{ "Event": { "analysis": "2", "date": "2016-08-08", "extends_uuid": "", "info": "OSINT - ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms", "publish_timestamp": "1493409708", "published": true, "threat_level_id": "1", "timestamp": "1493403729", "uuid": "57a8a2e8-6054-46ef-bab9-418e950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470669595", "to_ids": false, "type": "comment", "uuid": "57a8a31b-1ab4-445e-8ffc-42ed950d210f", "value": "Over the last few years, the number of \u201cAPT-related\u201d incidents described in the media has grown significantly. For many of these, though, the designation \u201cAPT\u201d, indicating an \u201cAdvanced Persistent Threat\u201d, is usually an exaggeration. With some notable exceptions, few of the threat actors usually described in the media are advanced. These exceptions, which in our opinion represent the pinnacle of cyberespionage tools: the truly \u201cadvanced\u201d threat actors out there, are Equation, Regin, Duqu or Careto. Another such an exceptional espionage platform is \u201cProjectSauron\u201d, also known as \u201cStrider\u201d.\r\n\r\nWhat differentiates a truly advanced threat actor from a wannabe APT? 
Here are a few features that characterize the \u2018top\u2019 cyberespionage groups:\r\n\r\n The use of zero day exploits\r\n Unknown, never identified infection vectors\r\n Have compromised multiple government organizations in several countries\r\n Have successfully stolen information for many years before being discovered\r\n Have the ability to steal information from air gapped networks\r\n Support multiple covert exfiltration channels on various protocols\r\n Malware modules which can exist only in memory without touching the disk\r\n Unusual persistence techniques which sometime use undocumented OS features\r\n\r\n\u201cProjectSauron\u201d easily covers many of these points." }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1470669692", "to_ids": true, "type": "ip-dst", "uuid": "57a8a37c-d830-44db-8b0d-440f950d210f", "value": "185.78.64.121" }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1470669692", "to_ids": true, "type": "domain", "uuid": "57a8a37c-43f0-47ef-af72-45e4950d210f", "value": "rapidcomments.com" }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1470669692", "to_ids": true, "type": "ip-dst", "uuid": "57a8a37c-5cc8-44ea-bdab-4fbe950d210f", "value": "81.4.108.168" }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1470669692", "to_ids": true, "type": "domain", "uuid": "57a8a37c-a654-4f67-ac1a-4b92950d210f", "value": "bikessport.com" }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1470669692", "to_ids": true, "type": "ip-dst", "uuid": "57a8a37c-ef9c-4184-a106-4d7c950d210f", "value": "178.211.40.117" }, { "category": "Network activity", "comment": "C2", "deleted": false, 
"disable_correlation": false, "timestamp": "1470669693", "to_ids": true, "type": "ip-dst", "uuid": "57a8a37d-3eec-42d3-9d19-487a950d210f", "value": "176.9.242.188" }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1470669693", "to_ids": true, "type": "hostname", "uuid": "57a8a37d-3b68-48c3-8ced-439d950d210f", "value": "www.myhomemusic.com" }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1470669693", "to_ids": true, "type": "hostname", "uuid": "57a8a37d-b9c4-441f-b570-413a950d210f", "value": "flowershop22.110mb.com" }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1470669693", "to_ids": true, "type": "hostname", "uuid": "57a8a37d-75a8-49d3-b70d-4e78950d210f", "value": "wildhorses.awardspace.info" }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1470669693", "to_ids": true, "type": "ip-dst", "uuid": "57a8a37d-d8d0-42d1-8d8c-4d5d950d210f", "value": "217.160.176.157" }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1470669694", "to_ids": true, "type": "ip-dst", "uuid": "57a8a37e-8a58-4d43-a601-4fd8950d210f", "value": "5.196.206.166" }, { "category": "Network activity", "comment": "Mask/regexp", "deleted": false, "disable_correlation": false, "timestamp": "1470669790", "to_ids": true, "type": "text", "uuid": "57a8a3d4-80cc-4315-8f13-420f950d210f", "value": "sx4-ws42*.yi[.]org \r\nuz%d.weedns[.]com\r\nwe%d.q.tcow[.]eu" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470669820", "to_ids": true, "type": "pattern-in-memory", "uuid": "57a8a3fc-93c4-4177-886f-4144950d210f", "value": "EFEB0A9C6ABA4CF5958F41DB6A31929776C643DEDC65CC9B67AB8B0066FF2492" }, { "category": "Artifacts 
dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669905", "to_ids": false, "type": "filename", "uuid": "57a8a451-289c-4a68-8104-4713950d210f", "value": "%System%\\rpchlpr.exe" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669906", "to_ids": false, "type": "filename", "uuid": "57a8a452-fb14-454e-8ade-4a7f950d210f", "value": "%System%\\symnet32.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669906", "to_ids": false, "type": "filename", "uuid": "57a8a452-7e70-44ee-b281-49f7950d210f", "value": "%System%\\rdiskman.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669906", "to_ids": false, "type": "filename", "uuid": "57a8a452-5ecc-482c-b94d-4076950d210f", "value": "%System%\\rseceng.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669907", "to_ids": false, "type": "filename", "uuid": "57a8a453-493c-41b5-93ad-4ce8950d210f", "value": "%System%\\msprtssp.dll" }, { 
"category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669907", "to_ids": false, "type": "filename", "uuid": "57a8a453-65a4-4378-9100-4003950d210f", "value": "%System%\\ncompc.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669908", "to_ids": false, "type": "filename", "uuid": "57a8a454-0748-4119-a55c-4b1e950d210f", "value": "%System%\\rdeskm.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669908", "to_ids": false, "type": "filename", "uuid": "57a8a454-2c08-4de7-b772-4c03950d210f", "value": "%System%\\dpsf.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669909", "to_ids": false, "type": "filename", "uuid": "57a8a455-0a60-41d8-9b5b-4c18950d210f", "value": "%System%\\nsecf.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669909", "to_ids": false, "type": "filename", "uuid": "57a8a455-daa8-48e4-acd4-4f33950d210f", "value": 
"%System%\\rdesk.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669910", "to_ids": false, "type": "filename", "uuid": "57a8a456-dce0-47ac-afb1-4df3950d210f", "value": "%System%\\dpsloc.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669911", "to_ids": false, "type": "filename", "uuid": "57a8a457-dea4-4230-bbca-429e950d210f", "value": "%System%\\ddeskm.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669912", "to_ids": false, "type": "filename", "uuid": "57a8a458-5b48-4a30-80b2-4844950d210f", "value": "%System%\\rdisksup.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669913", "to_ids": false, "type": "filename", "uuid": "57a8a459-8638-4b90-a139-4cfd950d210f", "value": "%System%\\rcompf.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669914", "to_ids": false, "type": "filename", "uuid": 
"57a8a45a-3ab8-4fdd-8857-4e53950d210f", "value": "%System%\\ncompsup.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669914", "to_ids": false, "type": "filename", "uuid": "57a8a45a-1640-4725-971d-48aa950d210f", "value": "%System%\\rdiskf.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669914", "to_ids": false, "type": "filename", "uuid": "57a8a45a-b300-44e0-9e42-4d90950d210f", "value": "%System%\\iseceng.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669915", "to_ids": false, "type": "filename", "uuid": "57a8a45b-9d50-4d22-895c-46c3950d210f", "value": "%System%\\msasspc.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669916", "to_ids": false, "type": "filename", "uuid": "57a8a45c-7734-4db5-a521-40f7950d210f", "value": "%System%\\wpsloc.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669917", "to_ids": false, "type": 
"filename", "uuid": "57a8a45d-97b8-4c36-8556-4fa1950d210f", "value": "%System%\\wpackpwf.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669917", "to_ids": false, "type": "filename", "uuid": "57a8a45d-293c-4c08-a322-446b950d210f", "value": "%System%\\rcnfm.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669956", "to_ids": false, "type": "filename", "uuid": "57a8a484-d0dc-49a1-bf21-49e5950d210f", "value": "%Temp%\\kavupdate.exe" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669957", "to_ids": false, "type": "filename", "uuid": "57a8a485-8cac-45ba-bf23-4848950d210f", "value": "%Temp%\\kavupd.exe" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669957", "to_ids": false, "type": "filename", "uuid": "57a8a485-9c5c-4f61-bb88-4f03950d210f", "value": "%Temp%\\klnupd.exe" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669958", "to_ids": 
false, "type": "filename", "uuid": "57a8a486-64d8-4b38-b3c5-4be2950d210f", "value": "%System%\\hptcpprnt.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669958", "to_ids": false, "type": "filename", "uuid": "57a8a486-4e48-4a24-b359-45ba950d210f", "value": "%System%\\rdeskf.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669959", "to_ids": false, "type": "filename", "uuid": "57a8a487-5f98-4495-90e0-4899950d210f", "value": "%System%\\ncnfloc.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669960", "to_ids": false, "type": "filename", "uuid": "57a8a488-cfe8-44df-a10c-4dc2950d210f", "value": "%System%\\msaosspc.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669960", "to_ids": false, "type": "filename", "uuid": "57a8a488-49b4-465c-9d07-457e950d210f", "value": "%System%\\ndiskloc.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": 
"1470669960", "to_ids": false, "type": "filename", "uuid": "57a8a488-40fc-482f-92c4-40a6950d210f", "value": "%System%\\mperfcl.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669961", "to_ids": false, "type": "filename", "uuid": "57a8a489-4918-4a19-a1b4-4e73950d210f", "value": "%System%\\polsec.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669962", "to_ids": false, "type": "filename", "uuid": "57a8a48a-ac34-4aeb-8d74-410c950d210f", "value": "%System%\\sxsmgrkbd.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669962", "to_ids": false, "type": "filename", "uuid": "57a8a48a-085c-4c5d-97ad-4c28950d210f", "value": "%System%\\cfgbaseprt.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669963", "to_ids": false, "type": "filename", "uuid": "57a8a48b-0e94-48d8-a006-4316950d210f", "value": "%System%\\seccertapi.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, 
"disable_correlation": false, "timestamp": "1470669964", "to_ids": false, "type": "filename", "uuid": "57a8a48c-8b98-40cb-993d-4537950d210f", "value": "%System%\\krbsec.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669964", "to_ids": false, "type": "filename", "uuid": "57a8a48c-8ba8-4ef5-aebf-45e4950d210f", "value": "%System%\\prnpapi.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669965", "to_ids": false, "type": "filename", "uuid": "57a8a48d-5014-48e4-aaa8-4235950d210f", "value": "%System%\\ndisk.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669966", "to_ids": false, "type": "filename", "uuid": "57a8a48e-1c34-441d-b223-4f9d950d210f", "value": "%System%\\ndisksup.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669967", "to_ids": false, "type": "filename", "uuid": "57a8a48f-3a70-4466-bd38-4fc8950d210f", "value": "%System%\\rdiskloc.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random 
order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669968", "to_ids": false, "type": "filename", "uuid": "57a8a490-9074-47bc-8296-4832950d210f", "value": "%System%\\pngmon.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669969", "to_ids": false, "type": "filename", "uuid": "57a8a491-39dc-4243-98c3-499d950d210f", "value": "%System%\\kavsec64.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669969", "to_ids": false, "type": "filename", "uuid": "57a8a491-8fe8-41e2-85e5-4f47950d210f", "value": "%System%\\wlseccomm.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669970", "to_ids": false, "type": "filename", "uuid": "57a8a492-eb60-4411-8dd2-40dd950d210f", "value": "%System%\\rcnfsys.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669971", "to_ids": false, "type": "filename", "uuid": "57a8a493-aaf0-4222-a1e8-4efa950d210f", "value": "%System%\\wpackshim.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots 
and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669971", "to_ids": false, "type": "filename", "uuid": "57a8a493-1c64-46fc-87d0-4fb4950d210f", "value": "%System%\\ncnfsys.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669972", "to_ids": false, "type": "filename", "uuid": "57a8a494-fb04-49b7-adf8-48a4950d210f", "value": "%System%\\sxsapifeed.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669972", "to_ids": false, "type": "filename", "uuid": "57a8a494-0c5c-40c3-bdc7-4e50950d210f", "value": "%System%\\wmupdsvc.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669973", "to_ids": false, "type": "filename", "uuid": "57a8a495-bdf4-42e1-96fe-4248950d210f", "value": "%System%\\compc.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669973", "to_ids": false, "type": "filename", "uuid": "57a8a495-4708-4515-a23f-4a82950d210f", "value": "%System%\\compman.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of 
several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669974", "to_ids": false, "type": "filename", "uuid": "57a8a496-8028-4a88-b531-4b5a950d210f", "value": "%System%\\cnfsys.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669974", "to_ids": false, "type": "filename", "uuid": "57a8a496-63ac-44ed-a6b0-4e17950d210f", "value": "%System%\\isecf.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669975", "to_ids": false, "type": "filename", "uuid": "57a8a497-7818-4541-a7ee-4740950d210f", "value": "%System%\\klsec.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669976", "to_ids": false, "type": "filename", "uuid": "57a8a498-6830-4664-b527-4876950d210f", "value": "%System%\\nagent.exe" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669976", "to_ids": false, "type": "filename", "uuid": "57a8a498-5890-46b1-a70c-41c0950d210f", "value": "%System%\\rpsf.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by 
multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669977", "to_ids": false, "type": "filename", "uuid": "57a8a499-cf24-45ac-8a5d-4a17950d210f", "value": "%System%\\tv_prntx64.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669977", "to_ids": false, "type": "filename", "uuid": "57a8a499-b6b4-45b9-8c83-49e6950d210f", "value": "%System%\\wdesksys.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669978", "to_ids": false, "type": "filename", "uuid": "57a8a49a-384c-46ab-b757-4599950d210f", "value": "%System%\\dsecc.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669979", "to_ids": false, "type": "filename", "uuid": "57a8a49b-08e4-483b-afda-48af950d210f", "value": "%System%\\dcompf.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669979", "to_ids": false, "type": "filename", "uuid": "57a8a49c-b134-4f62-b7db-47f4950d210f", "value": "%System%\\dsecman.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been 
generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669980", "to_ids": false, "type": "filename", "uuid": "57a8a49c-2e48-4b36-9a62-4615950d210f", "value": "%System%\\isecc.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669981", "to_ids": false, "type": "filename", "uuid": "57a8a49d-7f90-4440-bd3c-48c0950d210f", "value": "%System%\\rcompc.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669982", "to_ids": false, "type": "filename", "uuid": "57a8a49e-4354-4414-8de1-4e0b950d210f", "value": "%System%\\rcnfloc.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669982", "to_ids": false, "type": "filename", "uuid": "57a8a49e-c33c-459c-b702-418b950d210f", "value": "%System%\\rdisk.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669983", "to_ids": false, "type": "filename", "uuid": "57a8a49f-7890-4060-ade1-4a85950d210f", "value": "%System%\\dcompman.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames 
seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669984", "to_ids": false, "type": "filename", "uuid": "57a8a4a0-377c-4402-b4c4-4882950d210f", "value": "%System%\\npsloc.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470669984", "to_ids": false, "type": "filename", "uuid": "57a8a4a0-d0f8-490b-9b4a-4d1e950d210f", "value": "%System%\\nsecc.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470670019", "to_ids": false, "type": "filename", "uuid": "57a8a4c3-168c-46d3-adf8-4947950d210f", "value": "%System%\\wcprts32.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470670020", "to_ids": false, "type": "filename", "uuid": "57a8a4c4-9e00-4714-bc39-46cb950d210f", "value": "%System%\\rpsloc.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470670020", "to_ids": false, "type": "filename", "uuid": "57a8a4c4-f6c0-4892-926d-43c3950d210f", "value": "%System%\\rsecman.dll" }, { "category": "Artifacts dropped", "comment": "Most of the 
ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470670020", "to_ids": false, "type": "filename", "uuid": "57a8a4c4-f1a4-49fb-bd2a-4c60950d210f", "value": "%System%\\mstimed.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470670021", "to_ids": false, "type": "filename", "uuid": "57a8a4c5-eefc-4946-ad46-4eda950d210f", "value": "%System%\\dcompsup.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470670021", "to_ids": false, "type": "filename", "uuid": "57a8a4c5-ebd8-46f4-86c3-440e950d210f", "value": "%System%\\compsup.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470670022", "to_ids": false, "type": "filename", "uuid": "57a8a4c6-3534-48cb-af8b-479a950d210f", "value": "%System%\\ncompman.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470670022", "to_ids": false, "type": "filename", "uuid": "57a8a4c6-f110-46a9-88bc-4755950d210f", "value": "%System%\\rsecloc.dll" }, { "category": "Artifacts dropped", 
"comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470670023", "to_ids": false, "type": "filename", "uuid": "57a8a4c7-ce98-4274-ac8c-4c15950d210f", "value": "%System%\\rdeskman.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470670023", "to_ids": false, "type": "filename", "uuid": "57a8a4c7-927c-4e93-b286-4672950d210f", "value": "%System%\\mfc64d.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470670024", "to_ids": false, "type": "filename", "uuid": "57a8a4c8-9bdc-4e78-81c4-4bed950d210f", "value": "%System%\\sceclid.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470670024", "to_ids": false, "type": "filename", "uuid": "57a8a4c8-4098-45f3-8f61-4e49950d210f", "value": "%System%\\ddesksys.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470670024", "to_ids": false, "type": "filename", "uuid": "57a8a4c8-0648-4cef-ba13-4e12950d210f", "value": "%System%\\isecman.dll" }, { "category": 
"Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470670025", "to_ids": false, "type": "filename", "uuid": "57a8a4c9-126c-43da-b2d1-4eaa950d210f", "value": "%System%\\scsvc32.exe" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470670025", "to_ids": false, "type": "filename", "uuid": "57a8a4c9-c724-4296-a7e1-4f17950d210f", "value": "%System%\\polcfg.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470670026", "to_ids": false, "type": "filename", "uuid": "57a8a4ca-b860-4371-9279-4a1d950d210f", "value": "%System%\\cnfloc.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470670027", "to_ids": false, "type": "filename", "uuid": "57a8a4cb-b800-4c34-a99e-43d0950d210f", "value": "%System%\\nseci.dll" }, { "category": "Artifacts dropped", "comment": "Most of the ProjectSauron DLL filenames seem to have been generated automatically by multiplication of several prefixes, roots and suffixes in a random order.", "deleted": false, "disable_correlation": false, "timestamp": "1470670027", "to_ids": false, "type": "filename", "uuid": "57a8a4cb-b6c0-43d5-92b4-4f45950d210f", "value": 
"%System%\\eapproxycrypt.dll" }, { "category": "Payload delivery", "comment": "Pipe backdoor / rpc helper", "deleted": false, "disable_correlation": false, "timestamp": "1470670062", "to_ids": true, "type": "md5", "uuid": "57a8a4ee-9784-401d-8c39-4aa2950d210f", "value": "46a676ab7f179e511e30dd2dc41bd388" }, { "category": "Payload delivery", "comment": "Pipe backdoor / rpc helper", "deleted": false, "disable_correlation": false, "timestamp": "1470670062", "to_ids": true, "type": "md5", "uuid": "57a8a4ee-0900-4a13-8e90-48b6950d210f", "value": "9f81f59bc58452127884ce513865ed20" }, { "category": "Payload delivery", "comment": "Pipe backdoor / rpc helper", "deleted": false, "disable_correlation": false, "timestamp": "1470670063", "to_ids": true, "type": "md5", "uuid": "57a8a4ef-9730-4c58-9bc8-4060950d210f", "value": "e710f28d59aa529d6792ca6ff0ca1b34" }, { "category": "Payload delivery", "comment": "Passive sniffer backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670092", "to_ids": true, "type": "md5", "uuid": "57a8a50c-e9e0-45c4-ae0a-429d950d210f", "value": "1f7ddb6752461615ebf0d76bdcc6ab1a" }, { "category": "Payload delivery", "comment": "Passive sniffer backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670092", "to_ids": true, "type": "md5", "uuid": "57a8a50c-8ad4-4ae5-a883-4f34950d210f", "value": "227ea8f8281b75c5cd5f10370997d801" }, { "category": "Payload delivery", "comment": "Passive sniffer backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670092", "to_ids": true, "type": "md5", "uuid": "57a8a50c-c138-441b-a39d-4bda950d210f", "value": "2f704cb6c080024624fc3267f9fdf30e" }, { "category": "Payload delivery", "comment": "Passive sniffer backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670093", "to_ids": true, "type": "md5", "uuid": "57a8a50d-5f30-4aa9-9e0e-40a2950d210f", "value": "501fe625d15b91899cc9f29fdfc19c40" }, { "category": "Payload delivery", 
"comment": "Passive sniffer backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670093", "to_ids": true, "type": "md5", "uuid": "57a8a50d-e268-4121-8751-4105950d210f", "value": "6296851190e685498955a5b37d277582" }, { "category": "Payload delivery", "comment": "Passive sniffer backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670093", "to_ids": true, "type": "md5", "uuid": "57a8a50d-579c-417b-8e7e-4261950d210f", "value": "6b114168fb117bd870c28c5557f60efe" }, { "category": "Payload delivery", "comment": "Passive sniffer backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670093", "to_ids": true, "type": "md5", "uuid": "57a8a50d-d800-4352-8026-4654950d210f", "value": "7b6fdbd3839642d6ad7786182765d897" }, { "category": "Payload delivery", "comment": "Passive sniffer backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670093", "to_ids": true, "type": "md5", "uuid": "57a8a50d-7b5c-4c34-b329-4455950d210f", "value": "7b8a3bf6fd266593db96eddaa3fae6f9" }, { "category": "Payload delivery", "comment": "Passive sniffer backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670123", "to_ids": true, "type": "md5", "uuid": "57a8a52b-0aa0-4cb4-8d4f-46d0950d210f", "value": "c0dfb68a5de80b3434b04b38a61dbb61" }, { "category": "Payload delivery", "comment": "Passive sniffer backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670123", "to_ids": true, "type": "md5", "uuid": "57a8a52b-4324-4abf-8b2e-40a4950d210f", "value": "bb6aec0cf17839a6bedfb9ddb05a0a6f" }, { "category": "Payload delivery", "comment": "Passive sniffer backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670123", "to_ids": true, "type": "md5", "uuid": "57a8a52b-1d1c-4aa5-be23-4c05950d210f", "value": "c074710482023cd73da9f83438c3839f" }, { "category": "Payload delivery", "comment": "Passive sniffer backdoor", "deleted": false, "disable_correlation": 
false, "timestamp": "1470670123", "to_ids": true, "type": "md5", "uuid": "57a8a52b-a2d0-4c63-8ca6-4cf7950d210f", "value": "c3f8f39009c583e2ea0abe2710316d2a" }, { "category": "Payload delivery", "comment": "Passive sniffer backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670123", "to_ids": true, "type": "md5", "uuid": "57a8a52b-fb90-4710-8d3b-4176950d210f", "value": "cf6c049bd7cd9e04cc365b73f3f6098e" }, { "category": "Payload delivery", "comment": "Passive sniffer backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670124", "to_ids": true, "type": "md5", "uuid": "57a8a52c-271c-479c-b476-47b0950d210f", "value": "40f751f2b22208433a1a363550c73c6b" }, { "category": "Payload delivery", "comment": "Passive sniffer backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670124", "to_ids": true, "type": "md5", "uuid": "57a8a52c-bf08-4f46-935f-427b950d210f", "value": "1d9d7d05ab7c68bdc257afb1c086fb88" }, { "category": "Payload delivery", "comment": "Generic pipe backdoors", "deleted": false, "disable_correlation": false, "timestamp": "1470670182", "to_ids": true, "type": "md5", "uuid": "57a8a566-a8a0-44eb-a50c-410b950d210f", "value": "181c84e45abf1b03af0322f571848c2d" }, { "category": "Payload delivery", "comment": "Generic pipe backdoors", "deleted": false, "disable_correlation": false, "timestamp": "1470670182", "to_ids": true, "type": "md5", "uuid": "57a8a566-05c0-4081-9d34-427d950d210f", "value": "2e460fd574e4e4cce518f9bc8fc25547" }, { "category": "Payload delivery", "comment": "Generic pipe backdoors", "deleted": false, "disable_correlation": false, "timestamp": "1470670182", "to_ids": true, "type": "md5", "uuid": "57a8a566-5750-4112-ba32-4117950d210f", "value": "1f6ba85c62d30a69208fe9fb69d601fa" }, { "category": "Payload delivery", "comment": "Null session pipes backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670210", "to_ids": true, "type": "md5", "uuid": 
"57a8a582-2fb4-4601-886b-4ce3950d210f", "value": "f3b9c454b799e2fe6f09b6170c81ff5c" }, { "category": "Payload delivery", "comment": "Null session pipes backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670210", "to_ids": true, "type": "md5", "uuid": "57a8a582-4128-4dc1-852e-4afb950d210f", "value": "0c12e834187203fbb87d0286de903dab" }, { "category": "Payload delivery", "comment": "Null session pipes backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670211", "to_ids": true, "type": "md5", "uuid": "57a8a583-9f28-4ac4-a229-45f1950d210f", "value": "72b03abb87f25e4d5a5c0e31877a3077" }, { "category": "Payload delivery", "comment": "Null session pipes backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670211", "to_ids": true, "type": "md5", "uuid": "57a8a583-44b8-486f-84de-4ac6950d210f", "value": "76db7e3af9be2dfaa491ec1142599075" }, { "category": "Payload delivery", "comment": "Null session pipes backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670211", "to_ids": true, "type": "md5", "uuid": "57a8a583-0e2c-49a8-a42b-4b9e950d210f", "value": "5d41719eb355fdf06277140da14af03e" }, { "category": "Payload delivery", "comment": "Null session pipes backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670211", "to_ids": true, "type": "md5", "uuid": "57a8a583-522c-4bea-a600-45f2950d210f", "value": "a277f018c2bb7c0051e15a00e214bbf2" }, { "category": "Payload delivery", "comment": "Pipe and internet backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670260", "to_ids": true, "type": "md5", "uuid": "57a8a5b4-4964-4d96-b178-464f950d210f", "value": "0c4a971e028dc2ae91789e08b424a265" }, { "category": "Payload delivery", "comment": "Pipe and internet backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670260", "to_ids": true, "type": "md5", "uuid": "57a8a5b4-7ef0-461d-ab19-498f950d210f", "value": 
"44c2fa487a1c01f7839b4898cc54495e" }, { "category": "Payload delivery", "comment": "Pipe and internet backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670260", "to_ids": true, "type": "md5", "uuid": "57a8a5b4-8428-4e43-9d16-4d02950d210f", "value": "f01dc49fce3a2ff22b18457b1bf098f8" }, { "category": "Payload delivery", "comment": "Pipe and internet backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670260", "to_ids": true, "type": "md5", "uuid": "57a8a5b4-84b8-4cc3-a65e-4a6b950d210f", "value": "f59813ac7e30a1b0630621e865e3538c" }, { "category": "Payload delivery", "comment": "Pipe and internet backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670261", "to_ids": true, "type": "md5", "uuid": "57a8a5b5-dbd4-4cc0-88d3-47fa950d210f", "value": "ca05d537b46d87ea700860573dd8a093" }, { "category": "Payload delivery", "comment": "Pipe and internet backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670261", "to_ids": true, "type": "md5", "uuid": "57a8a5b5-7838-43bb-b368-4236950d210f", "value": "01ac1cd4064b44cdfa24bf4eb40290e7" }, { "category": "Payload delivery", "comment": "Pipe and internet backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670261", "to_ids": true, "type": "md5", "uuid": "57a8a5b5-bc5c-42bb-9e99-48a2950d210f", "value": "1511f3c455128042f1f6db0c3d13f1ab" }, { "category": "Payload delivery", "comment": "Pipe and internet backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670261", "to_ids": true, "type": "md5", "uuid": "57a8a5b5-ff18-4804-89ba-4408950d210f", "value": "57c48b6f6cf410002503a670f1337a4b" }, { "category": "Payload delivery", "comment": "Pipe and internet backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1470670262", "to_ids": true, "type": "md5", "uuid": "57a8a5b6-8b00-40f5-873c-4a93950d210f", "value": "edb9e045b8dc7bb0b549bdf28e55f3b5" }, { "category": "Payload 
delivery", "comment": "Core platform (LUA VFS)", "deleted": false, "disable_correlation": false, "timestamp": "1470670309", "to_ids": true, "type": "md5", "uuid": "57a8a5e5-6e74-46f4-b589-4f78950d210f", "value": "71eb97ff9bf70ea8bb1157d54608f8bb" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS)", "deleted": false, "disable_correlation": false, "timestamp": "1470670309", "to_ids": true, "type": "md5", "uuid": "57a8a5e5-9c80-4be0-b7ba-450e950d210f", "value": "2f49544325e80437b709c3f10e01cb2d" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS)", "deleted": false, "disable_correlation": false, "timestamp": "1470670309", "to_ids": true, "type": "md5", "uuid": "57a8a5e5-88b8-479f-af85-42d9950d210f", "value": "7261230a43a40bb29227a169c2c8e1be" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS)", "deleted": false, "disable_correlation": false, "timestamp": "1470670310", "to_ids": true, "type": "md5", "uuid": "57a8a5e6-0f4c-49f7-8d3b-4d21950d210f", "value": "fc77b80755f7189dee1bd74760e62a72" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS)", "deleted": false, "disable_correlation": false, "timestamp": "1470670310", "to_ids": true, "type": "md5", "uuid": "57a8a5e6-cbcc-4dcb-b545-4eae950d210f", "value": "a5588746a057f4b990e215b415d2d441" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS)", "deleted": false, "disable_correlation": false, "timestamp": "1470670310", "to_ids": true, "type": "md5", "uuid": "57a8a5e6-ce00-4765-810a-4c45950d210f", "value": "0209541dead744715e359b6c6cb069a2" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS)", "deleted": false, "disable_correlation": false, "timestamp": "1470670310", "to_ids": true, "type": "md5", "uuid": "57a8a5e6-b174-4bec-a027-4a07950d210f", "value": "fca102a0b39e2e3eddd0fe0a42807417" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS)", "deleted": false, 
"disable_correlation": false, "timestamp": "1470670310", "to_ids": true, "type": "md5", "uuid": "57a8a5e6-ab10-4907-a487-441d950d210f", "value": "5373c62d99aff7135a26b2d38870d277" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS)", "deleted": false, "disable_correlation": false, "timestamp": "1470670311", "to_ids": true, "type": "md5", "uuid": "57a8a5e7-1e14-4154-b889-44e8950d210f", "value": "91bb599cbba4fb1f72e30c09823e35f7" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS)", "deleted": false, "disable_correlation": false, "timestamp": "1470670311", "to_ids": true, "type": "md5", "uuid": "57a8a5e7-1104-4dfe-94f6-43a1950d210f", "value": "914c669dbaaa27041a0be44f88d9a6bd" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS)", "deleted": false, "disable_correlation": false, "timestamp": "1470670311", "to_ids": true, "type": "md5", "uuid": "57a8a5e7-79d0-4cce-ae6b-460c950d210f", "value": "c58a90accc1200a7f1e98f7f7aa1b1ae" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS)", "deleted": false, "disable_correlation": false, "timestamp": "1470670311", "to_ids": true, "type": "md5", "uuid": "57a8a5e7-d4f0-4273-9749-4887950d210f", "value": "63780a1690b922045625ead794696482" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS)", "deleted": false, "disable_correlation": false, "timestamp": "1470670312", "to_ids": true, "type": "md5", "uuid": "57a8a5e8-d468-4c9f-96e2-4c8e950d210f", "value": "8d02e1eb86b7d1280446628f039c1964" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS)", "deleted": false, "disable_correlation": false, "timestamp": "1470670312", "to_ids": true, "type": "md5", "uuid": "57a8a5e8-460c-46d1-a8ec-4ec6950d210f", "value": "6ca97b89af29d7eff94a3a60fa7efe0a" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS)", "deleted": false, "disable_correlation": false, "timestamp": "1470670312", "to_ids": true, "type": "md5", 
"uuid": "57a8a5e8-ede0-44f3-981e-4d03950d210f", "value": "93c9c50ac339219ee442ec53d31c11a2" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS)", "deleted": false, "disable_correlation": false, "timestamp": "1470670312", "to_ids": true, "type": "md5", "uuid": "57a8a5e8-e760-4363-8716-4307950d210f", "value": "f7434b5c52426041cc87aa7045f04ec7" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS)", "deleted": false, "disable_correlation": false, "timestamp": "1470670312", "to_ids": true, "type": "md5", "uuid": "57a8a5e8-0af4-4382-9fc9-4603950d210f", "value": "f936b1c068749fe37ed4a92c9b4cfab6" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS)", "deleted": false, "disable_correlation": false, "timestamp": "1470670313", "to_ids": true, "type": "md5", "uuid": "57a8a5e9-fdc8-4454-acd1-41c8950d210f", "value": "2054d07ae841fcff6158c7ccf5f14bf2" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS)", "deleted": false, "disable_correlation": false, "timestamp": "1470670313", "to_ids": true, "type": "md5", "uuid": "57a8a5e9-51bc-451d-b486-49b7950d210f", "value": "6cd8311d11dc973e970237e10ed04ad7" }, { "category": "Payload delivery", "comment": "MyTrampoline", "deleted": false, "disable_correlation": false, "timestamp": "1470670327", "to_ids": true, "type": "md5", "uuid": "57a8a5f7-2804-4c51-903e-4165950d210f", "value": "5ddd5294655e9eb3b9b2071dc2e503b1" }, { "category": "Payload delivery", "comment": "Bus manager", "deleted": false, "disable_correlation": false, "timestamp": "1470670348", "to_ids": true, "type": "md5", "uuid": "57a8a60c-ed58-4a51-8d2e-49f2950d210f", "value": "2a8785bf45f4f03c10cd929bb0685c2d" }, { "category": "Payload delivery", "comment": "Bus manager", "deleted": false, "disable_correlation": false, "timestamp": "1470670349", "to_ids": true, "type": "md5", "uuid": "57a8a60d-5cc8-41c5-81b2-4187950d210f", "value": "f0e0cbf1498dbf9b8321d11d21c49811" }, { "category": "Payload 
delivery", "comment": "Bus manager", "deleted": false, "disable_correlation": false, "timestamp": "1470670349", "to_ids": true, "type": "md5", "uuid": "57a8a60d-eb4c-402a-89e6-4bf4950d210f", "value": "ac8072dfda27f9ea068dcad5712dd893" }, { "category": "Payload delivery", "comment": "Bus manager", "deleted": false, "disable_correlation": false, "timestamp": "1470670349", "to_ids": true, "type": "md5", "uuid": "57a8a60d-a574-4cba-8963-4429950d210f", "value": "2382a79f9764389acfb4cb4692aa044d" }, { "category": "Payload delivery", "comment": "Bus manager", "deleted": false, "disable_correlation": false, "timestamp": "1470670350", "to_ids": true, "type": "md5", "uuid": "57a8a60e-1074-4e8e-9638-4307950d210f", "value": "85ea0d79ff015d0b1e09256a880a13ce" }, { "category": "Payload delivery", "comment": "Bus manager", "deleted": false, "disable_correlation": false, "timestamp": "1470670350", "to_ids": true, "type": "md5", "uuid": "57a8a60e-887c-4551-bb03-475f950d210f", "value": "4728a97e720c564f6e76d0e22c76bae5" }, { "category": "Payload delivery", "comment": "Bus manager", "deleted": false, "disable_correlation": false, "timestamp": "1470670351", "to_ids": true, "type": "md5", "uuid": "57a8a60f-a2e0-44e1-a9ea-467e950d210f", "value": "b98227f8116133dc8060f2ada986631c" }, { "category": "Payload delivery", "comment": "Bus manager", "deleted": false, "disable_correlation": false, "timestamp": "1470670351", "to_ids": true, "type": "md5", "uuid": "57a8a60f-53cc-41cc-9cf4-4ab9950d210f", "value": "d2065603ea3538d17b6ce276f64aa7a2" }, { "category": "Payload delivery", "comment": "Bus manager", "deleted": false, "disable_correlation": false, "timestamp": "1470670352", "to_ids": true, "type": "md5", "uuid": "57a8a610-3670-4531-8cdf-4e4a950d210f", "value": "fcd1a80575f503a5c4c05d4489d78ff9" }, { "category": "Payload delivery", "comment": "Bus manager", "deleted": false, "disable_correlation": false, "timestamp": "1470670352", "to_ids": true, "type": "md5", "uuid": 
"57a8a610-d524-4b34-9395-4ee5950d210f", "value": "eb8d5f44924b4df2ce4a70305dc4bd59" }, { "category": "Payload delivery", "comment": "Bus manager", "deleted": false, "disable_correlation": false, "timestamp": "1470670353", "to_ids": true, "type": "md5", "uuid": "57a8a611-fa80-4e92-85d5-459e950d210f", "value": "17deb723a16856e72dd5c1ba0dae0cc7" }, { "category": "Payload delivery", "comment": "Bus manager", "deleted": false, "disable_correlation": false, "timestamp": "1470670353", "to_ids": true, "type": "md5", "uuid": "57a8a611-cf14-43e6-8da1-408a950d210f", "value": "b6fe14091359399c4ea572ebf645d2c5" }, { "category": "Payload delivery", "comment": "Bus manager", "deleted": false, "disable_correlation": false, "timestamp": "1470670354", "to_ids": true, "type": "md5", "uuid": "57a8a612-00b8-4efa-bd7a-4ce2950d210f", "value": "c8c30989a25c0b2918a5bb9fd6025a7a" }, { "category": "Payload delivery", "comment": "Bus manager", "deleted": false, "disable_correlation": false, "timestamp": "1470670354", "to_ids": true, "type": "md5", "uuid": "57a8a612-56f0-4871-8006-43c2950d210f", "value": "814ca3a31122d821cd1e582abf958e8f" }, { "category": "Payload delivery", "comment": "Network Sniffer", "deleted": false, "disable_correlation": false, "timestamp": "1470670378", "to_ids": true, "type": "md5", "uuid": "57a8a62a-6054-489b-b047-41fe950d210f", "value": "951ebe1ee17f61cd2398d8bc0e00b099" }, { "category": "Payload delivery", "comment": "Bus manager - Xchecked via VT: b98227f8116133dc8060f2ada986631c", "deleted": false, "disable_correlation": false, "timestamp": "1470670467", "to_ids": true, "type": "sha256", "uuid": "57a8a683-34ec-4347-b378-444c02de0b81", "value": "7cc0bf547e78c8aaf408495ceef58fa706e6b5d44441fefdce09d9f06398c0ca" }, { "category": "Payload delivery", "comment": "Bus manager - Xchecked via VT: b98227f8116133dc8060f2ada986631c", "deleted": false, "disable_correlation": false, "timestamp": "1470670467", "to_ids": true, "type": "sha1", "uuid": 
"57a8a683-f430-48c2-978c-47ca02de0b81", "value": "aa70eaa865f9444dbea03df371d220e1cd79156b" }, { "category": "External analysis", "comment": "Bus manager - Xchecked via VT: b98227f8116133dc8060f2ada986631c", "deleted": false, "disable_correlation": false, "timestamp": "1470670468", "to_ids": false, "type": "link", "uuid": "57a8a684-2248-45f8-92cf-467802de0b81", "value": "https://www.virustotal.com/file/7cc0bf547e78c8aaf408495ceef58fa706e6b5d44441fefdce09d9f06398c0ca/analysis/1469199571/" }, { "category": "Payload delivery", "comment": "Bus manager - Xchecked via VT: 2a8785bf45f4f03c10cd929bb0685c2d", "deleted": false, "disable_correlation": false, "timestamp": "1470670468", "to_ids": true, "type": "sha256", "uuid": "57a8a684-c348-4d4a-9067-4a6602de0b81", "value": "6c8c93069831a1b60279d2b316fd36bffa0d4c407068dbef81b8e2fe8fd8e8cd" }, { "category": "Payload delivery", "comment": "Bus manager - Xchecked via VT: 2a8785bf45f4f03c10cd929bb0685c2d", "deleted": false, "disable_correlation": false, "timestamp": "1470670468", "to_ids": true, "type": "sha1", "uuid": "57a8a684-d100-42bd-9280-48ea02de0b81", "value": "d18792a187d7567f3f31908c05a8b8a2647d365f" }, { "category": "External analysis", "comment": "Bus manager - Xchecked via VT: 2a8785bf45f4f03c10cd929bb0685c2d", "deleted": false, "disable_correlation": false, "timestamp": "1470670469", "to_ids": false, "type": "link", "uuid": "57a8a685-4d20-45fe-ae77-469202de0b81", "value": "https://www.virustotal.com/file/6c8c93069831a1b60279d2b316fd36bffa0d4c407068dbef81b8e2fe8fd8e8cd/analysis/1470296379/" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS) - Xchecked via VT: 6cd8311d11dc973e970237e10ed04ad7", "deleted": false, "disable_correlation": false, "timestamp": "1470670469", "to_ids": true, "type": "sha256", "uuid": "57a8a685-acec-426a-9347-4fae02de0b81", "value": "a4736de88e9208eb81b52f29bab9e7f328b90a86512bd0baadf4c519e948e5ec" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS) - 
Xchecked via VT: 6cd8311d11dc973e970237e10ed04ad7", "deleted": false, "disable_correlation": false, "timestamp": "1470670469", "to_ids": true, "type": "sha1", "uuid": "57a8a685-62ac-425b-a6b6-48a402de0b81", "value": "e13cacb3f1eab730d0def265e7167a4f2ecce9c1" }, { "category": "External analysis", "comment": "Core platform (LUA VFS) - Xchecked via VT: 6cd8311d11dc973e970237e10ed04ad7", "deleted": false, "disable_correlation": false, "timestamp": "1470670470", "to_ids": false, "type": "link", "uuid": "57a8a686-ff9c-49cd-ba0f-4c0202de0b81", "value": "https://www.virustotal.com/file/a4736de88e9208eb81b52f29bab9e7f328b90a86512bd0baadf4c519e948e5ec/analysis/1470448090/" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS) - Xchecked via VT: 7261230a43a40bb29227a169c2c8e1be", "deleted": false, "disable_correlation": false, "timestamp": "1470670470", "to_ids": true, "type": "sha256", "uuid": "57a8a686-2d80-4f84-a87d-437802de0b81", "value": "d737644d612e5051f66fb97a34ec592b3508be06e33f743a2fdb31cdf6bd2718" }, { "category": "Payload delivery", "comment": "Core platform (LUA VFS) - Xchecked via VT: 7261230a43a40bb29227a169c2c8e1be", "deleted": false, "disable_correlation": false, "timestamp": "1470670470", "to_ids": true, "type": "sha1", "uuid": "57a8a686-1b0c-4c9a-b4d2-47ab02de0b81", "value": "1bb7614bb7c3042796c8dc7befdd8042197f222d" }, { "category": "External analysis", "comment": "Core platform (LUA VFS) - Xchecked via VT: 7261230a43a40bb29227a169c2c8e1be", "deleted": false, "disable_correlation": false, "timestamp": "1470670471", "to_ids": false, "type": "link", "uuid": "57a8a687-c41c-4e9a-be4d-40da02de0b81", "value": "https://www.virustotal.com/file/d737644d612e5051f66fb97a34ec592b3508be06e33f743a2fdb31cdf6bd2718/analysis/1470649331/" }, { "category": "Payload delivery", "comment": "Pipe and internet backdoor - Xchecked via VT: edb9e045b8dc7bb0b549bdf28e55f3b5", "deleted": false, "disable_correlation": false, "timestamp": "1470670471", "to_ids": true, 
"type": "sha256", "uuid": "57a8a687-afb0-4346-9e09-453802de0b81", "value": "96c3404dadee72b1f27f6d4fbd567aac84d1fdf64a5168c7ef2464b6c4b86289" }, { "category": "Payload delivery", "comment": "Pipe and internet backdoor - Xchecked via VT: edb9e045b8dc7bb0b549bdf28e55f3b5", "deleted": false, "disable_correlation": false, "timestamp": "1470670471", "to_ids": true, "type": "sha1", "uuid": "57a8a687-1704-4209-afa1-441302de0b81", "value": "ad1a9b908602a474ce2039e95b1598f75583eb4d" }, { "category": "External analysis", "comment": "Pipe and internet backdoor - Xchecked via VT: edb9e045b8dc7bb0b549bdf28e55f3b5", "deleted": false, "disable_correlation": false, "timestamp": "1470670471", "to_ids": false, "type": "link", "uuid": "57a8a687-eb9c-46c4-ab81-494902de0b81", "value": "https://www.virustotal.com/file/96c3404dadee72b1f27f6d4fbd567aac84d1fdf64a5168c7ef2464b6c4b86289/analysis/1470649334/" }, { "category": "Payload delivery", "comment": "Pipe and internet backdoor - Xchecked via VT: 01ac1cd4064b44cdfa24bf4eb40290e7", "deleted": false, "disable_correlation": false, "timestamp": "1470670471", "to_ids": true, "type": "sha256", "uuid": "57a8a687-e038-4a22-89d3-41b202de0b81", "value": "8e63e579dded54f81ec50ef085929069d30a940ea4afd4f3bf77452f0546a3d3" }, { "category": "Payload delivery", "comment": "Pipe and internet backdoor - Xchecked via VT: 01ac1cd4064b44cdfa24bf4eb40290e7", "deleted": false, "disable_correlation": false, "timestamp": "1470670472", "to_ids": true, "type": "sha1", "uuid": "57a8a688-6df0-4a01-a58f-45d402de0b81", "value": "cc78cea09009e7dfe2f155f24e7968dd69d044a5" }, { "category": "External analysis", "comment": "Pipe and internet backdoor - Xchecked via VT: 01ac1cd4064b44cdfa24bf4eb40290e7", "deleted": false, "disable_correlation": false, "timestamp": "1470670472", "to_ids": false, "type": "link", "uuid": "57a8a688-e6c8-44aa-b015-489502de0b81", "value": 
"https://www.virustotal.com/file/8e63e579dded54f81ec50ef085929069d30a940ea4afd4f3bf77452f0546a3d3/analysis/1470649332/" }, { "category": "Payload delivery", "comment": "Passive sniffer backdoor - Xchecked via VT: 1d9d7d05ab7c68bdc257afb1c086fb88", "deleted": false, "disable_correlation": false, "timestamp": "1470670472", "to_ids": true, "type": "sha256", "uuid": "57a8a688-e528-41ab-8076-4ca602de0b81", "value": "c8f95bf8a76ff124cc1d7a8439beff360d0eb9c0972d42a8684c3bd4e91c6600" }, { "category": "Payload delivery", "comment": "Passive sniffer backdoor - Xchecked via VT: 1d9d7d05ab7c68bdc257afb1c086fb88", "deleted": false, "disable_correlation": false, "timestamp": "1470670472", "to_ids": true, "type": "sha1", "uuid": "57a8a688-e504-423f-b5ce-4cc902de0b81", "value": "63b579b9671b45478b42a5f96110c9d4234f7c82" }, { "category": "External analysis", "comment": "Passive sniffer backdoor - Xchecked via VT: 1d9d7d05ab7c68bdc257afb1c086fb88", "deleted": false, "disable_correlation": false, "timestamp": "1470670472", "to_ids": false, "type": "link", "uuid": "57a8a688-b510-4581-a81f-459402de0b81", "value": "https://www.virustotal.com/file/c8f95bf8a76ff124cc1d7a8439beff360d0eb9c0972d42a8684c3bd4e91c6600/analysis/1470653946/" }, { "category": "Payload delivery", "comment": "Passive sniffer backdoor - Xchecked via VT: cf6c049bd7cd9e04cc365b73f3f6098e", "deleted": false, "disable_correlation": false, "timestamp": "1470670473", "to_ids": true, "type": "sha256", "uuid": "57a8a689-63e8-495c-832a-423702de0b81", "value": "6b06522f803437d51c15832dbd6b91d8d8b244440b4d2f09bd952f335351b06d" }, { "category": "Payload delivery", "comment": "Passive sniffer backdoor - Xchecked via VT: cf6c049bd7cd9e04cc365b73f3f6098e", "deleted": false, "disable_correlation": false, "timestamp": "1470670473", "to_ids": true, "type": "sha1", "uuid": "57a8a689-dde4-4102-9968-455d02de0b81", "value": "90bead07f7c6c92c6ca2b34406c5ea516307ee4e" }, { "category": "External analysis", "comment": "Passive sniffer 
backdoor - Xchecked via VT: cf6c049bd7cd9e04cc365b73f3f6098e", "deleted": false, "disable_correlation": false, "timestamp": "1470670473", "to_ids": false, "type": "link", "uuid": "57a8a689-beb4-4d52-a184-4d9b02de0b81", "value": "https://www.virustotal.com/file/6b06522f803437d51c15832dbd6b91d8d8b244440b4d2f09bd952f335351b06d/analysis/1470649331/" }, { "category": "Payload delivery", "comment": "Passive sniffer backdoor - Xchecked via VT: 7b8a3bf6fd266593db96eddaa3fae6f9", "deleted": false, "disable_correlation": false, "timestamp": "1470670473", "to_ids": true, "type": "sha256", "uuid": "57a8a689-1c2c-4faf-bb9e-424202de0b81", "value": "3782b63d7f6f688a5ccb1b72be89a6a98bb722218c9f22402709af97a41973c8" }, { "category": "Payload delivery", "comment": "Passive sniffer backdoor - Xchecked via VT: 7b8a3bf6fd266593db96eddaa3fae6f9", "deleted": false, "disable_correlation": false, "timestamp": "1470670473", "to_ids": true, "type": "sha1", "uuid": "57a8a689-0504-4019-b091-453002de0b81", "value": "d18df80316160535aa798303b6f02b6ae8e04388" }, { "category": "External analysis", "comment": "Passive sniffer backdoor - Xchecked via VT: 7b8a3bf6fd266593db96eddaa3fae6f9", "deleted": false, "disable_correlation": false, "timestamp": "1470670474", "to_ids": false, "type": "link", "uuid": "57a8a68a-2e50-4611-bfed-466002de0b81", "value": "https://www.virustotal.com/file/3782b63d7f6f688a5ccb1b72be89a6a98bb722218c9f22402709af97a41973c8/analysis/1470653929/" }, { "category": "Payload delivery", "comment": "Pipe backdoor / rpc helper - Xchecked via VT: 9f81f59bc58452127884ce513865ed20", "deleted": false, "disable_correlation": false, "timestamp": "1470670474", "to_ids": true, "type": "sha256", "uuid": "57a8a68a-f2d4-453e-907e-479c02de0b81", "value": "720195b07c81e95dab4a1469342bc723938733b3846d7647264f6d0816269380" }, { "category": "Payload delivery", "comment": "Pipe backdoor / rpc helper - Xchecked via VT: 9f81f59bc58452127884ce513865ed20", "deleted": false, "disable_correlation": false, 
"timestamp": "1470670474", "to_ids": true, "type": "sha1", "uuid": "57a8a68a-dfc0-417f-a182-405d02de0b81", "value": "56ba0ff2554c6f2415654d0e4f7438ea8e0fa7f9" }, { "category": "External analysis", "comment": "Pipe backdoor / rpc helper - Xchecked via VT: 9f81f59bc58452127884ce513865ed20", "deleted": false, "disable_correlation": false, "timestamp": "1470670474", "to_ids": false, "type": "link", "uuid": "57a8a68a-42e4-4460-9b0c-469e02de0b81", "value": "https://www.virustotal.com/file/720195b07c81e95dab4a1469342bc723938733b3846d7647264f6d0816269380/analysis/1470649327/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470670307", "to_ids": false, "type": "link", "uuid": "57a8a5e3-9984-4f4e-97f8-4920950d210f", "value": "https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470670308", "to_ids": false, "type": "link", "uuid": "57a8a5e4-a59c-4970-bdb3-46d0950d210f", "value": "https://kas.pr/c9SH" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470670308", "to_ids": false, "type": "link", "uuid": "57a8a5e4-62f4-4031-9887-4710950d210f", "value": "https://securelist.com/files/2016/07/The-ProjectSauron-APT_IOCs_KL.pdf" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470670308", "to_ids": false, "type": "link", "uuid": "57a8a5e4-1260-4e62-b71a-41ea950d210f", "value": "https://securelist.com/files/2016/07/The-ProjectSauron-APT_Technical_Analysis_KL.pdf" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470670308", "to_ids": false, "type": "link", "uuid": "57a8a5e4-51f8-4491-82ae-4edb950d210f", "value": 
"https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf" } ] } }