{ "Event": { "analysis": "2", "date": "2015-04-03", "extends_uuid": "", "info": "OSINT Additional yara rules for Equation Drug by Florian Roth", "publish_timestamp": "1456150857", "published": true, "threat_level_id": "1", "timestamp": "1428090970", "uuid": "551e7bc4-ed74-4ff2-aef7-1888950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#004646", "name": "type:OSINT" }, { "colour": "#ffffff", "name": "tlp:white" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061141", "to_ids": false, "type": "text", "uuid": "551e7bd5-a208-44a8-9173-1a0e950d210b", "value": "Equation Drug" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061168", "to_ids": false, "type": "link", "uuid": "551e7bf0-2c14-45cb-8ef2-1879950d210b", "value": "https://github.com/Neo23x0/Loki/blob/master/signatures/spy_equation_fiveeyes.yar" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061168", "to_ids": false, "type": "link", "uuid": "551e7bf0-d148-470e-8c28-1879950d210b", "value": "https://github.com/Neo23x0/Loki/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061223", "to_ids": false, "type": "link", "uuid": "551e7c27-fa3c-4646-a4b1-948e950d210b", "value": "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061245", "to_ids": false, "type": "text", "uuid": "551e7c3d-1d24-422b-996f-9144950d210b", "value": "EquationGroup" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061245", "to_ids": false, "type": "text", "uuid": 
"551e7c3d-09e4-4a83-ab3a-9144950d210b", "value": "Equation Group" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061266", "to_ids": true, "type": "yara", "uuid": "551e7c52-33e8-448c-9e48-13b6950d210b", "value": "rule EquationDrug_NetworkSniffer1 {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Backdoor driven by network sniffer - mstcp32.sys, fat32.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"26e787997a338d8111d96c9a4c103cf8ff0201ce\"\r\n\tstrings:\r\n\t\t$s0 = \"Microsoft(R) Windows (TM) Operating System\" fullword wide\r\n\t\t$s1 = \"\\\\Registry\\\\User\\\\CurrentUser\\\\\" fullword wide\r\n\t\t$s3 = \"sys\\\\mstcp32.dbg\" fullword ascii\r\n\t\t$s7 = \"mstcp32.sys\" fullword wide\r\n\t\t$s8 = \"p32.sys\" fullword ascii\r\n\t\t$s9 = \"\\\\Device\\\\%ws_%ws\" fullword wide\r\n\t\t$s10 = \"\\\\DosDevices\\\\%ws\" fullword wide\r\n\t\t$s11 = \"\\\\Device\\\\%ws\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061280", "to_ids": true, "type": "yara", "uuid": "551e7c60-0274-44b9-b508-1888950d210b", "value": "rule EquationDrug_CompatLayer_UnilayDLL {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Unilay.DLL\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"a3a31937956f161beba8acac35b96cb74241cd0f\"\r\n\tstrings:\r\n\t\t$mz = { 4d 5a }\r\n\t\t$s0 = \"unilay.dll\" fullword ascii\r\n\tcondition:\r\n\t\t( $mz at 0 ) and $s0\r\n}" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061293", "to_ids": true, "type": 
"yara", "uuid": "551e7c6d-def0-43c3-86fb-7455950d210b", "value": "rule EquationDrug_HDDSSD_Op {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - HDD/SSD firmware operation - nls_933w.dll\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"ff2b50f371eb26f22eb8a2118e9ab0e015081500\"\r\n\tstrings:\r\n\t\t$s0 = \"nls_933w.dll\" fullword ascii\r\n\tcondition:\r\n\t\tall of them\r\n}" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061309", "to_ids": true, "type": "yara", "uuid": "551e7c7d-cce8-4854-8048-948e950d210b", "value": "rule EquationDrug_NetworkSniffer2 {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Network Sniffer - tdip.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"7e3cd36875c0e5ccb076eb74855d627ae8d4627f\"\r\n\tstrings:\r\n\t\t$s0 = \"Microsoft(R) Windows (TM) Operating System\" fullword wide\r\n\t\t$s1 = \"IP Transport Driver\" fullword wide\r\n\t\t$s2 = \"tdip.sys\" fullword wide\r\n\t\t$s3 = \"sys\\\\tdip.dbg\" fullword ascii\r\n\t\t$s4 = \"dip.sys\" fullword ascii\r\n\t\t$s5 = \"\\\\Device\\\\%ws_%ws\" fullword wide\r\n\t\t$s6 = \"\\\\DosDevices\\\\%ws\" fullword wide\r\n\t\t$s7 = \"\\\\Device\\\\%ws\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061329", "to_ids": true, "type": "yara", "uuid": "551e7c91-544c-4776-95f9-0d4d950d210b", "value": "rule EquationDrug_NetworkSniffer3 {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Network Sniffer - tdip.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = 
\"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"14599516381a9646cd978cf962c4f92386371040\"\r\n\tstrings:\r\n\t\t$s0 = \"Corporation. All rights reserved.\" fullword wide\r\n\t\t$s1 = \"IP Transport Driver\" fullword wide\r\n\t\t$s2 = \"tdip.sys\" fullword wide\r\n\t\t$s3 = \"tdip.pdb\" fullword ascii\r\n\tcondition:\r\n\t\tall of them\r\n}" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061349", "to_ids": true, "type": "yara", "uuid": "551e7ca5-b9a4-4ef2-84f1-9144950d210b", "value": "rule EquationDrug_VolRec_Driver {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Collector plugin for Volrec - msrstd.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"ee2b504ad502dc3fed62d6483d93d9b1221cdd6c\"\r\n\tstrings:\r\n\t\t$s0 = \"msrstd.sys\" fullword wide\r\n\t\t$s1 = \"msrstd.pdb\" fullword ascii\r\n\t\t$s2 = \"msrstd driver\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061365", "to_ids": true, "type": "yara", "uuid": "551e7cb5-5f8c-45d5-be4b-4dc2950d210b", "value": "rule EquationDrug_KernelRootkit {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Kernel mode stage 0 and rootkit (Windows 2000 and above) - msndsrv.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"597715224249e9fb77dc733b2e4d507f0cc41af6\"\r\n\tstrings:\r\n\t\t$s0 = \"Microsoft(R) Windows (TM) Operating System\" fullword wide\r\n\t\t$s1 = \"Parmsndsrv.dbg\" fullword ascii\r\n\t\t$s2 = \"\\\\Registry\\\\User\\\\CurrentUser\\\\\" 
fullword wide\r\n\t\t$s3 = \"msndsrv.sys\" fullword wide\r\n\t\t$s5 = \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Windows\" fullword wide\r\n\t\t$s6 = \"\\\\Device\\\\%ws_%ws\" fullword wide\r\n\t\t$s7 = \"\\\\DosDevices\\\\%ws\" fullword wide\r\n\t\t$s9 = \"\\\\Device\\\\%ws\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061381", "to_ids": true, "type": "yara", "uuid": "551e7cc5-36b8-465f-bc94-8c54950d210b", "value": "rule EquationDrug_Keylogger {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Key/clipboard logger driver - msrtvd.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"b93aa17b19575a6e4962d224c5801fb78e9a7bb5\"\r\n\tstrings:\r\n\t\t$s0 = \"\\\\registry\\\\machine\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\" fullword wide\r\n\t\t$s2 = \"\\\\registry\\\\machine\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Session Manager\\\\En\" wide\r\n\t\t$s3 = \"\\\\DosDevices\\\\Gk\" fullword wide\r\n\t\t$s5 = \"\\\\Device\\\\Gk0\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061401", "to_ids": true, "type": "yara", "uuid": "551e7cd9-b65c-4be1-959b-13b6950d210b", "value": "rule EquationDrug_NetworkSniffer4 {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Network-sniffer/patcher - atmdkdrv.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"cace40965f8600a24a2457f7792efba3bd84d9ba\"\r\n\tstrings:\r\n\t\t$s0 = \"Copyright 1999 RAVISENT Technologies Inc.\" fullword wide\r\n\t\t$s1 = 
\"\\\\systemroot\\\\\" fullword ascii\r\n\t\t$s2 = \"RAVISENT Technologies Inc.\" fullword wide\r\n\t\t$s3 = \"Created by VIONA Development\" fullword wide\r\n\t\t$s4 = \"\\\\Registry\\\\User\\\\CurrentUser\\\\\" fullword wide\r\n\t\t$s5 = \"\\\\device\\\\harddiskvolume\" fullword wide\r\n\t\t$s7 = \"ATMDKDRV.SYS\" fullword wide\r\n\t\t$s8 = \"\\\\Device\\\\%ws_%ws\" fullword wide\r\n\t\t$s9 = \"\\\\DosDevices\\\\%ws\" fullword wide\r\n\t\t$s10 = \"CineMaster C 1.1 WDM Main Driver\" fullword wide\r\n\t\t$s11 = \"\\\\Device\\\\%ws\" fullword wide\r\n\t\t$s13 = \"CineMaster C 1.1 WDM\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061417", "to_ids": true, "type": "yara", "uuid": "551e7ce9-b7c0-4bf8-97c3-948e950d210b", "value": "rule EquationDrug_PlatformOrchestrator {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Platform orchestrator - mscfg32.dll, svchost32.dll\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"febc4f30786db7804008dc9bc1cebdc26993e240\"\r\n\tstrings:\r\n\t\t$s0 = \"SERVICES.EXE\" fullword wide\r\n\t\t$s1 = \"\\\\command.com\" fullword wide\r\n\t\t$s2 = \"Microsoft(R) Windows (TM) Operating System\" fullword wide\r\n\t\t$s3 = \"LSASS.EXE\" fullword wide\r\n\t\t$s4 = \"Windows Configuration Services\" fullword wide\r\n\t\t$s8 = \"unilay.dll\" fullword ascii\r\n\tcondition:\r\n\t\tall of them\r\n}" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061437", "to_ids": true, "type": "yara", "uuid": "551e7cfd-bd28-489c-a56a-7455950d210b", "value": "rule EquationDrug_NetworkSniffer5 {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Network-sniffer/patcher - atmdkdrv.sys\"\r\n\t\tauthor = \"Florian Roth 
@4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"09399b9bd600d4516db37307a457bc55eedcbd17\"\r\n\tstrings:\r\n\t\t$s0 = \"Microsoft(R) Windows (TM) Operating System\" fullword wide\r\n\t\t$s1 = \"\\\\Registry\\\\User\\\\CurrentUser\\\\\" fullword wide\r\n\t\t$s2 = \"atmdkdrv.sys\" fullword wide\r\n\t\t$s4 = \"\\\\Device\\\\%ws_%ws\" fullword wide\r\n\t\t$s5 = \"\\\\DosDevices\\\\%ws\" fullword wide\r\n\t\t$s6 = \"\\\\Device\\\\%ws\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061452", "to_ids": true, "type": "yara", "uuid": "551e7d0c-9254-4e05-8fb7-13b6950d210b", "value": "rule EquationDrug_FileSystem_Filter {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Filesystem filter driver \u2013 volrec.sys, scsi2mgr.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"57fa4a1abbf39f4899ea76543ebd3688dcc11e13\"\r\n\tstrings:\r\n\t\t$s0 = \"volrec.sys\" fullword wide\r\n\t\t$s1 = \"volrec.pdb\" fullword ascii\r\n\t\t$s2 = \"Volume recognizer driver\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061599", "to_ids": true, "type": "sha1", "uuid": "551e7d9f-449c-4b11-b116-1a0e950d210b", "value": "26e787997a338d8111d96c9a4c103cf8ff0201ce" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061599", "to_ids": true, "type": "sha1", "uuid": "551e7d9f-90b4-495d-a76f-1a0e950d210b", "value": "a3a31937956f161beba8acac35b96cb74241cd0f" }, { "category": "Artifacts dropped", "comment": "", "deleted": 
false, "disable_correlation": false, "timestamp": "1428061599", "to_ids": true, "type": "sha1", "uuid": "551e7d9f-e820-4991-a88b-1a0e950d210b", "value": "ff2b50f371eb26f22eb8a2118e9ab0e015081500" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061600", "to_ids": true, "type": "sha1", "uuid": "551e7da0-6554-48c1-9789-1a0e950d210b", "value": "7e3cd36875c0e5ccb076eb74855d627ae8d4627f" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061600", "to_ids": true, "type": "sha1", "uuid": "551e7da0-2538-4b10-9773-1a0e950d210b", "value": "14599516381a9646cd978cf962c4f92386371040" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061600", "to_ids": true, "type": "sha1", "uuid": "551e7da0-ed30-41a0-b60e-1a0e950d210b", "value": "ee2b504ad502dc3fed62d6483d93d9b1221cdd6c" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061600", "to_ids": true, "type": "sha1", "uuid": "551e7da0-fa2c-4124-bc52-1a0e950d210b", "value": "597715224249e9fb77dc733b2e4d507f0cc41af6" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061600", "to_ids": true, "type": "sha1", "uuid": "551e7da0-e87c-460b-8a4d-1a0e950d210b", "value": "b93aa17b19575a6e4962d224c5801fb78e9a7bb5" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061600", "to_ids": true, "type": "sha1", "uuid": "551e7da0-cb54-4d83-bd6f-1a0e950d210b", "value": "cace40965f8600a24a2457f7792efba3bd84d9ba" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061600", "to_ids": true, "type": "sha1", "uuid": "551e7da0-5eb4-4489-98a0-1a0e950d210b", "value": 
"febc4f30786db7804008dc9bc1cebdc26993e240" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061600", "to_ids": true, "type": "sha1", "uuid": "551e7da0-5a10-440a-a4ce-1a0e950d210b", "value": "09399b9bd600d4516db37307a457bc55eedcbd17" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1428061600", "to_ids": true, "type": "sha1", "uuid": "551e7da0-b430-43bf-b5fa-1a0e950d210b", "value": "57fa4a1abbf39f4899ea76543ebd3688dcc11e13" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 26e787997a338d8111d96c9a4c103cf8ff0201ce)", "deleted": false, "disable_correlation": false, "timestamp": "1455839505", "to_ids": true, "type": "md5", "uuid": "56c65911-1c7c-4ca9-860f-59a1950d210f", "value": "74de13b5ea68b3da24addc009f84baee" }, { "category": "Artifacts dropped", "comment": "Automatically added (via a3a31937956f161beba8acac35b96cb74241cd0f)", "deleted": false, "disable_correlation": false, "timestamp": "1455839507", "to_ids": true, "type": "md5", "uuid": "56c65913-45f0-437c-afe4-59a2950d210f", "value": "ef4405930e6071ae1f7f6fa7d4f3397d" }, { "category": "Artifacts dropped", "comment": "Automatically added (via ff2b50f371eb26f22eb8a2118e9ab0e015081500)", "deleted": false, "disable_correlation": false, "timestamp": "1455839509", "to_ids": true, "type": "md5", "uuid": "56c65915-1a88-47c3-a14f-59a4950d210f", "value": "11fb08b9126cdb4668b3f5135cf7a6c5" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 7e3cd36875c0e5ccb076eb74855d627ae8d4627f)", "deleted": false, "disable_correlation": false, "timestamp": "1455839511", "to_ids": true, "type": "md5", "uuid": "56c65917-cb64-415e-a117-599e950d210f", "value": "20506375665a6a62f7d9dd22d1cc9870" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 14599516381a9646cd978cf962c4f92386371040)", "deleted": false, "disable_correlation": false, 
"timestamp": "1455839513", "to_ids": true, "type": "md5", "uuid": "56c65919-a364-49c2-8632-c650950d210f", "value": "60dab5bb319281747c5863b44c5ac60d" }, { "category": "Artifacts dropped", "comment": "Automatically added (via ee2b504ad502dc3fed62d6483d93d9b1221cdd6c)", "deleted": false, "disable_correlation": false, "timestamp": "1455839515", "to_ids": true, "type": "md5", "uuid": "56c6591b-ec0c-4ef9-a84c-599d950d210f", "value": "15d39578460e878dd89e8911180494ff" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 597715224249e9fb77dc733b2e4d507f0cc41af6)", "deleted": false, "disable_correlation": false, "timestamp": "1455839517", "to_ids": true, "type": "md5", "uuid": "56c6591d-a640-4716-8bf4-5f51950d210f", "value": "c4f8671c1f00dab30f5f88d684af1927" }, { "category": "Artifacts dropped", "comment": "Automatically added (via b93aa17b19575a6e4962d224c5801fb78e9a7bb5)", "deleted": false, "disable_correlation": false, "timestamp": "1455839519", "to_ids": true, "type": "md5", "uuid": "56c6591f-28dc-40be-9925-c654950d210f", "value": "f6bf3ed3bcd466e5fd1cbaf6ba658716" }, { "category": "Artifacts dropped", "comment": "Automatically added (via cace40965f8600a24a2457f7792efba3bd84d9ba)", "deleted": false, "disable_correlation": false, "timestamp": "1455839521", "to_ids": true, "type": "md5", "uuid": "56c65921-3ee8-4e94-b03a-c651950d210f", "value": "214f7a2c95bdc265888fbcd24e3587da" }, { "category": "Artifacts dropped", "comment": "Automatically added (via febc4f30786db7804008dc9bc1cebdc26993e240)", "deleted": false, "disable_correlation": false, "timestamp": "1455839522", "to_ids": true, "type": "md5", "uuid": "56c65922-3ac8-4f0c-b172-432f950d210f", "value": "5767b9d851d0c24e13eca1bfd16ea424" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 09399b9bd600d4516db37307a457bc55eedcbd17)", "deleted": false, "disable_correlation": false, "timestamp": "1455839524", "to_ids": true, "type": "md5", "uuid": 
"56c65924-bc08-4ddc-b84a-c653950d210f", "value": "8d87a1845122bf090b3d8656dc9d60a8" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 57fa4a1abbf39f4899ea76543ebd3688dcc11e13)", "deleted": false, "disable_correlation": false, "timestamp": "1455839527", "to_ids": true, "type": "md5", "uuid": "56c65927-6c14-408b-81bb-599c950d210f", "value": "c17e16a54916d3838f63d208ebab9879" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 26e787997a338d8111d96c9a4c103cf8ff0201ce)", "deleted": false, "disable_correlation": false, "timestamp": "1455839506", "to_ids": true, "type": "sha256", "uuid": "56c65912-dab8-4b67-aa47-5f51950d210f", "value": "26215bc56dc31d2466d72f1f4e1b6388e62606e9949bc41c28968fcb9a9d60a6" }, { "category": "Artifacts dropped", "comment": "Automatically added (via a3a31937956f161beba8acac35b96cb74241cd0f)", "deleted": false, "disable_correlation": false, "timestamp": "1455839508", "to_ids": true, "type": "sha256", "uuid": "56c65914-4cb0-4ff7-84e0-c653950d210f", "value": "1c376452b451e05363dd39c56994bd3414e02ffecf89dbc40461eb6e2fe9e51e" }, { "category": "Artifacts dropped", "comment": "Automatically added (via ff2b50f371eb26f22eb8a2118e9ab0e015081500)", "deleted": false, "disable_correlation": false, "timestamp": "1455839510", "to_ids": true, "type": "sha256", "uuid": "56c65916-6540-4e43-a359-4dfb950d210f", "value": "83d14ce2dcfc852791d20cd78066ba5a2b39eb503e12e33f2ef0b1a46c68de73" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 7e3cd36875c0e5ccb076eb74855d627ae8d4627f)", "deleted": false, "disable_correlation": false, "timestamp": "1455839512", "to_ids": true, "type": "sha256", "uuid": "56c65918-64ac-4501-bbe1-5f51950d210f", "value": "a5ec4d102d802ada7c5083af53fd9d3c9b5aa83be9de58dbb4fac7876faf6d29" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 14599516381a9646cd978cf962c4f92386371040)", "deleted": false, "disable_correlation": false, "timestamp": 
"1455839514", "to_ids": true, "type": "sha256", "uuid": "56c6591a-e1f0-4015-a784-c651950d210f", "value": "318bb5ca29ac1f647f78a5cf1124d6849fadf52e5bc7193fa05922d36a8db4e5" }, { "category": "Artifacts dropped", "comment": "Automatically added (via ee2b504ad502dc3fed62d6483d93d9b1221cdd6c)", "deleted": false, "disable_correlation": false, "timestamp": "1455839515", "to_ids": true, "type": "sha256", "uuid": "56c6591b-0f40-4f75-819b-4aed950d210f", "value": "c3f92c8b2b11c170879fafa29b698d76a5ea4ed37e01674848c63a911d76bece" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 597715224249e9fb77dc733b2e4d507f0cc41af6)", "deleted": false, "disable_correlation": false, "timestamp": "1455839518", "to_ids": true, "type": "sha256", "uuid": "56c6591e-7c58-4732-8dcf-c650950d210f", "value": "9f1b82e6c2e9760284c53c5377a054d6cfcb2bd5e36329e0f7c395aa02d79d0d" }, { "category": "Artifacts dropped", "comment": "Automatically added (via b93aa17b19575a6e4962d224c5801fb78e9a7bb5)", "deleted": false, "disable_correlation": false, "timestamp": "1455839520", "to_ids": true, "type": "sha256", "uuid": "56c65920-d184-482b-99e8-59a3950d210f", "value": "63a3b1d2e234481bcee6d95ff8e4d7ebf1967009e32fda35a675bffbd8e4c4aa" }, { "category": "Artifacts dropped", "comment": "Automatically added (via cace40965f8600a24a2457f7792efba3bd84d9ba)", "deleted": false, "disable_correlation": false, "timestamp": "1455839522", "to_ids": true, "type": "sha256", "uuid": "56c65922-8c08-40ea-b58c-599f950d210f", "value": "d0a4b7d09d36459b07552c0269eeed450fb016a1192088bfb13cf50fba7f92cf" }, { "category": "Artifacts dropped", "comment": "Automatically added (via febc4f30786db7804008dc9bc1cebdc26993e240)", "deleted": false, "disable_correlation": false, "timestamp": "1455839523", "to_ids": true, "type": "sha256", "uuid": "56c65923-7868-4115-8eaf-49ed950d210f", "value": "9df733c565cf3c98878911af11ff17f8788c06e56466db6eaab81f8fa80344e4" }, { "category": "Artifacts dropped", "comment": "Automatically 
added (via 09399b9bd600d4516db37307a457bc55eedcbd17)", "deleted": false, "disable_correlation": false, "timestamp": "1455839525", "to_ids": true, "type": "sha256", "uuid": "56c65925-b8b8-4f8c-9be2-5f51950d210f", "value": "897489999ff2c360678cdba9a40a6613fc042f346ccfb325fdc0fa46ac42d00e" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 57fa4a1abbf39f4899ea76543ebd3688dcc11e13)", "deleted": false, "disable_correlation": false, "timestamp": "1455839528", "to_ids": true, "type": "sha256", "uuid": "56c65928-b2d8-4247-924b-59a4950d210f", "value": "355e5643c5a04c18d831b942ef65a21d1cdb1d93ea328b0203a38876cef3f93e" } ] } }