec-4ec6950d210f", "indicator--57a8a5e8-ede0-44f3-981e-4d03950d210f", "indicator--57a8a5e8-e760-4363-8716-4307950d210f", "indicator--57a8a5e8-0af4-4382-9fc9-4603950d210f", "indicator--57a8a5e9-fdc8-4454-acd1-41c8950d210f", "indicator--57a8a5e9-51bc-451d-b486-49b7950d210f", "indicator--57a8a5f7-2804-4c51-903e-4165950d210f", "indicator--57a8a60c-ed58-4a51-8d2e-49f2950d210f", "indicator--57a8a60d-5cc8-41c5-81b2-4187950d210f", "indicator--57a8a60d-eb4c-402a-89e6-4bf4950d210f", "indicator--57a8a60d-a574-4cba-8963-4429950d210f", "indicator--57a8a60e-1074-4e8e-9638-4307950d210f", "indicator--57a8a60e-887c-4551-bb03-475f950d210f", "indicator--57a8a60f-a2e0-44e1-a9ea-467e950d210f", "indicator--57a8a60f-53cc-41cc-9cf4-4ab9950d210f", "indicator--57a8a610-3670-4531-8cdf-4e4a950d210f", "indicator--57a8a610-d524-4b34-9395-4ee5950d210f", "indicator--57a8a611-fa80-4e92-85d5-459e950d210f", "indicator--57a8a611-cf14-43e6-8da1-408a950d210f", "indicator--57a8a612-00b8-4efa-bd7a-4ce2950d210f", "indicator--57a8a612-56f0-4871-8006-43c2950d210f", "indicator--57a8a62a-6054-489b-b047-41fe950d210f", "indicator--57a8a683-34ec-4347-b378-444c02de0b81", "indicator--57a8a683-f430-48c2-978c-47ca02de0b81", "observed-data--57a8a684-2248-45f8-92cf-467802de0b81", "url--57a8a684-2248-45f8-92cf-467802de0b81", "indicator--57a8a684-c348-4d4a-9067-4a6602de0b81", 
"indicator--57a8a684-d100-42bd-9280-48ea02de0b81", "observed-data--57a8a685-4d20-45fe-ae77-469202de0b81", "url--57a8a685-4d20-45fe-ae77-469202de0b81", "indicator--57a8a685-acec-426a-9347-4fae02de0b81", "indicator--57a8a685-62ac-425b-a6b6-48a402de0b81", "observed-data--57a8a686-ff9c-49cd-ba0f-4c0202de0b81", "url--57a8a686-ff9c-49cd-ba0f-4c0202de0b81", "indicator--57a8a686-2d80-4f84-a87d-437802de0b81", "indicator--57a8a686-1b0c-4c9a-b4d2-47ab02de0b81", "observed-data--57a8a687-c41c-4e9a-be4d-40da02de0b81", "url--57a8a687-c41c-4e9a-be4d-40da02de0b81", "indicator--57a8a687-afb0-4346-9e09-453802de0b81", "indicator--57a8a687-1704-4209-afa1-441302de0b81", "observed-data--57a8a687-eb9c-46c4-ab81-494902de0b81", "url--57a8a687-eb9c-46c4-ab81-494902de0b81", "indicator--57a8a687-e038-4a22-89d3-41b202de0b81", "indicator--57a8a688-6df0-4a01-a58f-45d402de0b81", "observed-data--57a8a688-e6c8-44aa-b015-489502de0b81", "url--57a8a688-e6c8-44aa-b015-489502de0b81", "indicator--57a8a688-e528-41ab-8076-4ca602de0b81", "indicator--57a8a688-e504-423f-b5ce-4cc902de0b81", "observed-data--57a8a688-b510-4581-a81f-459402de0b81", "url--57a8a688-b510-4581-a81f-459402de0b81", "indicator--57a8a689-63e8-495c-832a-423702de0b81", "indicator--57a8a689-dde4-4102-9968-455d02de0b81", "observed-data--57a8a689-beb4-4d52-a184-4d9b02de0b81", "url--57a8a689-beb4-4d52-a184-4d9b02de0b81", "indicator--57a8a689-1c2c-4faf-bb9e-424202de0b81", "indicator--57a8a689-0504-4019-b091-453002de0b81", "observed-data--57a8a68a-2e50-4611-bfed-466002de0b81", "url--57a8a68a-2e50-4611-bfed-466002de0b81", "indicator--57a8a68a-f2d4-453e-907e-479c02de0b81", "indicator--57a8a68a-dfc0-417f-a182-405d02de0b81", "observed-data--57a8a68a-42e4-4460-9b0c-469e02de0b81", "url--57a8a68a-42e4-4460-9b0c-469e02de0b81", "observed-data--57a8a5e3-9984-4f4e-97f8-4920950d210f", "url--57a8a5e3-9984-4f4e-97f8-4920950d210f", "observed-data--57a8a5e4-a59c-4970-bdb3-46d0950d210f", "url--57a8a5e4-a59c-4970-bdb3-46d0950d210f", 
"observed-data--57a8a5e4-62f4-4031-9887-4710950d210f", "url--57a8a5e4-62f4-4031-9887-4710950d210f", "observed-data--57a8a5e4-1260-4e62-b71a-41ea950d210f", "url--57a8a5e4-1260-4e62-b71a-41ea950d210f", "observed-data--57a8a5e4-51f8-4491-82ae-4edb950d210f", "url--57a8a5e4-51f8-4491-82ae-4edb950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--57a8a31b-1ab4-445e-8ffc-42ed950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:19:55.000Z", "modified": "2016-08-08T15:19:55.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Over the last few years, the number of \u201cAPT-related\u201d incidents described in the media has grown significantly. For many of these, though, the designation \u201cAPT\u201d, indicating an \u201cAdvanced Persistent Threat\u201d, is usually an exaggeration. With some notable exceptions, few of the threat actors usually described in the media are advanced. These exceptions, which in our opinion represent the pinnacle of cyberespionage tools: the truly \u201cadvanced\u201d threat actors out there, are Equation, Regin, Duqu or Careto. Another such an exceptional espionage platform is \u201cProjectSauron\u201d, also known as \u201cStrider\u201d.\r\n\r\nWhat differentiates a truly advanced threat actor from a wannabe APT? 
Here are a few features that characterize the \u2018top\u2019 cyberespionage groups:\r\n\r\n The use of zero day exploits\r\n Unknown, never identified infection vectors\r\n Have compromised multiple government organizations in several countries\r\n Have successfully stolen information for many years before being discovered\r\n Have the ability to steal information from air gapped networks\r\n Support multiple covert exfiltration channels on various protocols\r\n Malware modules which can exist only in memory without touching the disk\r\n Unusual persistence techniques which sometime use undocumented OS features\r\n\r\n\u201cProjectSauron\u201d easily covers many of these points." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a37c-d830-44db-8b0d-440f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:21:32.000Z", "modified": "2016-08-08T15:21:32.000Z", "description": "C2", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.78.64.121']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:21:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a37c-43f0-47ef-af72-45e4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:21:32.000Z", "modified": "2016-08-08T15:21:32.000Z", "description": "C2", "pattern": "[domain-name:value = 'rapidcomments.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:21:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", 
"misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a37c-5cc8-44ea-bdab-4fbe950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:21:32.000Z", "modified": "2016-08-08T15:21:32.000Z", "description": "C2", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '81.4.108.168']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:21:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a37c-a654-4f67-ac1a-4b92950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:21:32.000Z", "modified": "2016-08-08T15:21:32.000Z", "description": "C2", "pattern": "[domain-name:value = 'bikessport.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:21:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a37c-ef9c-4184-a106-4d7c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:21:32.000Z", "modified": "2016-08-08T15:21:32.000Z", "description": "C2", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '178.211.40.117']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:21:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": 
"indicator", "spec_version": "2.1", "id": "indicator--57a8a37d-3eec-42d3-9d19-487a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:21:33.000Z", "modified": "2016-08-08T15:21:33.000Z", "description": "C2", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.9.242.188']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:21:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a37d-3b68-48c3-8ced-439d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:21:33.000Z", "modified": "2016-08-08T15:21:33.000Z", "description": "C2", "pattern": "[domain-name:value = 'www.myhomemusic.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:21:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a37d-b9c4-441f-b570-413a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:21:33.000Z", "modified": "2016-08-08T15:21:33.000Z", "description": "C2", "pattern": "[domain-name:value = 'flowershop22.110mb.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:21:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--57a8a37d-75a8-49d3-b70d-4e78950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:21:33.000Z", "modified": "2016-08-08T15:21:33.000Z", "description": "C2", "pattern": "[domain-name:value = 'wildhorses.awardspace.info']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:21:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a37d-d8d0-42d1-8d8c-4d5d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:21:33.000Z", "modified": "2016-08-08T15:21:33.000Z", "description": "C2", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '217.160.176.157']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:21:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a37e-8a58-4d43-a601-4fd8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:21:34.000Z", "modified": "2016-08-08T15:21:34.000Z", "description": "C2", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.196.206.166']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:21:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": 
"x-misp-attribute--57a8a3d4-80cc-4315-8f13-420f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:23:10.000Z", "modified": "2016-08-08T15:23:10.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ], "x_misp_category": "Network activity", "x_misp_comment": "Mask/regexp", "x_misp_type": "text", "x_misp_value": "sx4-ws42*.yi[.]org \r\nuz%d.weedns[.]com\r\nwe%d.q.tcow[.]eu" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--57a8a3fc-93c4-4177-886f-4144950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:23:40.000Z", "modified": "2016-08-08T15:23:40.000Z", "labels": [ "misp:type=\"pattern-in-memory\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ], "x_misp_category": "Artifacts dropped", "x_misp_type": "pattern-in-memory", "x_misp_value": "EFEB0A9C6ABA4CF5958F41DB6A31929776C643DEDC65CC9B67AB8B0066FF2492" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a451-289c-4a68-8104-4713950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:05.000Z", "modified": "2016-08-08T15:25:05.000Z", "first_observed": "2016-08-08T15:25:05Z", "last_observed": "2016-08-08T15:25:05Z", "number_observed": 1, "object_refs": [ "file--57a8a451-289c-4a68-8104-4713950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a451-289c-4a68-8104-4713950d210f", "name": "%System%\\rpchlpr.exe" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a452-fb14-454e-8ade-4a7f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:06.000Z", "modified": "2016-08-08T15:25:06.000Z", "first_observed": "2016-08-08T15:25:06Z", "last_observed": "2016-08-08T15:25:06Z", 
"number_observed": 1, "object_refs": [ "file--57a8a452-fb14-454e-8ade-4a7f950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a452-fb14-454e-8ade-4a7f950d210f", "name": "%System%\\symnet32.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a452-7e70-44ee-b281-49f7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:06.000Z", "modified": "2016-08-08T15:25:06.000Z", "first_observed": "2016-08-08T15:25:06Z", "last_observed": "2016-08-08T15:25:06Z", "number_observed": 1, "object_refs": [ "file--57a8a452-7e70-44ee-b281-49f7950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a452-7e70-44ee-b281-49f7950d210f", "name": "%System%\\rdiskman.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a452-5ecc-482c-b94d-4076950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:06.000Z", "modified": "2016-08-08T15:25:06.000Z", "first_observed": "2016-08-08T15:25:06Z", "last_observed": "2016-08-08T15:25:06Z", "number_observed": 1, "object_refs": [ "file--57a8a452-5ecc-482c-b94d-4076950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a452-5ecc-482c-b94d-4076950d210f", "name": "%System%\\rseceng.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a453-493c-41b5-93ad-4ce8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:07.000Z", "modified": "2016-08-08T15:25:07.000Z", "first_observed": "2016-08-08T15:25:07Z", "last_observed": "2016-08-08T15:25:07Z", "number_observed": 1, "object_refs": [ "file--57a8a453-493c-41b5-93ad-4ce8950d210f" ], 
"labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a453-493c-41b5-93ad-4ce8950d210f", "name": "%System%\\msprtssp.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a453-65a4-4378-9100-4003950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:07.000Z", "modified": "2016-08-08T15:25:07.000Z", "first_observed": "2016-08-08T15:25:07Z", "last_observed": "2016-08-08T15:25:07Z", "number_observed": 1, "object_refs": [ "file--57a8a453-65a4-4378-9100-4003950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a453-65a4-4378-9100-4003950d210f", "name": "%System%\\ncompc.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a454-0748-4119-a55c-4b1e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:08.000Z", "modified": "2016-08-08T15:25:08.000Z", "first_observed": "2016-08-08T15:25:08Z", "last_observed": "2016-08-08T15:25:08Z", "number_observed": 1, "object_refs": [ "file--57a8a454-0748-4119-a55c-4b1e950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a454-0748-4119-a55c-4b1e950d210f", "name": "%System%\\rdeskm.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a454-2c08-4de7-b772-4c03950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:08.000Z", "modified": "2016-08-08T15:25:08.000Z", "first_observed": "2016-08-08T15:25:08Z", "last_observed": "2016-08-08T15:25:08Z", "number_observed": 1, "object_refs": [ "file--57a8a454-2c08-4de7-b772-4c03950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { 
"type": "file", "spec_version": "2.1", "id": "file--57a8a454-2c08-4de7-b772-4c03950d210f", "name": "%System%\\dpsf.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a455-0a60-41d8-9b5b-4c18950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:09.000Z", "modified": "2016-08-08T15:25:09.000Z", "first_observed": "2016-08-08T15:25:09Z", "last_observed": "2016-08-08T15:25:09Z", "number_observed": 1, "object_refs": [ "file--57a8a455-0a60-41d8-9b5b-4c18950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a455-0a60-41d8-9b5b-4c18950d210f", "name": "%System%\\nsecf.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a455-daa8-48e4-acd4-4f33950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:09.000Z", "modified": "2016-08-08T15:25:09.000Z", "first_observed": "2016-08-08T15:25:09Z", "last_observed": "2016-08-08T15:25:09Z", "number_observed": 1, "object_refs": [ "file--57a8a455-daa8-48e4-acd4-4f33950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a455-daa8-48e4-acd4-4f33950d210f", "name": "%System%\\rdesk.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a456-dce0-47ac-afb1-4df3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:10.000Z", "modified": "2016-08-08T15:25:10.000Z", "first_observed": "2016-08-08T15:25:10Z", "last_observed": "2016-08-08T15:25:10Z", "number_observed": 1, "object_refs": [ "file--57a8a456-dce0-47ac-afb1-4df3950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a456-dce0-47ac-afb1-4df3950d210f", 
"name": "%System%\\dpsloc.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a457-dea4-4230-bbca-429e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:11.000Z", "modified": "2016-08-08T15:25:11.000Z", "first_observed": "2016-08-08T15:25:11Z", "last_observed": "2016-08-08T15:25:11Z", "number_observed": 1, "object_refs": [ "file--57a8a457-dea4-4230-bbca-429e950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a457-dea4-4230-bbca-429e950d210f", "name": "%System%\\ddeskm.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a458-5b48-4a30-80b2-4844950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:12.000Z", "modified": "2016-08-08T15:25:12.000Z", "first_observed": "2016-08-08T15:25:12Z", "last_observed": "2016-08-08T15:25:12Z", "number_observed": 1, "object_refs": [ "file--57a8a458-5b48-4a30-80b2-4844950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a458-5b48-4a30-80b2-4844950d210f", "name": "%System%\\rdisksup.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a459-8638-4b90-a139-4cfd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:13.000Z", "modified": "2016-08-08T15:25:13.000Z", "first_observed": "2016-08-08T15:25:13Z", "last_observed": "2016-08-08T15:25:13Z", "number_observed": 1, "object_refs": [ "file--57a8a459-8638-4b90-a139-4cfd950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a459-8638-4b90-a139-4cfd950d210f", "name": "%System%\\rcompf.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": 
"observed-data--57a8a45a-3ab8-4fdd-8857-4e53950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:14.000Z", "modified": "2016-08-08T15:25:14.000Z", "first_observed": "2016-08-08T15:25:14Z", "last_observed": "2016-08-08T15:25:14Z", "number_observed": 1, "object_refs": [ "file--57a8a45a-3ab8-4fdd-8857-4e53950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a45a-3ab8-4fdd-8857-4e53950d210f", "name": "%System%\\ncompsup.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a45a-1640-4725-971d-48aa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:14.000Z", "modified": "2016-08-08T15:25:14.000Z", "first_observed": "2016-08-08T15:25:14Z", "last_observed": "2016-08-08T15:25:14Z", "number_observed": 1, "object_refs": [ "file--57a8a45a-1640-4725-971d-48aa950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a45a-1640-4725-971d-48aa950d210f", "name": "%System%\\rdiskf.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a45a-b300-44e0-9e42-4d90950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:14.000Z", "modified": "2016-08-08T15:25:14.000Z", "first_observed": "2016-08-08T15:25:14Z", "last_observed": "2016-08-08T15:25:14Z", "number_observed": 1, "object_refs": [ "file--57a8a45a-b300-44e0-9e42-4d90950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a45a-b300-44e0-9e42-4d90950d210f", "name": "%System%\\iseceng.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a45b-9d50-4d22-895c-46c3950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:15.000Z", "modified": "2016-08-08T15:25:15.000Z", "first_observed": "2016-08-08T15:25:15Z", "last_observed": "2016-08-08T15:25:15Z", "number_observed": 1, "object_refs": [ "file--57a8a45b-9d50-4d22-895c-46c3950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a45b-9d50-4d22-895c-46c3950d210f", "name": "%System%\\msasspc.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a45c-7734-4db5-a521-40f7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:16.000Z", "modified": "2016-08-08T15:25:16.000Z", "first_observed": "2016-08-08T15:25:16Z", "last_observed": "2016-08-08T15:25:16Z", "number_observed": 1, "object_refs": [ "file--57a8a45c-7734-4db5-a521-40f7950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a45c-7734-4db5-a521-40f7950d210f", "name": "%System%\\wpsloc.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a45d-97b8-4c36-8556-4fa1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:17.000Z", "modified": "2016-08-08T15:25:17.000Z", "first_observed": "2016-08-08T15:25:17Z", "last_observed": "2016-08-08T15:25:17Z", "number_observed": 1, "object_refs": [ "file--57a8a45d-97b8-4c36-8556-4fa1950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a45d-97b8-4c36-8556-4fa1950d210f", "name": "%System%\\wpackpwf.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a45d-293c-4c08-a322-446b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:17.000Z", 
"modified": "2016-08-08T15:25:17.000Z", "first_observed": "2016-08-08T15:25:17Z", "last_observed": "2016-08-08T15:25:17Z", "number_observed": 1, "object_refs": [ "file--57a8a45d-293c-4c08-a322-446b950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a45d-293c-4c08-a322-446b950d210f", "name": "%System%\\rcnfm.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a484-d0dc-49a1-bf21-49e5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:56.000Z", "modified": "2016-08-08T15:25:56.000Z", "first_observed": "2016-08-08T15:25:56Z", "last_observed": "2016-08-08T15:25:56Z", "number_observed": 1, "object_refs": [ "file--57a8a484-d0dc-49a1-bf21-49e5950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a484-d0dc-49a1-bf21-49e5950d210f", "name": "%Temp%\\kavupdate.exe" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a485-8cac-45ba-bf23-4848950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:57.000Z", "modified": "2016-08-08T15:25:57.000Z", "first_observed": "2016-08-08T15:25:57Z", "last_observed": "2016-08-08T15:25:57Z", "number_observed": 1, "object_refs": [ "file--57a8a485-8cac-45ba-bf23-4848950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a485-8cac-45ba-bf23-4848950d210f", "name": "%Temp%\\kavupd.exe" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a485-9c5c-4f61-bb88-4f03950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:57.000Z", "modified": "2016-08-08T15:25:57.000Z", "first_observed": "2016-08-08T15:25:57Z", 
"last_observed": "2016-08-08T15:25:57Z", "number_observed": 1, "object_refs": [ "file--57a8a485-9c5c-4f61-bb88-4f03950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a485-9c5c-4f61-bb88-4f03950d210f", "name": "%Temp%\\klnupd.exe" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a486-64d8-4b38-b3c5-4be2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:58.000Z", "modified": "2016-08-08T15:25:58.000Z", "first_observed": "2016-08-08T15:25:58Z", "last_observed": "2016-08-08T15:25:58Z", "number_observed": 1, "object_refs": [ "file--57a8a486-64d8-4b38-b3c5-4be2950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a486-64d8-4b38-b3c5-4be2950d210f", "name": "%System%\\hptcpprnt.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a486-4e48-4a24-b359-45ba950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:58.000Z", "modified": "2016-08-08T15:25:58.000Z", "first_observed": "2016-08-08T15:25:58Z", "last_observed": "2016-08-08T15:25:58Z", "number_observed": 1, "object_refs": [ "file--57a8a486-4e48-4a24-b359-45ba950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a486-4e48-4a24-b359-45ba950d210f", "name": "%System%\\rdeskf.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a487-5f98-4495-90e0-4899950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:25:59.000Z", "modified": "2016-08-08T15:25:59.000Z", "first_observed": "2016-08-08T15:25:59Z", "last_observed": "2016-08-08T15:25:59Z", "number_observed": 1, "object_refs": [ 
"file--57a8a487-5f98-4495-90e0-4899950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a487-5f98-4495-90e0-4899950d210f", "name": "%System%\\ncnfloc.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a488-cfe8-44df-a10c-4dc2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:00.000Z", "modified": "2016-08-08T15:26:00.000Z", "first_observed": "2016-08-08T15:26:00Z", "last_observed": "2016-08-08T15:26:00Z", "number_observed": 1, "object_refs": [ "file--57a8a488-cfe8-44df-a10c-4dc2950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a488-cfe8-44df-a10c-4dc2950d210f", "name": "%System%\\msaosspc.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a488-49b4-465c-9d07-457e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:00.000Z", "modified": "2016-08-08T15:26:00.000Z", "first_observed": "2016-08-08T15:26:00Z", "last_observed": "2016-08-08T15:26:00Z", "number_observed": 1, "object_refs": [ "file--57a8a488-49b4-465c-9d07-457e950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a488-49b4-465c-9d07-457e950d210f", "name": "%System%\\ndiskloc.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a488-40fc-482f-92c4-40a6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:00.000Z", "modified": "2016-08-08T15:26:00.000Z", "first_observed": "2016-08-08T15:26:00Z", "last_observed": "2016-08-08T15:26:00Z", "number_observed": 1, "object_refs": [ "file--57a8a488-40fc-482f-92c4-40a6950d210f" ], "labels": [ "misp:type=\"filename\"", 
"misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a488-40fc-482f-92c4-40a6950d210f", "name": "%System%\\mperfcl.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a489-4918-4a19-a1b4-4e73950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:01.000Z", "modified": "2016-08-08T15:26:01.000Z", "first_observed": "2016-08-08T15:26:01Z", "last_observed": "2016-08-08T15:26:01Z", "number_observed": 1, "object_refs": [ "file--57a8a489-4918-4a19-a1b4-4e73950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a489-4918-4a19-a1b4-4e73950d210f", "name": "%System%\\polsec.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a48a-ac34-4aeb-8d74-410c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:02.000Z", "modified": "2016-08-08T15:26:02.000Z", "first_observed": "2016-08-08T15:26:02Z", "last_observed": "2016-08-08T15:26:02Z", "number_observed": 1, "object_refs": [ "file--57a8a48a-ac34-4aeb-8d74-410c950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a48a-ac34-4aeb-8d74-410c950d210f", "name": "%System%\\sxsmgrkbd.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a48a-085c-4c5d-97ad-4c28950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:02.000Z", "modified": "2016-08-08T15:26:02.000Z", "first_observed": "2016-08-08T15:26:02Z", "last_observed": "2016-08-08T15:26:02Z", "number_observed": 1, "object_refs": [ "file--57a8a48a-085c-4c5d-97ad-4c28950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", 
"id": "file--57a8a48a-085c-4c5d-97ad-4c28950d210f", "name": "%System%\\cfgbaseprt.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a48b-0e94-48d8-a006-4316950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:03.000Z", "modified": "2016-08-08T15:26:03.000Z", "first_observed": "2016-08-08T15:26:03Z", "last_observed": "2016-08-08T15:26:03Z", "number_observed": 1, "object_refs": [ "file--57a8a48b-0e94-48d8-a006-4316950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a48b-0e94-48d8-a006-4316950d210f", "name": "%System%\\seccertapi.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a48c-8b98-40cb-993d-4537950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:04.000Z", "modified": "2016-08-08T15:26:04.000Z", "first_observed": "2016-08-08T15:26:04Z", "last_observed": "2016-08-08T15:26:04Z", "number_observed": 1, "object_refs": [ "file--57a8a48c-8b98-40cb-993d-4537950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a48c-8b98-40cb-993d-4537950d210f", "name": "%System%\\krbsec.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a48c-8ba8-4ef5-aebf-45e4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:04.000Z", "modified": "2016-08-08T15:26:04.000Z", "first_observed": "2016-08-08T15:26:04Z", "last_observed": "2016-08-08T15:26:04Z", "number_observed": 1, "object_refs": [ "file--57a8a48c-8ba8-4ef5-aebf-45e4950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a48c-8ba8-4ef5-aebf-45e4950d210f", "name": "%System%\\prnpapi.dll" 
}, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a48d-5014-48e4-aaa8-4235950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:05.000Z", "modified": "2016-08-08T15:26:05.000Z", "first_observed": "2016-08-08T15:26:05Z", "last_observed": "2016-08-08T15:26:05Z", "number_observed": 1, "object_refs": [ "file--57a8a48d-5014-48e4-aaa8-4235950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a48d-5014-48e4-aaa8-4235950d210f", "name": "%System%\\ndisk.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a48e-1c34-441d-b223-4f9d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:06.000Z", "modified": "2016-08-08T15:26:06.000Z", "first_observed": "2016-08-08T15:26:06Z", "last_observed": "2016-08-08T15:26:06Z", "number_observed": 1, "object_refs": [ "file--57a8a48e-1c34-441d-b223-4f9d950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a48e-1c34-441d-b223-4f9d950d210f", "name": "%System%\\ndisksup.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a48f-3a70-4466-bd38-4fc8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:07.000Z", "modified": "2016-08-08T15:26:07.000Z", "first_observed": "2016-08-08T15:26:07Z", "last_observed": "2016-08-08T15:26:07Z", "number_observed": 1, "object_refs": [ "file--57a8a48f-3a70-4466-bd38-4fc8950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a48f-3a70-4466-bd38-4fc8950d210f", "name": "%System%\\rdiskloc.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": 
"observed-data--57a8a490-9074-47bc-8296-4832950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:08.000Z", "modified": "2016-08-08T15:26:08.000Z", "first_observed": "2016-08-08T15:26:08Z", "last_observed": "2016-08-08T15:26:08Z", "number_observed": 1, "object_refs": [ "file--57a8a490-9074-47bc-8296-4832950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a490-9074-47bc-8296-4832950d210f", "name": "%System%\\pngmon.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a491-39dc-4243-98c3-499d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:09.000Z", "modified": "2016-08-08T15:26:09.000Z", "first_observed": "2016-08-08T15:26:09Z", "last_observed": "2016-08-08T15:26:09Z", "number_observed": 1, "object_refs": [ "file--57a8a491-39dc-4243-98c3-499d950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a491-39dc-4243-98c3-499d950d210f", "name": "%System%\\kavsec64.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a491-8fe8-41e2-85e5-4f47950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:09.000Z", "modified": "2016-08-08T15:26:09.000Z", "first_observed": "2016-08-08T15:26:09Z", "last_observed": "2016-08-08T15:26:09Z", "number_observed": 1, "object_refs": [ "file--57a8a491-8fe8-41e2-85e5-4f47950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a491-8fe8-41e2-85e5-4f47950d210f", "name": "%System%\\wlseccomm.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a492-eb60-4411-8dd2-40dd950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:10.000Z", "modified": "2016-08-08T15:26:10.000Z", "first_observed": "2016-08-08T15:26:10Z", "last_observed": "2016-08-08T15:26:10Z", "number_observed": 1, "object_refs": [ "file--57a8a492-eb60-4411-8dd2-40dd950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a492-eb60-4411-8dd2-40dd950d210f", "name": "%System%\\rcnfsys.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a493-aaf0-4222-a1e8-4efa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:11.000Z", "modified": "2016-08-08T15:26:11.000Z", "first_observed": "2016-08-08T15:26:11Z", "last_observed": "2016-08-08T15:26:11Z", "number_observed": 1, "object_refs": [ "file--57a8a493-aaf0-4222-a1e8-4efa950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a493-aaf0-4222-a1e8-4efa950d210f", "name": "%System%\\wpackshim.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a493-1c64-46fc-87d0-4fb4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:11.000Z", "modified": "2016-08-08T15:26:11.000Z", "first_observed": "2016-08-08T15:26:11Z", "last_observed": "2016-08-08T15:26:11Z", "number_observed": 1, "object_refs": [ "file--57a8a493-1c64-46fc-87d0-4fb4950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a493-1c64-46fc-87d0-4fb4950d210f", "name": "%System%\\ncnfsys.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a494-fb04-49b7-adf8-48a4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2016-08-08T15:26:12.000Z", "modified": "2016-08-08T15:26:12.000Z", "first_observed": "2016-08-08T15:26:12Z", "last_observed": "2016-08-08T15:26:12Z", "number_observed": 1, "object_refs": [ "file--57a8a494-fb04-49b7-adf8-48a4950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a494-fb04-49b7-adf8-48a4950d210f", "name": "%System%\\sxsapifeed.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a494-0c5c-40c3-bdc7-4e50950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:12.000Z", "modified": "2016-08-08T15:26:12.000Z", "first_observed": "2016-08-08T15:26:12Z", "last_observed": "2016-08-08T15:26:12Z", "number_observed": 1, "object_refs": [ "file--57a8a494-0c5c-40c3-bdc7-4e50950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a494-0c5c-40c3-bdc7-4e50950d210f", "name": "%System%\\wmupdsvc.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a495-bdf4-42e1-96fe-4248950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:13.000Z", "modified": "2016-08-08T15:26:13.000Z", "first_observed": "2016-08-08T15:26:13Z", "last_observed": "2016-08-08T15:26:13Z", "number_observed": 1, "object_refs": [ "file--57a8a495-bdf4-42e1-96fe-4248950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a495-bdf4-42e1-96fe-4248950d210f", "name": "%System%\\compc.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a495-4708-4515-a23f-4a82950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:13.000Z", "modified": "2016-08-08T15:26:13.000Z", "first_observed": 
"2016-08-08T15:26:13Z", "last_observed": "2016-08-08T15:26:13Z", "number_observed": 1, "object_refs": [ "file--57a8a495-4708-4515-a23f-4a82950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a495-4708-4515-a23f-4a82950d210f", "name": "%System%\\compman.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a496-8028-4a88-b531-4b5a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:14.000Z", "modified": "2016-08-08T15:26:14.000Z", "first_observed": "2016-08-08T15:26:14Z", "last_observed": "2016-08-08T15:26:14Z", "number_observed": 1, "object_refs": [ "file--57a8a496-8028-4a88-b531-4b5a950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a496-8028-4a88-b531-4b5a950d210f", "name": "%System%\\cnfsys.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a496-63ac-44ed-a6b0-4e17950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:14.000Z", "modified": "2016-08-08T15:26:14.000Z", "first_observed": "2016-08-08T15:26:14Z", "last_observed": "2016-08-08T15:26:14Z", "number_observed": 1, "object_refs": [ "file--57a8a496-63ac-44ed-a6b0-4e17950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a496-63ac-44ed-a6b0-4e17950d210f", "name": "%System%\\isecf.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a497-7818-4541-a7ee-4740950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:15.000Z", "modified": "2016-08-08T15:26:15.000Z", "first_observed": "2016-08-08T15:26:15Z", "last_observed": "2016-08-08T15:26:15Z", "number_observed": 1, 
"object_refs": [ "file--57a8a497-7818-4541-a7ee-4740950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a497-7818-4541-a7ee-4740950d210f", "name": "%System%\\klsec.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a498-6830-4664-b527-4876950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:16.000Z", "modified": "2016-08-08T15:26:16.000Z", "first_observed": "2016-08-08T15:26:16Z", "last_observed": "2016-08-08T15:26:16Z", "number_observed": 1, "object_refs": [ "file--57a8a498-6830-4664-b527-4876950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a498-6830-4664-b527-4876950d210f", "name": "%System%\\nagent.exe" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a498-5890-46b1-a70c-41c0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:16.000Z", "modified": "2016-08-08T15:26:16.000Z", "first_observed": "2016-08-08T15:26:16Z", "last_observed": "2016-08-08T15:26:16Z", "number_observed": 1, "object_refs": [ "file--57a8a498-5890-46b1-a70c-41c0950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a498-5890-46b1-a70c-41c0950d210f", "name": "%System%\\rpsf.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a499-cf24-45ac-8a5d-4a17950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:17.000Z", "modified": "2016-08-08T15:26:17.000Z", "first_observed": "2016-08-08T15:26:17Z", "last_observed": "2016-08-08T15:26:17Z", "number_observed": 1, "object_refs": [ "file--57a8a499-cf24-45ac-8a5d-4a17950d210f" ], "labels": [ 
"misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a499-cf24-45ac-8a5d-4a17950d210f", "name": "%System%\\tv_prntx64.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a499-b6b4-45b9-8c83-49e6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:17.000Z", "modified": "2016-08-08T15:26:17.000Z", "first_observed": "2016-08-08T15:26:17Z", "last_observed": "2016-08-08T15:26:17Z", "number_observed": 1, "object_refs": [ "file--57a8a499-b6b4-45b9-8c83-49e6950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a499-b6b4-45b9-8c83-49e6950d210f", "name": "%System%\\wdesksys.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a49a-384c-46ab-b757-4599950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:18.000Z", "modified": "2016-08-08T15:26:18.000Z", "first_observed": "2016-08-08T15:26:18Z", "last_observed": "2016-08-08T15:26:18Z", "number_observed": 1, "object_refs": [ "file--57a8a49a-384c-46ab-b757-4599950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a49a-384c-46ab-b757-4599950d210f", "name": "%System%\\dsecc.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a49b-08e4-483b-afda-48af950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:19.000Z", "modified": "2016-08-08T15:26:19.000Z", "first_observed": "2016-08-08T15:26:19Z", "last_observed": "2016-08-08T15:26:19Z", "number_observed": 1, "object_refs": [ "file--57a8a49b-08e4-483b-afda-48af950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", 
"spec_version": "2.1", "id": "file--57a8a49b-08e4-483b-afda-48af950d210f", "name": "%System%\\dcompf.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a49c-b134-4f62-b7db-47f4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:19.000Z", "modified": "2016-08-08T15:26:19.000Z", "first_observed": "2016-08-08T15:26:19Z", "last_observed": "2016-08-08T15:26:19Z", "number_observed": 1, "object_refs": [ "file--57a8a49c-b134-4f62-b7db-47f4950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a49c-b134-4f62-b7db-47f4950d210f", "name": "%System%\\dsecman.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a49c-2e48-4b36-9a62-4615950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:20.000Z", "modified": "2016-08-08T15:26:20.000Z", "first_observed": "2016-08-08T15:26:20Z", "last_observed": "2016-08-08T15:26:20Z", "number_observed": 1, "object_refs": [ "file--57a8a49c-2e48-4b36-9a62-4615950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a49c-2e48-4b36-9a62-4615950d210f", "name": "%System%\\isecc.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a49d-7f90-4440-bd3c-48c0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:21.000Z", "modified": "2016-08-08T15:26:21.000Z", "first_observed": "2016-08-08T15:26:21Z", "last_observed": "2016-08-08T15:26:21Z", "number_observed": 1, "object_refs": [ "file--57a8a49d-7f90-4440-bd3c-48c0950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a49d-7f90-4440-bd3c-48c0950d210f", "name": 
"%System%\\rcompc.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a49e-4354-4414-8de1-4e0b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:22.000Z", "modified": "2016-08-08T15:26:22.000Z", "first_observed": "2016-08-08T15:26:22Z", "last_observed": "2016-08-08T15:26:22Z", "number_observed": 1, "object_refs": [ "file--57a8a49e-4354-4414-8de1-4e0b950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a49e-4354-4414-8de1-4e0b950d210f", "name": "%System%\\rcnfloc.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a49e-c33c-459c-b702-418b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:22.000Z", "modified": "2016-08-08T15:26:22.000Z", "first_observed": "2016-08-08T15:26:22Z", "last_observed": "2016-08-08T15:26:22Z", "number_observed": 1, "object_refs": [ "file--57a8a49e-c33c-459c-b702-418b950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a49e-c33c-459c-b702-418b950d210f", "name": "%System%\\rdisk.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a49f-7890-4060-ade1-4a85950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:23.000Z", "modified": "2016-08-08T15:26:23.000Z", "first_observed": "2016-08-08T15:26:23Z", "last_observed": "2016-08-08T15:26:23Z", "number_observed": 1, "object_refs": [ "file--57a8a49f-7890-4060-ade1-4a85950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a49f-7890-4060-ade1-4a85950d210f", "name": "%System%\\dcompman.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": 
"observed-data--57a8a4a0-377c-4402-b4c4-4882950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:24.000Z", "modified": "2016-08-08T15:26:24.000Z", "first_observed": "2016-08-08T15:26:24Z", "last_observed": "2016-08-08T15:26:24Z", "number_observed": 1, "object_refs": [ "file--57a8a4a0-377c-4402-b4c4-4882950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a4a0-377c-4402-b4c4-4882950d210f", "name": "%System%\\npsloc.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a4a0-d0f8-490b-9b4a-4d1e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:24.000Z", "modified": "2016-08-08T15:26:24.000Z", "first_observed": "2016-08-08T15:26:24Z", "last_observed": "2016-08-08T15:26:24Z", "number_observed": 1, "object_refs": [ "file--57a8a4a0-d0f8-490b-9b4a-4d1e950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a4a0-d0f8-490b-9b4a-4d1e950d210f", "name": "%System%\\nsecc.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a4c3-168c-46d3-adf8-4947950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:26:59.000Z", "modified": "2016-08-08T15:26:59.000Z", "first_observed": "2016-08-08T15:26:59Z", "last_observed": "2016-08-08T15:26:59Z", "number_observed": 1, "object_refs": [ "file--57a8a4c3-168c-46d3-adf8-4947950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a4c3-168c-46d3-adf8-4947950d210f", "name": "%System%\\wcprts32.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a4c4-9e00-4714-bc39-46cb950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:27:00.000Z", "modified": "2016-08-08T15:27:00.000Z", "first_observed": "2016-08-08T15:27:00Z", "last_observed": "2016-08-08T15:27:00Z", "number_observed": 1, "object_refs": [ "file--57a8a4c4-9e00-4714-bc39-46cb950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a4c4-9e00-4714-bc39-46cb950d210f", "name": "%System%\\rpsloc.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a4c4-f6c0-4892-926d-43c3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:27:00.000Z", "modified": "2016-08-08T15:27:00.000Z", "first_observed": "2016-08-08T15:27:00Z", "last_observed": "2016-08-08T15:27:00Z", "number_observed": 1, "object_refs": [ "file--57a8a4c4-f6c0-4892-926d-43c3950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a4c4-f6c0-4892-926d-43c3950d210f", "name": "%System%\\rsecman.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a4c4-f1a4-49fb-bd2a-4c60950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:27:00.000Z", "modified": "2016-08-08T15:27:00.000Z", "first_observed": "2016-08-08T15:27:00Z", "last_observed": "2016-08-08T15:27:00Z", "number_observed": 1, "object_refs": [ "file--57a8a4c4-f1a4-49fb-bd2a-4c60950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a4c4-f1a4-49fb-bd2a-4c60950d210f", "name": "%System%\\mstimed.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a4c5-eefc-4946-ad46-4eda950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:27:01.000Z", 
"modified": "2016-08-08T15:27:01.000Z", "first_observed": "2016-08-08T15:27:01Z", "last_observed": "2016-08-08T15:27:01Z", "number_observed": 1, "object_refs": [ "file--57a8a4c5-eefc-4946-ad46-4eda950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a4c5-eefc-4946-ad46-4eda950d210f", "name": "%System%\\dcompsup.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a4c5-ebd8-46f4-86c3-440e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:27:01.000Z", "modified": "2016-08-08T15:27:01.000Z", "first_observed": "2016-08-08T15:27:01Z", "last_observed": "2016-08-08T15:27:01Z", "number_observed": 1, "object_refs": [ "file--57a8a4c5-ebd8-46f4-86c3-440e950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a4c5-ebd8-46f4-86c3-440e950d210f", "name": "%System%\\compsup.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a4c6-3534-48cb-af8b-479a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:27:02.000Z", "modified": "2016-08-08T15:27:02.000Z", "first_observed": "2016-08-08T15:27:02Z", "last_observed": "2016-08-08T15:27:02Z", "number_observed": 1, "object_refs": [ "file--57a8a4c6-3534-48cb-af8b-479a950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a4c6-3534-48cb-af8b-479a950d210f", "name": "%System%\\ncompman.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a4c6-f110-46a9-88bc-4755950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:27:02.000Z", "modified": "2016-08-08T15:27:02.000Z", "first_observed": "2016-08-08T15:27:02Z", 
"last_observed": "2016-08-08T15:27:02Z", "number_observed": 1, "object_refs": [ "file--57a8a4c6-f110-46a9-88bc-4755950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a4c6-f110-46a9-88bc-4755950d210f", "name": "%System%\\rsecloc.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a4c7-ce98-4274-ac8c-4c15950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:27:03.000Z", "modified": "2016-08-08T15:27:03.000Z", "first_observed": "2016-08-08T15:27:03Z", "last_observed": "2016-08-08T15:27:03Z", "number_observed": 1, "object_refs": [ "file--57a8a4c7-ce98-4274-ac8c-4c15950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a4c7-ce98-4274-ac8c-4c15950d210f", "name": "%System%\\rdeskman.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a4c7-927c-4e93-b286-4672950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:27:03.000Z", "modified": "2016-08-08T15:27:03.000Z", "first_observed": "2016-08-08T15:27:03Z", "last_observed": "2016-08-08T15:27:03Z", "number_observed": 1, "object_refs": [ "file--57a8a4c7-927c-4e93-b286-4672950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a4c7-927c-4e93-b286-4672950d210f", "name": "%System%\\mfc64d.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a4c8-9bdc-4e78-81c4-4bed950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:27:04.000Z", "modified": "2016-08-08T15:27:04.000Z", "first_observed": "2016-08-08T15:27:04Z", "last_observed": "2016-08-08T15:27:04Z", "number_observed": 1, "object_refs": [ 
"file--57a8a4c8-9bdc-4e78-81c4-4bed950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a4c8-9bdc-4e78-81c4-4bed950d210f", "name": "%System%\\sceclid.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a4c8-4098-45f3-8f61-4e49950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:27:04.000Z", "modified": "2016-08-08T15:27:04.000Z", "first_observed": "2016-08-08T15:27:04Z", "last_observed": "2016-08-08T15:27:04Z", "number_observed": 1, "object_refs": [ "file--57a8a4c8-4098-45f3-8f61-4e49950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a4c8-4098-45f3-8f61-4e49950d210f", "name": "%System%\\ddesksys.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a4c8-0648-4cef-ba13-4e12950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:27:04.000Z", "modified": "2016-08-08T15:27:04.000Z", "first_observed": "2016-08-08T15:27:04Z", "last_observed": "2016-08-08T15:27:04Z", "number_observed": 1, "object_refs": [ "file--57a8a4c8-0648-4cef-ba13-4e12950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a4c8-0648-4cef-ba13-4e12950d210f", "name": "%System%\\isecman.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a4c9-126c-43da-b2d1-4eaa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:27:05.000Z", "modified": "2016-08-08T15:27:05.000Z", "first_observed": "2016-08-08T15:27:05Z", "last_observed": "2016-08-08T15:27:05Z", "number_observed": 1, "object_refs": [ "file--57a8a4c9-126c-43da-b2d1-4eaa950d210f" ], "labels": [ "misp:type=\"filename\"", 
"misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a4c9-126c-43da-b2d1-4eaa950d210f", "name": "%System%\\scsvc32.exe" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a4c9-c724-4296-a7e1-4f17950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:27:05.000Z", "modified": "2016-08-08T15:27:05.000Z", "first_observed": "2016-08-08T15:27:05Z", "last_observed": "2016-08-08T15:27:05Z", "number_observed": 1, "object_refs": [ "file--57a8a4c9-c724-4296-a7e1-4f17950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a4c9-c724-4296-a7e1-4f17950d210f", "name": "%System%\\polcfg.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a4ca-b860-4371-9279-4a1d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:27:06.000Z", "modified": "2016-08-08T15:27:06.000Z", "first_observed": "2016-08-08T15:27:06Z", "last_observed": "2016-08-08T15:27:06Z", "number_observed": 1, "object_refs": [ "file--57a8a4ca-b860-4371-9279-4a1d950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a4ca-b860-4371-9279-4a1d950d210f", "name": "%System%\\cnfloc.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a4cb-b800-4c34-a99e-43d0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:27:07.000Z", "modified": "2016-08-08T15:27:07.000Z", "first_observed": "2016-08-08T15:27:07Z", "last_observed": "2016-08-08T15:27:07Z", "number_observed": 1, "object_refs": [ "file--57a8a4cb-b800-4c34-a99e-43d0950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": 
"file--57a8a4cb-b800-4c34-a99e-43d0950d210f", "name": "%System%\\nseci.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a4cb-b6c0-43d5-92b4-4f45950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:27:07.000Z", "modified": "2016-08-08T15:27:07.000Z", "first_observed": "2016-08-08T15:27:07Z", "last_observed": "2016-08-08T15:27:07Z", "number_observed": 1, "object_refs": [ "file--57a8a4cb-b6c0-43d5-92b4-4f45950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57a8a4cb-b6c0-43d5-92b4-4f45950d210f", "name": "%System%\\eapproxycrypt.dll" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a4ee-9784-401d-8c39-4aa2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:27:42.000Z", "modified": "2016-08-08T15:27:42.000Z", "description": "Pipe backdoor / rpc helper", "pattern": "[file:hashes.MD5 = '46a676ab7f179e511e30dd2dc41bd388']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:27:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a4ee-0900-4a13-8e90-48b6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:27:42.000Z", "modified": "2016-08-08T15:27:42.000Z", "description": "Pipe backdoor / rpc helper", "pattern": "[file:hashes.MD5 = '9f81f59bc58452127884ce513865ed20']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:27:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", 
"misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a4ef-9730-4c58-9bc8-4060950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:27:43.000Z", "modified": "2016-08-08T15:27:43.000Z", "description": "Pipe backdoor / rpc helper", "pattern": "[file:hashes.MD5 = 'e710f28d59aa529d6792ca6ff0ca1b34']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:27:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a50c-e9e0-45c4-ae0a-429d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:28:12.000Z", "modified": "2016-08-08T15:28:12.000Z", "description": "Passive sniffer backdoor", "pattern": "[file:hashes.MD5 = '1f7ddb6752461615ebf0d76bdcc6ab1a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:28:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a50c-8ad4-4ae5-a883-4f34950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:28:12.000Z", "modified": "2016-08-08T15:28:12.000Z", "description": "Passive sniffer backdoor", "pattern": "[file:hashes.MD5 = '227ea8f8281b75c5cd5f10370997d801']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:28:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--57a8a50c-c138-441b-a39d-4bda950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:28:12.000Z", "modified": "2016-08-08T15:28:12.000Z", "description": "Passive sniffer backdoor", "pattern": "[file:hashes.MD5 = '2f704cb6c080024624fc3267f9fdf30e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:28:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a50d-5f30-4aa9-9e0e-40a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:28:13.000Z", "modified": "2016-08-08T15:28:13.000Z", "description": "Passive sniffer backdoor", "pattern": "[file:hashes.MD5 = '501fe625d15b91899cc9f29fdfc19c40']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:28:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a50d-e268-4121-8751-4105950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:28:13.000Z", "modified": "2016-08-08T15:28:13.000Z", "description": "Passive sniffer backdoor", "pattern": "[file:hashes.MD5 = '6296851190e685498955a5b37d277582']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:28:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--57a8a50d-579c-417b-8e7e-4261950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:28:13.000Z", "modified": "2016-08-08T15:28:13.000Z", "description": "Passive sniffer backdoor", "pattern": "[file:hashes.MD5 = '6b114168fb117bd870c28c5557f60efe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:28:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a50d-d800-4352-8026-4654950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:28:13.000Z", "modified": "2016-08-08T15:28:13.000Z", "description": "Passive sniffer backdoor", "pattern": "[file:hashes.MD5 = '7b6fdbd3839642d6ad7786182765d897']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:28:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a50d-7b5c-4c34-b329-4455950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:28:13.000Z", "modified": "2016-08-08T15:28:13.000Z", "description": "Passive sniffer backdoor", "pattern": "[file:hashes.MD5 = '7b8a3bf6fd266593db96eddaa3fae6f9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:28:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a52b-0aa0-4cb4-8d4f-46d0950d210f", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:28:43.000Z", "modified": "2016-08-08T15:28:43.000Z", "description": "Passive sniffer backdoor", "pattern": "[file:hashes.MD5 = 'c0dfb68a5de80b3434b04b38a61dbb61']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:28:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a52b-4324-4abf-8b2e-40a4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:28:43.000Z", "modified": "2016-08-08T15:28:43.000Z", "description": "Passive sniffer backdoor", "pattern": "[file:hashes.MD5 = 'bb6aec0cf17839a6bedfb9ddb05a0a6f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:28:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a52b-1d1c-4aa5-be23-4c05950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:28:43.000Z", "modified": "2016-08-08T15:28:43.000Z", "description": "Passive sniffer backdoor", "pattern": "[file:hashes.MD5 = 'c074710482023cd73da9f83438c3839f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:28:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a52b-a2d0-4c63-8ca6-4cf7950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:28:43.000Z", "modified": "2016-08-08T15:28:43.000Z", "description": "Passive sniffer backdoor", "pattern": "[file:hashes.MD5 = 'c3f8f39009c583e2ea0abe2710316d2a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:28:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a52b-fb90-4710-8d3b-4176950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:28:43.000Z", "modified": "2016-08-08T15:28:43.000Z", "description": "Passive sniffer backdoor", "pattern": "[file:hashes.MD5 = 'cf6c049bd7cd9e04cc365b73f3f6098e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:28:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a52c-271c-479c-b476-47b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:28:44.000Z", "modified": "2016-08-08T15:28:44.000Z", "description": "Passive sniffer backdoor", "pattern": "[file:hashes.MD5 = '40f751f2b22208433a1a363550c73c6b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:28:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a52c-bf08-4f46-935f-427b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", 
"created": "2016-08-08T15:28:44.000Z", "modified": "2016-08-08T15:28:44.000Z", "description": "Passive sniffer backdoor", "pattern": "[file:hashes.MD5 = '1d9d7d05ab7c68bdc257afb1c086fb88']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:28:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a566-a8a0-44eb-a50c-410b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:29:42.000Z", "modified": "2016-08-08T15:29:42.000Z", "description": "Generic pipe backdoors", "pattern": "[file:hashes.MD5 = '181c84e45abf1b03af0322f571848c2d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:29:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a566-05c0-4081-9d34-427d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:29:42.000Z", "modified": "2016-08-08T15:29:42.000Z", "description": "Generic pipe backdoors", "pattern": "[file:hashes.MD5 = '2e460fd574e4e4cce518f9bc8fc25547']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:29:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a566-5750-4112-ba32-4117950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:29:42.000Z", "modified": 
"2016-08-08T15:29:42.000Z", "description": "Generic pipe backdoors", "pattern": "[file:hashes.MD5 = '1f6ba85c62d30a69208fe9fb69d601fa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:29:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a582-2fb4-4601-886b-4ce3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:30:10.000Z", "modified": "2016-08-08T15:30:10.000Z", "description": "Null session pipes backdoor", "pattern": "[file:hashes.MD5 = 'f3b9c454b799e2fe6f09b6170c81ff5c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:30:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a582-4128-4dc1-852e-4afb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:30:10.000Z", "modified": "2016-08-08T15:30:10.000Z", "description": "Null session pipes backdoor", "pattern": "[file:hashes.MD5 = '0c12e834187203fbb87d0286de903dab']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:30:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a583-9f28-4ac4-a229-45f1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:30:11.000Z", "modified": "2016-08-08T15:30:11.000Z", "description": "Null 
session pipes backdoor", "pattern": "[file:hashes.MD5 = '72b03abb87f25e4d5a5c0e31877a3077']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:30:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a583-44b8-486f-84de-4ac6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:30:11.000Z", "modified": "2016-08-08T15:30:11.000Z", "description": "Null session pipes backdoor", "pattern": "[file:hashes.MD5 = '76db7e3af9be2dfaa491ec1142599075']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:30:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a583-0e2c-49a8-a42b-4b9e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:30:11.000Z", "modified": "2016-08-08T15:30:11.000Z", "description": "Null session pipes backdoor", "pattern": "[file:hashes.MD5 = '5d41719eb355fdf06277140da14af03e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:30:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a583-522c-4bea-a600-45f2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:30:11.000Z", "modified": "2016-08-08T15:30:11.000Z", "description": "Null session pipes backdoor", "pattern": 
"[file:hashes.MD5 = 'a277f018c2bb7c0051e15a00e214bbf2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:30:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5b4-4964-4d96-b178-464f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:00.000Z", "modified": "2016-08-08T15:31:00.000Z", "description": "Pipe and internet backdoor", "pattern": "[file:hashes.MD5 = '0c4a971e028dc2ae91789e08b424a265']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5b4-7ef0-461d-ab19-498f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:00.000Z", "modified": "2016-08-08T15:31:00.000Z", "description": "Pipe and internet backdoor", "pattern": "[file:hashes.MD5 = '44c2fa487a1c01f7839b4898cc54495e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5b4-8428-4e43-9d16-4d02950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:00.000Z", "modified": "2016-08-08T15:31:00.000Z", "description": "Pipe and internet backdoor", "pattern": "[file:hashes.MD5 = 
'f01dc49fce3a2ff22b18457b1bf098f8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5b4-84b8-4cc3-a65e-4a6b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:00.000Z", "modified": "2016-08-08T15:31:00.000Z", "description": "Pipe and internet backdoor", "pattern": "[file:hashes.MD5 = 'f59813ac7e30a1b0630621e865e3538c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5b5-dbd4-4cc0-88d3-47fa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:01.000Z", "modified": "2016-08-08T15:31:01.000Z", "description": "Pipe and internet backdoor", "pattern": "[file:hashes.MD5 = 'ca05d537b46d87ea700860573dd8a093']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5b5-7838-43bb-b368-4236950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:01.000Z", "modified": "2016-08-08T15:31:01.000Z", "description": "Pipe and internet backdoor", "pattern": "[file:hashes.MD5 = '01ac1cd4064b44cdfa24bf4eb40290e7']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5b5-bc5c-42bb-9e99-48a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:01.000Z", "modified": "2016-08-08T15:31:01.000Z", "description": "Pipe and internet backdoor", "pattern": "[file:hashes.MD5 = '1511f3c455128042f1f6db0c3d13f1ab']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5b5-ff18-4804-89ba-4408950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:01.000Z", "modified": "2016-08-08T15:31:01.000Z", "description": "Pipe and internet backdoor", "pattern": "[file:hashes.MD5 = '57c48b6f6cf410002503a670f1337a4b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5b6-8b00-40f5-873c-4a93950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:02.000Z", "modified": "2016-08-08T15:31:02.000Z", "description": "Pipe and internet backdoor", "pattern": "[file:hashes.MD5 = 'edb9e045b8dc7bb0b549bdf28e55f3b5']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2016-08-08T15:31:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5e5-6e74-46f4-b589-4f78950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:49.000Z", "modified": "2016-08-08T15:31:49.000Z", "description": "Core platform (LUA VFS)", "pattern": "[file:hashes.MD5 = '71eb97ff9bf70ea8bb1157d54608f8bb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5e5-9c80-4be0-b7ba-450e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:49.000Z", "modified": "2016-08-08T15:31:49.000Z", "description": "Core platform (LUA VFS)", "pattern": "[file:hashes.MD5 = '2f49544325e80437b709c3f10e01cb2d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5e5-88b8-479f-af85-42d9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:49.000Z", "modified": "2016-08-08T15:31:49.000Z", "description": "Core platform (LUA VFS)", "pattern": "[file:hashes.MD5 = '7261230a43a40bb29227a169c2c8e1be']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:49Z", "kill_chain_phases": 
[ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5e6-0f4c-49f7-8d3b-4d21950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:50.000Z", "modified": "2016-08-08T15:31:50.000Z", "description": "Core platform (LUA VFS)", "pattern": "[file:hashes.MD5 = 'fc77b80755f7189dee1bd74760e62a72']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5e6-cbcc-4dcb-b545-4eae950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:50.000Z", "modified": "2016-08-08T15:31:50.000Z", "description": "Core platform (LUA VFS)", "pattern": "[file:hashes.MD5 = 'a5588746a057f4b990e215b415d2d441']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5e6-ce00-4765-810a-4c45950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:50.000Z", "modified": "2016-08-08T15:31:50.000Z", "description": "Core platform (LUA VFS)", "pattern": "[file:hashes.MD5 = '0209541dead744715e359b6c6cb069a2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": 
"Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5e6-b174-4bec-a027-4a07950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:50.000Z", "modified": "2016-08-08T15:31:50.000Z", "description": "Core platform (LUA VFS)", "pattern": "[file:hashes.MD5 = 'fca102a0b39e2e3eddd0fe0a42807417']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5e6-ab10-4907-a487-441d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:50.000Z", "modified": "2016-08-08T15:31:50.000Z", "description": "Core platform (LUA VFS)", "pattern": "[file:hashes.MD5 = '5373c62d99aff7135a26b2d38870d277']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5e7-1e14-4154-b889-44e8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:51.000Z", "modified": "2016-08-08T15:31:51.000Z", "description": "Core platform (LUA VFS)", "pattern": "[file:hashes.MD5 = '91bb599cbba4fb1f72e30c09823e35f7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", 
"misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5e7-1104-4dfe-94f6-43a1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:51.000Z", "modified": "2016-08-08T15:31:51.000Z", "description": "Core platform (LUA VFS)", "pattern": "[file:hashes.MD5 = '914c669dbaaa27041a0be44f88d9a6bd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5e7-79d0-4cce-ae6b-460c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:51.000Z", "modified": "2016-08-08T15:31:51.000Z", "description": "Core platform (LUA VFS)", "pattern": "[file:hashes.MD5 = 'c58a90accc1200a7f1e98f7f7aa1b1ae']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5e7-d4f0-4273-9749-4887950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:51.000Z", "modified": "2016-08-08T15:31:51.000Z", "description": "Core platform (LUA VFS)", "pattern": "[file:hashes.MD5 = '63780a1690b922045625ead794696482']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", 
"misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5e8-d468-4c9f-96e2-4c8e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:52.000Z", "modified": "2016-08-08T15:31:52.000Z", "description": "Core platform (LUA VFS)", "pattern": "[file:hashes.MD5 = '8d02e1eb86b7d1280446628f039c1964']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5e8-460c-46d1-a8ec-4ec6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:52.000Z", "modified": "2016-08-08T15:31:52.000Z", "description": "Core platform (LUA VFS)", "pattern": "[file:hashes.MD5 = '6ca97b89af29d7eff94a3a60fa7efe0a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5e8-ede0-44f3-981e-4d03950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:52.000Z", "modified": "2016-08-08T15:31:52.000Z", "description": "Core platform (LUA VFS)", "pattern": "[file:hashes.MD5 = '93c9c50ac339219ee442ec53d31c11a2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--57a8a5e8-e760-4363-8716-4307950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:52.000Z", "modified": "2016-08-08T15:31:52.000Z", "description": "Core platform (LUA VFS)", "pattern": "[file:hashes.MD5 = 'f7434b5c52426041cc87aa7045f04ec7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5e8-0af4-4382-9fc9-4603950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:52.000Z", "modified": "2016-08-08T15:31:52.000Z", "description": "Core platform (LUA VFS)", "pattern": "[file:hashes.MD5 = 'f936b1c068749fe37ed4a92c9b4cfab6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5e9-fdc8-4454-acd1-41c8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:53.000Z", "modified": "2016-08-08T15:31:53.000Z", "description": "Core platform (LUA VFS)", "pattern": "[file:hashes.MD5 = '2054d07ae841fcff6158c7ccf5f14bf2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--57a8a5e9-51bc-451d-b486-49b7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:53.000Z", "modified": "2016-08-08T15:31:53.000Z", "description": "Core platform (LUA VFS)", "pattern": "[file:hashes.MD5 = '6cd8311d11dc973e970237e10ed04ad7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:31:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a5f7-2804-4c51-903e-4165950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:32:07.000Z", "modified": "2016-08-08T15:32:07.000Z", "description": "MyTrampoline", "pattern": "[file:hashes.MD5 = '5ddd5294655e9eb3b9b2071dc2e503b1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:32:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a60c-ed58-4a51-8d2e-49f2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:32:28.000Z", "modified": "2016-08-08T15:32:28.000Z", "description": "Bus manager", "pattern": "[file:hashes.MD5 = '2a8785bf45f4f03c10cd929bb0685c2d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:32:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a60d-5cc8-41c5-81b2-4187950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:32:29.000Z", "modified": "2016-08-08T15:32:29.000Z", "description": "Bus manager", "pattern": "[file:hashes.MD5 = 'f0e0cbf1498dbf9b8321d11d21c49811']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:32:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a60d-eb4c-402a-89e6-4bf4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:32:29.000Z", "modified": "2016-08-08T15:32:29.000Z", "description": "Bus manager", "pattern": "[file:hashes.MD5 = 'ac8072dfda27f9ea068dcad5712dd893']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:32:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a60d-a574-4cba-8963-4429950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:32:29.000Z", "modified": "2016-08-08T15:32:29.000Z", "description": "Bus manager", "pattern": "[file:hashes.MD5 = '2382a79f9764389acfb4cb4692aa044d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:32:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a60e-1074-4e8e-9638-4307950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:32:30.000Z", 
"modified": "2016-08-08T15:32:30.000Z", "description": "Bus manager", "pattern": "[file:hashes.MD5 = '85ea0d79ff015d0b1e09256a880a13ce']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:32:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a60e-887c-4551-bb03-475f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:32:30.000Z", "modified": "2016-08-08T15:32:30.000Z", "description": "Bus manager", "pattern": "[file:hashes.MD5 = '4728a97e720c564f6e76d0e22c76bae5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:32:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a60f-a2e0-44e1-a9ea-467e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:32:31.000Z", "modified": "2016-08-08T15:32:31.000Z", "description": "Bus manager", "pattern": "[file:hashes.MD5 = 'b98227f8116133dc8060f2ada986631c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:32:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a60f-53cc-41cc-9cf4-4ab9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:32:31.000Z", "modified": "2016-08-08T15:32:31.000Z", "description": "Bus manager", "pattern": 
"[file:hashes.MD5 = 'd2065603ea3538d17b6ce276f64aa7a2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:32:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a610-3670-4531-8cdf-4e4a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:32:32.000Z", "modified": "2016-08-08T15:32:32.000Z", "description": "Bus manager", "pattern": "[file:hashes.MD5 = 'fcd1a80575f503a5c4c05d4489d78ff9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:32:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a610-d524-4b34-9395-4ee5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:32:32.000Z", "modified": "2016-08-08T15:32:32.000Z", "description": "Bus manager", "pattern": "[file:hashes.MD5 = 'eb8d5f44924b4df2ce4a70305dc4bd59']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:32:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a611-fa80-4e92-85d5-459e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:32:33.000Z", "modified": "2016-08-08T15:32:33.000Z", "description": "Bus manager", "pattern": "[file:hashes.MD5 = '17deb723a16856e72dd5c1ba0dae0cc7']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2016-08-08T15:32:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a611-cf14-43e6-8da1-408a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:32:33.000Z", "modified": "2016-08-08T15:32:33.000Z", "description": "Bus manager", "pattern": "[file:hashes.MD5 = 'b6fe14091359399c4ea572ebf645d2c5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:32:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a612-00b8-4efa-bd7a-4ce2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:32:34.000Z", "modified": "2016-08-08T15:32:34.000Z", "description": "Bus manager", "pattern": "[file:hashes.MD5 = 'c8c30989a25c0b2918a5bb9fd6025a7a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:32:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a612-56f0-4871-8006-43c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:32:34.000Z", "modified": "2016-08-08T15:32:34.000Z", "description": "Bus manager", "pattern": "[file:hashes.MD5 = '814ca3a31122d821cd1e582abf958e8f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:32:34Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a62a-6054-489b-b047-41fe950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:32:58.000Z", "modified": "2016-08-08T15:32:58.000Z", "description": "Network Sniffer", "pattern": "[file:hashes.MD5 = '951ebe1ee17f61cd2398d8bc0e00b099']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:32:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a683-34ec-4347-b378-444c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:27.000Z", "modified": "2016-08-08T15:34:27.000Z", "description": "Bus manager - Xchecked via VT: b98227f8116133dc8060f2ada986631c", "pattern": "[file:hashes.SHA256 = '7cc0bf547e78c8aaf408495ceef58fa706e6b5d44441fefdce09d9f06398c0ca']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:34:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a683-f430-48c2-978c-47ca02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:27.000Z", "modified": "2016-08-08T15:34:27.000Z", "description": "Bus manager - Xchecked via VT: b98227f8116133dc8060f2ada986631c", "pattern": "[file:hashes.SHA1 = 'aa70eaa865f9444dbea03df371d220e1cd79156b']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2016-08-08T15:34:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a684-2248-45f8-92cf-467802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:28.000Z", "modified": "2016-08-08T15:34:28.000Z", "first_observed": "2016-08-08T15:34:28Z", "last_observed": "2016-08-08T15:34:28Z", "number_observed": 1, "object_refs": [ "url--57a8a684-2248-45f8-92cf-467802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a8a684-2248-45f8-92cf-467802de0b81", "value": "https://www.virustotal.com/file/7cc0bf547e78c8aaf408495ceef58fa706e6b5d44441fefdce09d9f06398c0ca/analysis/1469199571/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a684-c348-4d4a-9067-4a6602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:28.000Z", "modified": "2016-08-08T15:34:28.000Z", "description": "Bus manager - Xchecked via VT: 2a8785bf45f4f03c10cd929bb0685c2d", "pattern": "[file:hashes.SHA256 = '6c8c93069831a1b60279d2b316fd36bffa0d4c407068dbef81b8e2fe8fd8e8cd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:34:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a684-d100-42bd-9280-48ea02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:28.000Z", "modified": "2016-08-08T15:34:28.000Z", "description": "Bus manager - Xchecked via VT: 
2a8785bf45f4f03c10cd929bb0685c2d", "pattern": "[file:hashes.SHA1 = 'd18792a187d7567f3f31908c05a8b8a2647d365f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:34:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a685-4d20-45fe-ae77-469202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:29.000Z", "modified": "2016-08-08T15:34:29.000Z", "first_observed": "2016-08-08T15:34:29Z", "last_observed": "2016-08-08T15:34:29Z", "number_observed": 1, "object_refs": [ "url--57a8a685-4d20-45fe-ae77-469202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a8a685-4d20-45fe-ae77-469202de0b81", "value": "https://www.virustotal.com/file/6c8c93069831a1b60279d2b316fd36bffa0d4c407068dbef81b8e2fe8fd8e8cd/analysis/1470296379/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a685-acec-426a-9347-4fae02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:29.000Z", "modified": "2016-08-08T15:34:29.000Z", "description": "Core platform (LUA VFS) - Xchecked via VT: 6cd8311d11dc973e970237e10ed04ad7", "pattern": "[file:hashes.SHA256 = 'a4736de88e9208eb81b52f29bab9e7f328b90a86512bd0baadf4c519e948e5ec']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:34:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a685-62ac-425b-a6b6-48a402de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:29.000Z", "modified": "2016-08-08T15:34:29.000Z", "description": "Core platform (LUA VFS) - Xchecked via VT: 6cd8311d11dc973e970237e10ed04ad7", "pattern": "[file:hashes.SHA1 = 'e13cacb3f1eab730d0def265e7167a4f2ecce9c1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:34:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a686-ff9c-49cd-ba0f-4c0202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:30.000Z", "modified": "2016-08-08T15:34:30.000Z", "first_observed": "2016-08-08T15:34:30Z", "last_observed": "2016-08-08T15:34:30Z", "number_observed": 1, "object_refs": [ "url--57a8a686-ff9c-49cd-ba0f-4c0202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a8a686-ff9c-49cd-ba0f-4c0202de0b81", "value": "https://www.virustotal.com/file/a4736de88e9208eb81b52f29bab9e7f328b90a86512bd0baadf4c519e948e5ec/analysis/1470448090/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a686-2d80-4f84-a87d-437802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:30.000Z", "modified": "2016-08-08T15:34:30.000Z", "description": "Core platform (LUA VFS) - Xchecked via VT: 7261230a43a40bb29227a169c2c8e1be", "pattern": "[file:hashes.SHA256 = 'd737644d612e5051f66fb97a34ec592b3508be06e33f743a2fdb31cdf6bd2718']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:34:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", 
"misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a686-1b0c-4c9a-b4d2-47ab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:30.000Z", "modified": "2016-08-08T15:34:30.000Z", "description": "Core platform (LUA VFS) - Xchecked via VT: 7261230a43a40bb29227a169c2c8e1be", "pattern": "[file:hashes.SHA1 = '1bb7614bb7c3042796c8dc7befdd8042197f222d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:34:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a687-c41c-4e9a-be4d-40da02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:31.000Z", "modified": "2016-08-08T15:34:31.000Z", "first_observed": "2016-08-08T15:34:31Z", "last_observed": "2016-08-08T15:34:31Z", "number_observed": 1, "object_refs": [ "url--57a8a687-c41c-4e9a-be4d-40da02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a8a687-c41c-4e9a-be4d-40da02de0b81", "value": "https://www.virustotal.com/file/d737644d612e5051f66fb97a34ec592b3508be06e33f743a2fdb31cdf6bd2718/analysis/1470649331/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a687-afb0-4346-9e09-453802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:31.000Z", "modified": "2016-08-08T15:34:31.000Z", "description": "Pipe and internet backdoor - Xchecked via VT: edb9e045b8dc7bb0b549bdf28e55f3b5", "pattern": "[file:hashes.SHA256 = '96c3404dadee72b1f27f6d4fbd567aac84d1fdf64a5168c7ef2464b6c4b86289']", "pattern_type": "stix", "pattern_version": 
"2.1", "valid_from": "2016-08-08T15:34:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a687-1704-4209-afa1-441302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:31.000Z", "modified": "2016-08-08T15:34:31.000Z", "description": "Pipe and internet backdoor - Xchecked via VT: edb9e045b8dc7bb0b549bdf28e55f3b5", "pattern": "[file:hashes.SHA1 = 'ad1a9b908602a474ce2039e95b1598f75583eb4d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:34:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a687-eb9c-46c4-ab81-494902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:31.000Z", "modified": "2016-08-08T15:34:31.000Z", "first_observed": "2016-08-08T15:34:31Z", "last_observed": "2016-08-08T15:34:31Z", "number_observed": 1, "object_refs": [ "url--57a8a687-eb9c-46c4-ab81-494902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a8a687-eb9c-46c4-ab81-494902de0b81", "value": "https://www.virustotal.com/file/96c3404dadee72b1f27f6d4fbd567aac84d1fdf64a5168c7ef2464b6c4b86289/analysis/1470649334/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a687-e038-4a22-89d3-41b202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:31.000Z", "modified": "2016-08-08T15:34:31.000Z", "description": "Pipe and internet backdoor - Xchecked via VT: 
01ac1cd4064b44cdfa24bf4eb40290e7", "pattern": "[file:hashes.SHA256 = '8e63e579dded54f81ec50ef085929069d30a940ea4afd4f3bf77452f0546a3d3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:34:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a688-6df0-4a01-a58f-45d402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:32.000Z", "modified": "2016-08-08T15:34:32.000Z", "description": "Pipe and internet backdoor - Xchecked via VT: 01ac1cd4064b44cdfa24bf4eb40290e7", "pattern": "[file:hashes.SHA1 = 'cc78cea09009e7dfe2f155f24e7968dd69d044a5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:34:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a688-e6c8-44aa-b015-489502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:32.000Z", "modified": "2016-08-08T15:34:32.000Z", "first_observed": "2016-08-08T15:34:32Z", "last_observed": "2016-08-08T15:34:32Z", "number_observed": 1, "object_refs": [ "url--57a8a688-e6c8-44aa-b015-489502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a8a688-e6c8-44aa-b015-489502de0b81", "value": "https://www.virustotal.com/file/8e63e579dded54f81ec50ef085929069d30a940ea4afd4f3bf77452f0546a3d3/analysis/1470649332/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a688-e528-41ab-8076-4ca602de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:32.000Z", "modified": "2016-08-08T15:34:32.000Z", "description": "Passive sniffer backdoor - Xchecked via VT: 1d9d7d05ab7c68bdc257afb1c086fb88", "pattern": "[file:hashes.SHA256 = 'c8f95bf8a76ff124cc1d7a8439beff360d0eb9c0972d42a8684c3bd4e91c6600']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:34:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a688-e504-423f-b5ce-4cc902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:32.000Z", "modified": "2016-08-08T15:34:32.000Z", "description": "Passive sniffer backdoor - Xchecked via VT: 1d9d7d05ab7c68bdc257afb1c086fb88", "pattern": "[file:hashes.SHA1 = '63b579b9671b45478b42a5f96110c9d4234f7c82']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:34:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a688-b510-4581-a81f-459402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:32.000Z", "modified": "2016-08-08T15:34:32.000Z", "first_observed": "2016-08-08T15:34:32Z", "last_observed": "2016-08-08T15:34:32Z", "number_observed": 1, "object_refs": [ "url--57a8a688-b510-4581-a81f-459402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a8a688-b510-4581-a81f-459402de0b81", "value": 
"https://www.virustotal.com/file/c8f95bf8a76ff124cc1d7a8439beff360d0eb9c0972d42a8684c3bd4e91c6600/analysis/1470653946/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a689-63e8-495c-832a-423702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:33.000Z", "modified": "2016-08-08T15:34:33.000Z", "description": "Passive sniffer backdoor - Xchecked via VT: cf6c049bd7cd9e04cc365b73f3f6098e", "pattern": "[file:hashes.SHA256 = '6b06522f803437d51c15832dbd6b91d8d8b244440b4d2f09bd952f335351b06d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:34:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a689-dde4-4102-9968-455d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:33.000Z", "modified": "2016-08-08T15:34:33.000Z", "description": "Passive sniffer backdoor - Xchecked via VT: cf6c049bd7cd9e04cc365b73f3f6098e", "pattern": "[file:hashes.SHA1 = '90bead07f7c6c92c6ca2b34406c5ea516307ee4e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:34:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a689-beb4-4d52-a184-4d9b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:33.000Z", "modified": "2016-08-08T15:34:33.000Z", "first_observed": "2016-08-08T15:34:33Z", "last_observed": "2016-08-08T15:34:33Z", "number_observed": 1, "object_refs": [ "url--57a8a689-beb4-4d52-a184-4d9b02de0b81" ], 
"labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a8a689-beb4-4d52-a184-4d9b02de0b81", "value": "https://www.virustotal.com/file/6b06522f803437d51c15832dbd6b91d8d8b244440b4d2f09bd952f335351b06d/analysis/1470649331/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a689-1c2c-4faf-bb9e-424202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:33.000Z", "modified": "2016-08-08T15:34:33.000Z", "description": "Passive sniffer backdoor - Xchecked via VT: 7b8a3bf6fd266593db96eddaa3fae6f9", "pattern": "[file:hashes.SHA256 = '3782b63d7f6f688a5ccb1b72be89a6a98bb722218c9f22402709af97a41973c8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:34:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a689-0504-4019-b091-453002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:33.000Z", "modified": "2016-08-08T15:34:33.000Z", "description": "Passive sniffer backdoor - Xchecked via VT: 7b8a3bf6fd266593db96eddaa3fae6f9", "pattern": "[file:hashes.SHA1 = 'd18df80316160535aa798303b6f02b6ae8e04388']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:34:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a68a-2e50-4611-bfed-466002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:34.000Z", "modified": 
"2016-08-08T15:34:34.000Z", "first_observed": "2016-08-08T15:34:34Z", "last_observed": "2016-08-08T15:34:34Z", "number_observed": 1, "object_refs": [ "url--57a8a68a-2e50-4611-bfed-466002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a8a68a-2e50-4611-bfed-466002de0b81", "value": "https://www.virustotal.com/file/3782b63d7f6f688a5ccb1b72be89a6a98bb722218c9f22402709af97a41973c8/analysis/1470653929/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a68a-f2d4-453e-907e-479c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:34.000Z", "modified": "2016-08-08T15:34:34.000Z", "description": "Pipe backdoor / rpc helper - Xchecked via VT: 9f81f59bc58452127884ce513865ed20", "pattern": "[file:hashes.SHA256 = '720195b07c81e95dab4a1469342bc723938733b3846d7647264f6d0816269380']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:34:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a8a68a-dfc0-417f-a182-405d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:34.000Z", "modified": "2016-08-08T15:34:34.000Z", "description": "Pipe backdoor / rpc helper - Xchecked via VT: 9f81f59bc58452127884ce513865ed20", "pattern": "[file:hashes.SHA1 = '56ba0ff2554c6f2415654d0e4f7438ea8e0fa7f9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:34:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", 
"id": "observed-data--57a8a68a-42e4-4460-9b0c-469e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:34:34.000Z", "modified": "2016-08-08T15:34:34.000Z", "first_observed": "2016-08-08T15:34:34Z", "last_observed": "2016-08-08T15:34:34Z", "number_observed": 1, "object_refs": [ "url--57a8a68a-42e4-4460-9b0c-469e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a8a68a-42e4-4460-9b0c-469e02de0b81", "value": "https://www.virustotal.com/file/720195b07c81e95dab4a1469342bc723938733b3846d7647264f6d0816269380/analysis/1470649327/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a5e3-9984-4f4e-97f8-4920950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:47.000Z", "modified": "2016-08-08T15:31:47.000Z", "first_observed": "2016-08-08T15:31:47Z", "last_observed": "2016-08-08T15:31:47Z", "number_observed": 1, "object_refs": [ "url--57a8a5e3-9984-4f4e-97f8-4920950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a8a5e3-9984-4f4e-97f8-4920950d210f", "value": "https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a5e4-a59c-4970-bdb3-46d0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:48.000Z", "modified": "2016-08-08T15:31:48.000Z", "first_observed": "2016-08-08T15:31:48Z", "last_observed": "2016-08-08T15:31:48Z", "number_observed": 1, "object_refs": [ "url--57a8a5e4-a59c-4970-bdb3-46d0950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a8a5e4-a59c-4970-bdb3-46d0950d210f", "value": "https://kas.pr/c9SH" }, { 
"type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a5e4-62f4-4031-9887-4710950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:48.000Z", "modified": "2016-08-08T15:31:48.000Z", "first_observed": "2016-08-08T15:31:48Z", "last_observed": "2016-08-08T15:31:48Z", "number_observed": 1, "object_refs": [ "url--57a8a5e4-62f4-4031-9887-4710950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a8a5e4-62f4-4031-9887-4710950d210f", "value": "https://securelist.com/files/2016/07/The-ProjectSauron-APT_IOCs_KL.pdf" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a5e4-1260-4e62-b71a-41ea950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:48.000Z", "modified": "2016-08-08T15:31:48.000Z", "first_observed": "2016-08-08T15:31:48Z", "last_observed": "2016-08-08T15:31:48Z", "number_observed": 1, "object_refs": [ "url--57a8a5e4-1260-4e62-b71a-41ea950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a8a5e4-1260-4e62-b71a-41ea950d210f", "value": "https://securelist.com/files/2016/07/The-ProjectSauron-APT_Technical_Analysis_KL.pdf" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a8a5e4-51f8-4491-82ae-4edb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-08T15:31:48.000Z", "modified": "2016-08-08T15:31:48.000Z", "first_observed": "2016-08-08T15:31:48Z", "last_observed": "2016-08-08T15:31:48Z", "number_observed": 1, "object_refs": [ "url--57a8a5e4-51f8-4491-82ae-4edb950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a8a5e4-51f8-4491-82ae-4edb950d210f", "value": 
"https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }