schemas.v1.2.0.samples.APT1.Appendix_G_IOCs_Full.xml Maven / Gradle / Ivy
The Java bindings for STIX v.1.2.0.2
<?xml version="1.0" encoding="UTF-8"?> <!-- APT1: Exposing One of China's Cyber Espionage Units (the "APT1 Report") is copyright 2013 by Mandiant Corporation and can be downloaded at intelreport.mandiant.com. This XML file using the STIX standard was created by The MITRE Corporation using the content of the APT1 Report with Mandiant's permission. Mandiant is not responsible for the content of this file. This document was developed against STIX 1.2 and CybOX 2.1 using automated transforms from OpenIOC 2010. It is intended for demonstration purposes only and no guarantee is made to the accuracy or completeness of the information. This document was automatically generated using an OpenIOC -> STIX/CybOX conversion tool. It takes each IOC definition and converts it into a single STIX Indicator with associated Name and Description (from the IOC). It includes the IOC itself as a Test_Mechanism for the indicator and also includes CybOX Observables (automatically converted from the IOC definition). The CybOX Observable conversion in particular should be considered lossy due to limitations in the conversion utility: while CybOX 2.1 supports a superset of OpenIOC 2010, the conversion utility does not support all OpenIOC content. We anticipate further development of the conversion tool could create a full, lossless conversion from OpenIOC 2010 to CybOX 2.1. 
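--> <stix:STIX_Package
    id="mandiant:package-190593d6-1861-4cfe-b212-c016fce1e248"
    version="1.2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:report="http://stix.mitre.org/Report-1"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:ttp="http://stix.mitre.org/TTP-1"
    xmlns:marking="http://data-marking.mitre.org/Marking-1"
    xmlns:terms="http://data-marking.mitre.org/extensions/MarkingStructure#Terms_Of_Use-1"
    xmlns:openiocTM="http://stix.mitre.org/extensions/TestMechanism#OpenIOC2010-1"
    xmlns:mandiant="http://www.mandiant.com"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:WinServiceObj="http://cybox.mitre.org/objects#WinServiceObject-2"
    xmlns:WinProcessObj="http://cybox.mitre.org/objects#WinProcessObject-2"
    xmlns:WinExecutableFileObj="http://cybox.mitre.org/objects#WinExecutableFileObject-2"
    xmlns:WinRegistryKeyObj="http://cybox.mitre.org/objects#WinRegistryKeyObject-2"
    xmlns:WinHandleObj="http://cybox.mitre.org/objects#WinHandleObject-2"
    xmlns:ProcessObj="http://cybox.mitre.org/objects#ProcessObject-2"
    xmlns:WinDriverObj="http://cybox.mitre.org/objects#WinDriverObject-3"
    xsi:schemaLocation="
      http://stix.mitre.org/stix-1 ../../stix_core.xsd
      http://stix.mitre.org/Report-1 ../../report.xsd
      http://stix.mitre.org/default_vocabularies-1 ../../stix_default_vocabularies.xsd
      http://stix.mitre.org/common-1 ../../stix_common.xsd
      http://cybox.mitre.org/cybox-2 ../../cybox/cybox_core.xsd
      http://cybox.mitre.org/common-2 ../../cybox/cybox_common.xsd
      http://cybox.mitre.org/default_vocabularies-2 ../../cybox/cybox_default_vocabularies.xsd
      http://stix.mitre.org/Indicator-2 ../../indicator.xsd
      http://stix.mitre.org/TTP-1 ../../ttp.xsd
      http://data-marking.mitre.org/Marking-1 ../../data_marking.xsd
      http://data-marking.mitre.org/extensions/MarkingStructure#Terms_Of_Use-1 ../../extensions/marking/terms_of_use_marking.xsd
      http://cybox.mitre.org/objects#FileObject-2 ../../cybox/objects/File_Object.xsd
      http://cybox.mitre.org/objects#WinServiceObject-2 ../../cybox/objects/Win_Service_Object.xsd
      http://cybox.mitre.org/objects#WinProcessObject-2 ../../cybox/objects/Win_Process_Object.xsd
      http://cybox.mitre.org/objects#WinExecutableFileObject-2 ../../cybox/objects/Win_Executable_File_Object.xsd
      http://cybox.mitre.org/objects#WinRegistryKeyObject-2 ../../cybox/objects/Win_Registry_Key_Object.xsd
      http://cybox.mitre.org/objects#WinHandleObject-2 ../../cybox/objects/Win_Handle_Object.xsd
      http://cybox.mitre.org/objects#ProcessObject-2 ../../cybox/objects/Process_Object.xsd
      http://cybox.mitre.org/objects#WinDriverObject-3 ../../cybox/objects/Win_Driver_Object.xsd
      http://stix.mitre.org/extensions/TestMechanism#OpenIOC2010-1 ../../extensions/test_mechanism/open_ioc_2010_test_mechanism.xsd
    ">
  <!-- Schema hints: every namespace URI in xsi:schemaLocation must equal the
       xmlns declaration for the same schema, character for character. A pair
       whose URI differs from the declared one does not associate the schema
       with that namespace, so a validator following the hints would leave
       the WinDriverObj and openiocTM content unchecked. The locations are
       relative paths into the schema bundle and are hints only: validate
       against a locally pinned copy of the STIX 1.2 / CybOX 2.1 schemas
       rather than resolving locations taken from the document. -->
  <stix:STIX_Header>
    <stix:Handling>
      <!-- The Controlled_Structure XPath selects every node and every attribute,
           so the Terms of Use marking below applies to the whole package. -->
      <marking:Marking xmlns="http://data-marking.mitre.org">
        <marking:Controlled_Structure>//node() | //@*</marking:Controlled_Structure>
        <marking:Marking_Structure xsi:type="terms:TermsOfUseMarkingStructureType">
          <terms:Terms_Of_Use>APT1: Exposing One of China's Cyber Espionage Units (the "APT1 Report") is copyright 2013 by Mandiant Corporation and can be downloaded at intelreport.mandiant.com. This XML file using the STIX standard was created by The MITRE Corporation using the content of the APT1 Report with Mandiant's permission. 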
Mandiant is not responsible for the content of this file.</terms:Terms_Of_Use> </marking:Marking_Structure> </marking:Marking> </stix:Handling> <stix:Information_Source> <stixCommon:Identity> <stixCommon:Name>MITRE</stixCommon:Name> </stixCommon:Identity> <stixCommon:Role xsi:type="stixVocabs:InformationSourceRoleVocab-1.0">Transformer/Translator</stixCommon:Role> <stixCommon:Contributing_Sources> <stixCommon:Source> <stixCommon:Identity> <stixCommon:Name>Mandiant</stixCommon:Name> </stixCommon:Identity> <stixCommon:Role xsi:type="stixVocabs:InformationSourceRoleVocab-1.0">Initial Author</stixCommon:Role> <stixCommon:Time> <cyboxCommon:Produced_Time precision="day">2013-02-19T00:00:00Z</cyboxCommon:Produced_Time> </stixCommon:Time> </stixCommon:Source> </stixCommon:Contributing_Sources> <stixCommon:Time> <cyboxCommon:Produced_Time precision="day">2014-01-16T00:00:00Z</cyboxCommon:Produced_Time> </stixCommon:Time> <stixCommon:References> <stixCommon:Reference>http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf</stixCommon:Reference> </stixCommon:References> </stix:Information_Source> </stix:STIX_Header> <stix:Observables cybox_major_version="2" cybox_minor_version="1"> <cybox:Observable id="mandiant:observable-b7013416-7e77-4078-a0bd-a33b49c7cb2f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b305b543da332a2fcf6e1ce55ed2ea79</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-749eea4e-2812-4b4d-bba9-4292bedc05a2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>23e371b816bab10cd9cfc4a46154022c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> 
</cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2d244ba9-73e0-4270-96aa-64f1c8935d27"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5e17055c51724b0b89ff036d02f5208a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-41207254-a9d7-4b95-9080-a4d8905d2fd5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e62dadb2856c099a066713883bc12788</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-df3e85c7-82a9-4032-b860-03c5e891d3b0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>gdocs.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-da666dfb-6d51-4374-b0b0-3a896d06f3dc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>hotmail.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-94ab92ad-b5e9-4ebe-bd9f-125b97511e7a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>hotmail.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7ff03fbe-0077-44dc-b1a3-fa9771b3302a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>sg.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-266e75ec-5639-4d5d-b094-c59173a61b13"> <cybox:Object> <cybox:Properties 
xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- The IOC to CybOX converter does not support this portion of OpenIOC at this time, so this observable carries no properties. The dropped condition (presumably on PE attributes, per the placeholder that follows) is available only through the indicator's OpenIOC Test_Mechanism; do not match on this empty object by itself. --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-30d852eb-43c9-4ab4-b602-ae7fd7636216"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- The IOC to CybOX converter does not support this portion of OpenIOC at this time, so this observable carries no properties. The dropped condition (presumably on PE attributes, per the placeholder that follows) is available only through the indicator's OpenIOC Test_Mechanism; do not match on this empty object by itself. --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-995a7833-1780-4b17-b5fa-944f6d8f51b1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>104448</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-af887012-42d2-4a98-9c91-91fa99f5986a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>104449</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fccec804-ae93-4ea1-9cc6-8795523b7ec6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>98304</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cbf27d57-cf18-40b5-a706-8501083e46ae"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>113664</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3cfaf45b-31a1-4f1e-a690-09f132e5c612"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-03-18T02:41:49Z</WinExecutableFileObj:Time_Date_Stamp> 
</WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c39b79ba-460e-4619-bf49-73a4a81e256d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-07-29T00:57:16Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-300bc2bd-1cdc-4c94-90e0-54bba1f9bbae"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-03-31T03:16:31Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e1ec420f-4c61-480d-99ef-dca3254fb0a2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>05552a77620933dd80f1e176736f8fe7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-20ac1c71-1cd4-4e0b-8001-80fc3e3fac96"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>079028d315d039da0ffec2728b2c9ef6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1e9eb511-73b2-485f-9b1b-991bc4313913"> <cybox:Object> 
<cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>07c4032f24ae44614676fbdfe539afe0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-772dc61f-ba08-498e-b2de-a2b98f5b08c5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0c5e9f564115bfcbee66377a829de55f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c8991eaa-9d25-4658-8d95-dd02938d5b90"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0f23d5b93c30681655d8a4258b8de129</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4508d1fa-2def-4e7b-aef0-2335da307d42"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0ff20d023d6b54661d66fb3ce09afe3c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d781ac40-1769-4f52-b3c5-bf744801c2ff"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>120c2e085992ff59a21ba401ec29fec9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> 
<cybox:Observable id="mandiant:observable-3349f01e-f085-410f-a055-dbcf0d4d62ec"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>150c4c1f589c4baa794160276a3d4aba</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a51dbcf4-a440-4957-8dfb-ab407283f7bf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1ce4605e771a04e375e0d1083f183e8e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e7dc9205-07d0-4007-980b-5aadb24c9c9c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1ede2c69d50e0efbe23f758d902216e0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-be3334f5-8e3f-41d2-b240-d454b901915b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1f92ff8711716ca795fbd81c477e45f5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f5c39a66-9c50-4f6e-824f-087289bce12e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1fb4ce2e56ced51ddf1edff8ed15c21b</cyboxCommon:Simple_Hash_Value> 
</cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c7102c3d-c443-41f6-8613-32a8d0971c84"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>286f48dda20e2ccc3250a6e09a130db1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-26a44cdc-4243-4e9c-ace8-5377aec75419"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2bdc196cdac4478ae325c94bab433732</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-decf5fd1-bb0a-4520-aa86-775963a75eb3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2fae9efa753d3d821e1efdbc1335b966</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a3199552-d951-4538-8438-a0b1dfac9924"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>30e78d186b27d2023a2a7319bb679c3f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-33314588-1d58-4e2e-8125-d19bbdad8a23"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>3364813bcbd111fc5ec1e4265c533506</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2fd9d81c-477d-488f-b431-80547d6d9837"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>341f5e7215826d07ada1ed2b96264c0d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-473e0cbd-617c-49a8-9703-f25760a24d4b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>36c0d3f109aede4d76b05431f8a64f9e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-613cdf6d-f9ad-49d6-a945-657873891371"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>370c50aea66cc338b37801e1bd1c244f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1158e81e-fd49-4a75-9f74-fcd2a96dc841"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>390d1f2a620912104f53c034c8aef14b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-64c5cd50-f681-41ee-a85e-1395938d2f4f"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3e69945e5865ccc861f69b24bc1166b6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6641cfcb-3e4b-4466-aec8-0bd4422748e3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3e6ed3ee47bce9946e2541332cb34c69</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-538aa92b-e73d-497f-8fe5-b5b60897782f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3fb8f4cdcb4d1d48be2e473fd8727239</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-64d2746e-a20b-4fae-af67-06e8221ea112"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>41bb847963a8fce70ad21e70dd786107</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-77f946d9-bd9f-49aa-bd2b-9891b55b6adb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>435991e0c67f0c0b4504355b6d4493f0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-2ec17dff-0a4b-4404-bfb9-5513d655a047"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>46c36c11238100e155f6d418332869ea</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9a7022fc-e399-4a93-91dd-9714edabc42f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>471005f73280264c48f769e1c21fbcc1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dae02941-49da-4a9f-b1a6-217aa976d3b4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4d21cc82e4031e1d6bb15541827b9e67</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5bd1bbcc-1397-4088-808e-7fee1ed4554d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>543c283d691939d99667e22bcb7be610</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a8a846b7-9862-4fb2-ae26-0092fd74545f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>55f60194833efcbc8ac16bd0a1cced1a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-34c94390-75ac-4859-9caf-bf021e9ed0ce"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>55fb1409170c91740359d1d96364f17b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bb05e832-320d-484c-984e-7c9004b71ab1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>57e79f7df13c0cb01910d0c688fcd296</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-23166621-b363-4d13-8d2a-36848bbf62ef"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>58b020fd3bc0d34e8c4eaf0a3f3135af</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-18f011f0-f745-4a17-9489-4b313b78430c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5aeaa53340a281074fcb539967438e3f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-32d9d3e3-247a-4814-871c-a2babb11470d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>5cd578614afb50b925008b68b3accdb9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-275c7cf8-3fec-4250-8321-44beaf6fd69a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5cf0959687427850a92d7f69edd41b86</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0f2e40fe-a821-4e2d-84a5-4b76a184012e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5e42780f52763c77d592044e535e4b01</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-06c9e45a-f169-42a1-9b13-897af75de113"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5f837bbfd3b458321070e2aebca4ec46</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8d300eb0-cb97-4330-93dc-843a8cc7e2aa"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6570163cd34454b3d1476c134d44b9d9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-aef94cef-dc4e-4b2a-8225-9d95136bc755"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>68c67a6e26855ebc2569d67689c69a6e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5023dbc8-9694-4991-82f6-45fe4d5540ca"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6d2320af561b2315c1241e3efd86067f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f0444f6b-c0d5-4260-b3a3-c9c68e4af739"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6fdec862951e8b128cd7a07b2031eef6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d525d2c9-f65c-4758-9f9e-af6b0d579663"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7388d67561d0a7989202ad4d37eff24f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2ac47a09-7e4b-4ac4-bb5c-7d52464884d7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>75ff4bd6b209b6f10472c4cd22e3f9e6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-cac4805b-02ec-4cb2-b858-3b27d38cb682"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7bfeb0eaa1c51513e60bc0abafb1be9f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-28a1d405-9c3f-4d9f-aa23-6de71d4bc41e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7bfeb0eaa1c51513e60bc0abafb1be9f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6197cea2-6385-465b-9fcd-78bebdc39af2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7c82cd17b0fa420f09f97e060621ed7b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-47d34f53-7514-4df6-b7c4-2e668fe5e25b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8454918f639a1b0719e00627f211d2ed</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8998f977-7229-4133-93fa-199947f79e15"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>86dd715a8d28788e68a575207d66df34</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b27d81e7-e6f1-46ad-b4ec-ecca558965b8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>871cc547feb9dbec0285321068e392b8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-70082008-096d-40ca-8c83-e14beffe88f5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8725870a43192cb0176c82012996910a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-50006157-6205-472e-afd6-9efebcd100ad"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>88b5f635ac9031bcdeda1f751952f966</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4477fab7-4163-4af1-ad10-3fc91bd3b4c2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8913ac72cdb8afd98bd8446896e1595a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-38b1e400-a382-465d-96dc-1dfab9c6b6b1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>8a7764ded8467bd0fd0c30adc2acc1d4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3a96f94b-5379-4a81-b5f9-fa09afcc08a1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8dfbf8a46d3a302fd420305918e9414d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7a940ca1-edde-4409-b21a-ce7fb46b077e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8e1ec7e556b8c6612b6c34e310c50b66</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9e80350c-058f-461b-9064-61af37e28f8c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8f3d20c983f9d82a8ff17466f45ee757</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-96232b18-df03-4e8b-86ea-204500bb30ca"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8f4863b4dfb52d8362c031d3720a6d97</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3baabbac-2dce-450c-9330-321c727d4fce"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>91deceb64c795927c6ea07f695f67334</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-516da75b-a9ce-40dc-8d9c-f45672885599"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>91f538c08b9dee1bb0c6b6c82f727c5d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-afd2f86b-3c67-4203-aa53-06f3e7387abf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>95d85aa629a786bb67439a064c4349ec</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c6fcda16-4d86-41f5-86a2-2e4ad40641f5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>98d257a13d176940910d6441a854d7a4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-30cdb260-0f62-4ded-9ba2-19e9c518c9d5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9e511dc5ad8a884f4416e68c54f742e1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-481c3313-50c7-4159-9b24-e3d0078d0cc1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a241eec892637dec971bd925a40d3efb</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c0effb84-c3e6-47f6-a3da-08f5491c42de"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a565682d8a13a5719977223e0d9c7aa4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7a0f19f5-055f-4d1a-94a0-61659717d4c4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a96a6c91e71e243f00a64f53e2fd6415</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-57ae3129-905d-4e92-b377-b96bd539ae84"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a99e06e2f90db4e506ef1347a8774dd5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2a3b7d04-9696-444c-b1ac-c2661327b87f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ab208f0b517ba9850f1551c9555b5313</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8ab89f41-c82d-49d3-a4bd-97c01be38ff4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ad3cccbe9ddff04b670d353b938f5da9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b269a41a-09b6-4e11-b395-3a84a69ab486"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>af2745e8888f2ba17a9cf2e0779d3874</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-58f6187b-36c7-452f-82c5-dd649f81aab9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b145e4d19f5ecfaad45c795aee69c8dc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bb9dd9d0-794e-47aa-9922-d287db0eda13"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b1912db011633d98bc40ac568a4167a7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9c91f63b-3221-42dc-b68f-a8a9637526c0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>b1ff1ef983a1aee3a395788ec441d006</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8555081f-f434-44c9-8704-682ffb833118"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b3bc979d8de3be09728c5de1a0297c4b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9e9b3fc8-dca1-4b8d-97b8-2f934db54bfc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b5e9ce72771217680efaeecfafe3da3f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-86127e61-8b13-43b4-be1a-55cdcb39ec21"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b8f61242e28f2edf6cb1be8781438491</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5b4e926d-04c3-42f5-aecf-b999c6c05848"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ba0c4d3dbf07d407211b5828405a9b91</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-48c6cd00-0079-4c5b-a110-1365bf086141"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bc756bb6bf4e7b2058e8dce6ba8b1a79</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ecd8afec-bd5a-4450-9629-5461f89ddd4d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c044715c2626ab515f6c85a21c47c7dd</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2e081c5e-ade1-418e-b529-abca2aabe25a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c30c7fa2eb06fc8c9ebbe955abe26edd</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e4cc9324-dfe2-47a6-b7bc-20ca16fa2ee6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c3de028cbc5aa0934008d95689d5f334</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-30c32ef6-bc23-46d8-82a2-726a4ea928d1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c763e041c8e85c195ade90e120338be7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-f9d1ec1d-866a-4784-8c86-99fffe93185a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c799e1d25839e1efb2b3d42d6d6efd26</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d55f6ff6-48ad-4328-b663-dc2c6da7641f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cc17fe9f2d254ad28d050bf5c1df983d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-79268e88-068f-4cdd-9ff6-c082e547ec53"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ccfb7a84bb87cc8f86ddd260ad38ed5b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9afbad71-cb40-4d0c-b6ae-46cadb3db781"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cd2102c5db1ed828a9c196448c40af3e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2588b066-a161-44d4-902b-62ef027e37bd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cd677f9ede43b4b86b421db249c0e020</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cf4f20e4-6bb5-4a81-ad07-7de57b0d4180"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d47b04327157fb188c0e81886e346c48</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0a1e6213-3002-4ec0-a4e6-d6b429d3b69b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d52f35c4c9dbda4c94164291df8a2724</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3b9b8c92-5f09-4e1b-afe7-df0294ba9686"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e0fc0fae758d7c6091cdb11d5ef98e0e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dc7e7a14-05fc-41f5-9675-b6c6eb1552d2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e54ce5f0112c9fdfe86db17e85a5e2c5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f4c09e1d-7087-47c6-90a1-eceae9d82ad2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>e56e4b20ef6dc09d29be49481bd29561</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b213c45c-ffd2-4475-a260-5e4438bb7d07"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e65c0b3f4dd2f3c9f728077ed1e48f7e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e17f6723-f44f-42ce-9463-12675262ab9e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e83f60fb0e0396ea309faf0aed64e53f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c96f2ec0-0741-4309-b7a0-d3c402b9b28f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ecf900c9d743631b59442240ac4ce9da</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-04fbd074-b06b-4f5b-9437-d6f0b0f3b230"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f4ed3b7a8a58453052db4b5be3707342</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7ed3aec7-4da9-4abd-af8f-614d0053aa9c"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f8892c6dacbf7ac756abb361e48bbc82</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0713088c-194b-4cc1-a491-ed154bf82d92"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f904ea9bc8e2d7ce13a6007183da5957</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fac0b607-932f-404a-96e0-69b19a1f6399"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fab6b0b33d59f393e142000f128a9652</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4d9d2497-c5ae-45d0-bb53-f6bd171de802"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fae6eaf695af058af4b8dfee0709bf51</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6a0fec6b-6e86-4d0e-a7b4-74d5fa99fdd6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fc9d20d555a88fc827f3a2bfec4dfa36</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-eb90e9a9-70ab-44b3-b34f-5140172354c4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ff085d421518772ce2df75282363279f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6bdbb07f-5f6e-4806-b78c-b3d73f92b911"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ff2d1edbcaf04e8a02dc61fc225e2b91</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): the observables that follow carry only FileObj:Size_In_Bytes, with no hash, name or path. A bare file size also matches unrelated files, so it is not usable as a standalone detection. The file's header comment describes the OpenIOC to CybOX conversion as lossy; presumably each size was one term of a larger IOC expression and is referenced from an Observable_Composition elsewhere in the package. Confirm against the owning indicator and evaluate it only together with the other terms of that indicator. --> <cybox:Observable id="mandiant:observable-f182b0d0-f9d4-421c-bde7-e0427f0beea3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>13312</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-33fb6f35-7e9e-4453-9f16-dc4371893d1d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>14336</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-446de80d-55b4-43f7-a123-e1db1058bc9c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>14848</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dc38792a-69ad-44bf-89c0-f45452609235"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>15872</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ad1165f3-4a6e-4d70-bdd3-d09b263abd22"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> 
<FileObj:Size_In_Bytes>16384</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-088967e0-f8cc-47a8-b8a1-d597581ba44a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>16896</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2f58f03c-388f-431e-8205-d1f06d859caa"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>17408</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b04ad4fe-6bbc-4f51-924b-cc770f52f2cc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>18432</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b3dd9dac-18f4-4cf2-9766-0fc8341604ba"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>18433</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6730ced8-9060-44cb-8b72-7036cf5e3ad8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>18944</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-deee105c-12d9-4cca-8bc6-7b681753f050"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>19968</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d4a19b79-a3a6-4e67-907c-4fea87ae4f2f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>20480</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c8825928-db80-47ac-9755-e3c05acbb2fc"> 
<cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>20712</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-313b9bab-caf4-48b2-9dcd-b9b018f2ca5c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>22016</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-262cfae5-c684-40bf-b777-5cd4799dcfc9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>22528</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dfecc66f-e6d8-49ce-b21a-b0fa6f917008"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>78848</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-94f66886-459b-430d-90de-7f0a8a81c257"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>81920</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): the observables that follow are typed WindowsExecutableFileObjectType and carry only the PE file header Time_Date_Stamp, written as UTC (Z suffix). The value is stored in the file and can be altered after the build, and unrelated binaries can share one, so a match is supporting evidence at most. Presumably each timestamp was one term of a larger IOC expression; confirm against the owning indicator and combine it with that indicator's other observables before alerting. --> <cybox:Observable id="mandiant:observable-aca8aa51-a223-40ab-8329-f1845a846ca0"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-02-05T07:14:01Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-886415c2-623d-40bb-b324-b880fb4d1dab"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> 
<WinExecutableFileObj:Time_Date_Stamp>2009-02-05T07:16:28Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f783f0ee-82e9-4752-b392-efbd3120ad98"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-02-05T07:20:22Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-db07a6d3-0cbb-4dca-a49a-83b598215c01"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-02-05T07:25:02Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-94926b82-e2d1-4af9-a4d0-dd56283a2d53"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-08-18T07:22:03Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a828169a-b40a-42bc-8be0-7a73461ea47f"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-05-20T07:01:21Z</WinExecutableFileObj:Time_Date_Stamp> 
</WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a340c536-131a-4b82-9c17-ab9256120b7a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-10-21T06:51:09Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-52ff7f5b-b18d-46c7-beec-e4ff4ca1b40b"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-11-17T13:37:00Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-01ff1530-4688-471a-984d-58e9fcefb82a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-03-31T13:45:26Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cf0dcd37-f55d-4b8e-9310-944ab627f3de"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-04-02T09:07:51Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> 
<!--
  PE compile-time observables: each of the 17 Observables below describes a
  Windows executable solely by the Time_Date_Stamp field of its PE file header
  (values are UTC, 2011-08-09 through 2012-06-21).
  NOTE(review): the header timestamp is written by the build toolchain and is
  trivially editable, so a match on this field alone is weak evidence. These
  entries are presumably meant to be combined with the file name, hash or
  export observables through the owning Indicator's composition, which is not
  visible in this span; confirm before deploying any of them as a stand-alone
  detection.
  NOTE(review): no "condition" attribute is set on Time_Date_Stamp here, while
  other fields in this file use condition="Contains". Check how the consuming
  tool treats a value without a condition (exact-match pattern vs. observed
  instance); the header comment of this file states that the OpenIOC
  conversion is lossy.
-->
<cybox:Observable id="mandiant:observable-52578931-211e-4c14-89de-3351ba97eae3">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2011-08-09T01:37:23Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-08b40441-1179-4a43-a19c-84225cbd4e9b">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2011-08-09T02:14:33Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-587379ba-23fa-4399-a47d-1e8a9abac22d">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2011-08-09T02:20:47Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-036e3e8a-21ed-43d1-bead-639723eb5250">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2011-08-19T02:34:16Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-03d9dd67-e0e0-4282-8e0a-7e97c2b787f3">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2011-10-14T08:42:16Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-5fc14e27-5c2d-400d-a041-d3f9a351efb3">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2011-10-14T11:58:04Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-e2eba2bf-9d47-4c20-aaa9-f2cc2d2b7dde">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2011-10-31T14:30:39Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-b68a4775-fbbd-4460-aaac-99574efa6259">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2011-11-09T03:26:25Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-a3d59d13-245e-4138-841b-e6717cca81f0">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2011-11-09T07:31:11Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-672bc832-720b-4555-8e57-9b7d04dfaa69">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2011-11-17T07:22:44Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-e2a510e4-730b-4a3a-9309-e5bb485ceda4">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2011-11-17T07:43:50Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-7e4e361a-2b41-4352-9e59-6dd9b9451bb0">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2012-03-22T08:10:30Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-3867dff7-15d9-448f-b4cd-7305b8bbc37f">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2012-03-28T01:50:55Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-5aa85a39-c0af-465a-843a-257fd5b6c585">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2012-03-28T15:39:00Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-f282192c-e23c-4c24-a18a-92553cad4e17">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2012-06-21T07:25:02Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-5fcf6eda-d58c-4ed0-a97e-80a5c9393a78">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2012-06-21T09:32:12Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-5bd61fb0-a61d-465d-bbec-22e606c97254">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2012-06-21T10:48:56Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-19d1c945-f06d-4858-8c90-c19a5cf6059d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-06-26T02:57:58Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-be478e8d-6e76-427b-b19e-4cbc7f9b9459"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-06-26T03:30:05Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-63359ec3-c1c1-4217-a698-1500bbac1937"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-06-26T03:47:43Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e486cb73-c290-4099-aefd-52650bd425b6"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-09-03T03:38:15Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-528d6d2b-6bfe-4cbe-a1d7-7fa4d2304fc8"> <cybox:Object> <cybox:Properties 
xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-11-16T07:35:22Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5c088198-0b7a-4eab-bd26-3591ab2d9ff0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>1.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5f85346b-8124-4f38-8af7-f7ecb05db34e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>1.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f2e7493a-a858-4d38-bb8f-cb51725d7197"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>2.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ae032710-5891-4588-b255-ec1bcf04d227"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>4.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-90181041-7e54-4d69-8305-3b1db1feaf13"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>a1.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5147aced-2af6-4b61-9db9-9842cb4692a7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>appmgmt.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-00676dcf-c5cb-4918-9b9d-6ee12587bf6f"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>cat_3.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6e0f4f57-9b9f-4adf-b34e-2cf20db7955a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>cat_5.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c847c5ba-6bd5-4692-8651-077f72771891"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>cat_6.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ca84737a-e426-43d7-a145-7a8778a57353"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>cat_7.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-817ecb8f-d922-41d1-8da1-c01d4a4f272c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>cat.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-78215b3b-52b0-4720-886d-a416312c4236"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>cat3.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-10b1ba03-b276-4295-8c03-b17be46d3485"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>cat4.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e58150ca-8af3-4b2b-9659-7351a42cb26c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>cisvc.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-19a33044-b55b-4b13-ba16-82faddbfad8b"> 
<cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>cnn.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0f112a97-c7cd-447f-bf38-2f3b3a5a14e6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>gaemm.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-86677460-02a8-4ab5-b707-11bf120664af"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>green.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-104e8295-9b63-4595-90ea-d0cd9a18d93c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>hkcmd.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a115f280-dc6c-4aab-8fc4-f640ebf7a599"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>iexplore.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-62ffa38b-9aab-4b6c-890e-5ac830ebd648"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>ks.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-111eb85c-83ea-4427-a8c9-ea9ad705bfa9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>ks.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ddfc26c5-69c1-4ad4-9290-28da46bd2a7b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>mm.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-45f9c1d9-1a20-4289-b3e4-72035cc5f54d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>OSE.EXE</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-526c052f-dd62-4a18-a752-0ec9465a452c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>rasauto32.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-81542abd-8975-47bd-ab2a-657b2fb140fa"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>rasautoe.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4b915b30-cf6d-46bc-b5b2-5351595ad4af"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>rasuto.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c0da7416-a51a-44f3-a64c-abcbdf00b8b4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>reader_sl.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-38828ede-349a-40d9-961f-bed923058774"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>reg.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dedc26f8-efce-45e0-80c5-b1ed8a00cd89"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>setup.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-11534ab5-3378-4741-b68b-478e0a28fc15"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>smagent.exe</FileObj:File_Name> </cybox:Properties> 
</cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-22b5f861-72fb-4fa5-a0b1-1693fc0f191d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>sound.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f39f176a-4b56-4be2-a179-8c89961c9683"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>soundmax.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5e398c96-f8d9-4d5f-9753-f416d5e8ae49"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>spoolsv.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-20e50cd6-96c3-41d8-9adc-2292fa4bdc7b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>SUBMARINE.EXE</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-80667694-eb92-41a9-9165-6ed899daf12f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>svchost.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-758e4343-da6a-4027-aeb3-e6c8dd5c4cff"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>updater.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-398ce8b3-2b65-443c-9063-6552f05cfb2f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>us.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-121b193a-987d-44ee-81f1-05c6cf4ea96f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> 
<FileObj:File_Name>wmdmpmsn.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5a0f7b94-948e-4299-be06-823550dd1b33"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>wmiprvse.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bc8911a3-2177-4c1a-850a-478b34ac2fe4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>wmpnetwk.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-935eb617-dec2-4ba9-9aa5-cf2a42c30722"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>wuauclt.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8b9e7dbf-c817-4807-bff6-bdf646120e0c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>dating.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f3678b88-9342-45c7-b7fa-b44979617005"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>shop.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-55dec592-caaf-426b-9fcf-219e50b3a013"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>engineose.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f40fc85a-9081-409c-bb85-2c60cd1b27e3"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> 
</cybox:Observable> <cybox:Observable id="mandiant:observable-4166b560-dd02-4d08-9074-b28749ced2f5"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7a01cc6b-b5ab-4790-a5d4-87b2fdf5428c"> <cybox:Object> <cybox:Properties xsi:type="WinProcessObj:WindowsProcessObjectType"> <WinProcessObj:Handle_List> <WinHandleObj:Handle> <WinHandleObj:Type>Mutant</WinHandleObj:Type> </WinHandleObj:Handle> </WinProcessObj:Handle_List> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2d8255d2-641a-4761-a6a5-771bd74344eb"> <cybox:Object> <cybox:Properties xsi:type="WinProcessObj:WindowsProcessObjectType"> <WinProcessObj:Handle_List> <WinHandleObj:Handle> <WinHandleObj:Name>ADR32</WinHandleObj:Name> </WinHandleObj:Handle> </WinProcessObj:Handle_List> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-25da2178-8ba7-43f0-bfbf-ec6184930dd9"> <cybox:Object> <cybox:Properties xsi:type="WinProcessObj:WindowsProcessObjectType"> <WinProcessObj:Handle_List> <WinHandleObj:Handle> <WinHandleObj:Name>ADR64</WinHandleObj:Name> </WinHandleObj:Handle> </WinProcessObj:Handle_List> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-19cb7aea-26cb-41b7-afd7-356606ca4434"> <cybox:Object> <cybox:Properties xsi:type="WinProcessObj:WindowsProcessObjectType"> <WinProcessObj:Handle_List> <WinHandleObj:Handle> <WinHandleObj:Name>AdobeReaderX</WinHandleObj:Name> </WinHandleObj:Handle> </WinProcessObj:Handle_List> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e9e4fa0f-9186-4f02-b8d3-412690f80aba"> <cybox:Object> <cybox:Properties 
xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-12c7431c-d0f0-4b3c-ae1d-db0622b1c4ec"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name condition="Contains">install</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-96cb3701-ae2b-4fba-b108-28f79b1760a2"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name condition="Contains">uninstall</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3a86f589-7791-4ece-9a53-fe3872c814f4"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name condition="Contains">servicemain</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-e8b9edd9-a3eb-462f-b8ec-22c0d7625359"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8a8fadb8-96e5-46da-b874-ba9522968577"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>50361f8793258b6e883b31269e053ed2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-96064940-6bcb-43b7-b2a8-dd7671c61f27"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3b320b90e024bfa48bda72aa7a82322c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-09513ce3-4ec5-4070-87b4-6ceecf28d66b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>10bb5a8ae053e335fe047cf38db95452</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b682a1b6-3efb-40dd-8262-26c99582e34d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a1b924b8c8fa157ae8775fd86f692053</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> 
</cybox:Observable> <cybox:Observable id="mandiant:observable-f170ec88-3afa-4602-b72b-3b05732b8a59"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2c78d8bb5912d8174042f81197d9b449</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-67bb1f06-e71f-4d6a-8c4d-45d590e25859"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f1ad5daacace5d4a7b18a03132ec2716</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e786a178-8f96-4821-8a2f-9aea0b04bd69"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>257258344edad17f689b1c6d14833cbc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9bc2e53d-1fef-44b0-ad66-93329a14b18e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>98cf219830733fb98fd2a957b7c4b163</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b047a969-9ee5-4c47-b905-3d57dea106a8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>75f37a69664362462ad491741a34f195</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-86cbbc7b-8373-4483-8cb4-f74d0d316b08"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>dcb90efe7e09d6900242af25aeca7b73</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fe1b00c1-9945-4e94-9b8a-da1c14dfd592"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>62d60a1cd1e7ba73aebc98812e5ac266</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4fde81d5-41b6-4e33-a221-d1dd64868f44"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7ce16b35201d8d35965ec7aeebdc80ff</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-21217a83-702c-4696-9328-e9220355868c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b63452ecd2da62f30923a124bcd41b45</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a2fa50e8-4165-4f32-9f0e-3fe5f47663c8"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b2599b3078c28a278a3e7cd8b46304da</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-93f74395-d7e8-4a5f-9459-75b93dfb5652"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e24e889e826df04f552e0d133548b693</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4bf1eba4-af8e-4d7d-a794-6337cef6d77b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>465b085d3ddd22f63d8f7721ce5736d7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-88fe1d0b-51cc-406e-816d-3d1877d161ab"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>04e83832146034f9797d2e8145413daa</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2f4f9327-0216-44c8-9e53-1d23698caf72"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c2e06531a2e6de3c1b7d18b14af53fdf</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-7e923e4e-4ac5-4c6e-8ba0-7ae8bcb2851e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c0a494e643c42a89d5bf718ea274df04</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ddfdbf22-1590-4527-b017-224b8a2f24b6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>da6b0ee7ec735029d1ff4fa863a71de8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-32fcff4b-7c5f-4e34-9783-edb887fe73a5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>33d974011c4b047bf9874a71ba261a11</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fa85a793-627a-48ce-91bc-e425c497a932"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>47e7f92419eb4b98ff4124c3ca11b738</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c125aae2-69c3-4eb7-9293-c24c51d15b1c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>12a410d82a1fc9a8c18b350872e0d465</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-75074d1b-d72f-4fb0-bd5f-6eac577a6c63"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1ae2dadd85cd97452bb26b2c901d0890</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c6941c3a-15e4-47f3-b81b-74992538f067"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">\Com\wscntfy.exe</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bc4e6a25-4073-40b9-abb2-ff9697fb2d13"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>msiprov.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-832e2c3f-0f51-46ff-940b-21ce999aef50"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>mspmsnsv32.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a58f5ff2-8dbe-4926-a86f-08b0bf6e24bc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>svchost.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3fc7d896-24f6-4a68-88a4-6b6bbb30284b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>rasauto32.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e4ec6bc3-ca87-46ed-aa7d-7236e3df15d6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>ersvc.dll</FileObj:File_Name> 
</cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4f7a652e-3392-4c4a-8ee2-301968a34507"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8284e473-1c40-4317-88e4-2274a05f8699"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8399140e-d68f-4e6a-bcc1-b1a2866c4bc3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>10240</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-19c390ad-2f2f-40c0-8da5-1bf39de9e31a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>10752</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b48100bd-5e0c-4d2e-bcfa-448b44abe524"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>11264</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a75807dd-ffca-40c5-86b4-9dcde61a7c6b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>45056</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-af2c684f-d214-4b14-bbba-41682eca0e54"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> 
<FileObj:Size_In_Bytes>8704</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c096ca67-e918-4e0f-b208-782e3a511516"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>9728</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-35fdebd5-e7f5-44dd-a0d6-f4e217da8814"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-06-16T02:14:07Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-34bf75f7-6bbd-4646-9858-d1e3f5ee4188"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-06-18T07:24:32Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-16d176ee-fd34-4de9-8bd6-71471e36fc03"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-09-01T16:22:56Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-590352a7-f3a5-461e-8e21-505d650b2f22"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> 
<WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-09-16T08:40:03Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c2d77748-b66a-4d1f-965d-856eb1f22973"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-09-27T03:15:10Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a8b83474-9470-466c-961a-06bd8b2bd434"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-03-24T07:04:57Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ac064633-5ad5-430e-9860-6c0603308d93"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-08-21T02:44:28Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e7e4d3e5-b086-4b23-92c0-3e6aa1032123"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> 
<WinExecutableFileObj:Time_Date_Stamp>2010-04-12T07:28:12Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ed3723b5-d790-4b78-a409-b5949bc0cf53"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-04-12T09:09:29Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d8b9f7dc-1a88-413e-9968-5091c69c1178"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-138d69cb-271e-4ba6-b059-352fbdf7efaa"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>ServiceMain</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a5a8e2b5-3d88-4363-aa86-7bf57d0c7488"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>InstallA</WinExecutableFileObj:Function_Name> 
</WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-022b41f1-9afe-45d6-af8b-1b157177025d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>UninstallService</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ecc8fb90-5a68-4963-9b33-03ede415351b"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>InstallService</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5b4f193e-557f-4224-bb18-cda6555dc52f"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>RemoveA</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-20070b1b-c544-40e4-88b0-fc7533f9bda7"> <cybox:Object> <cybox:Properties 
xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4f356464-9e28-470f-8b4d-67553bdee05c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>ServiceMain</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-db01b082-bfca-4493-9a89-c5ea64768065"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-56267a8f-9633-4937-8de4-9085d355b3f2"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d5c98410-ee98-458e-a5b6-be970abb3a43"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>DllUnregisterServer</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> 
</WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-428d8ae8-11ac-41c8-8cf8-e3626f976635"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>DllGetClassObject</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a7ea89f3-847c-444d-b329-f1f93bf43d24"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>DllCanUnloadNow</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-14bf2c6c-2c39-44c8-92ed-caf34aa76456"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>DllRegisterServer</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-139fc1a6-e5f8-478f-ac4c-4e5ef4d5d7a7"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of 
OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3e297215-861a-4a94-be92-bf2ae19f5065"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8fdb15f3d5480de78c61ccef23722683</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-df4b6821-3b96-4864-b5a8-b1379ee80bb8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>57353ecbaece29ecaf8025231eb930e3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3d73fee4-f73b-444d-835d-725a8a0b5da3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cf038194f0fe222f31ec24cb80941bb1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-322864bd-4a3c-4984-bb39-51da6c8289fb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f90da15f862bb8452fc51d3f0dbb3373</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5782120d-8b59-4fe7-b2a3-2a0e7b784b90"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> 
<cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6deae79fc82df523ba99852266a33f9e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-43aea2f9-7628-4e20-a806-0bab8a42187b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6ebd05a02459d3b22a9d4a79b8626bf1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a6ae527a-4736-42f6-ad14-fa5a699c92a3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d2f1be7e10ed39aa8bc0f7f671d824d2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a06d67f2-5d6b-4119-b372-abeb3dc7d86b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5d5c39ba59c32ebcd6c02f238521a060</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-902d348a-920e-4ff6-8273-e23f511b3b29"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>gw.dat</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-87eb54a8-f79e-453d-be63-59be0cd1e89b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>sqlpass.dic</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> 
<!-- Review note: this observable has no child properties. The only content is the
     converter's placeholder below, so the original OpenIOC term (apparently a PE
     attribute, judging by the commented-out element) was not carried over.
     Do not evaluate it as a matchable condition; the file header says the source
     IOC is kept as the indicator's Test_Mechanism, which is where the real term is. -->
<cybox:Observable id="mandiant:observable-6112d863-22f8-410e-bf85-b7db8db31d16">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time -->
      <!--WinExecutableFileObj:PE_Attributes/-->
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<!-- Review note: the next five observables each carry a bare file name and nothing
     else (no path, hash or size, and no condition attribute on File_Name).
     A file name alone is a weak indicator: names such as ctfmon.exe are also used
     by legitimate Windows components, and 1.exe / client.exe / a.dat are generic.
     Presumably these are meant to be combined with other terms by the indicator
     that references them (not visible in this part of the file); confirm before
     alerting on any of them in isolation. How a missing condition attribute is
     matched (exact or otherwise) depends on the consuming tool; verify. -->
<cybox:Observable id="mandiant:observable-3ffa3bbe-9aba-43e5-a666-2bbc257ff4d7">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:File_Name>a.dat</FileObj:File_Name>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-5ead8152-11d7-4bdc-bede-e89a31a6cad7">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:File_Name>1.exe</FileObj:File_Name>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-633c3d70-d0d1-4a51-ac4d-a10347330777">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:File_Name>ctfmon.exe</FileObj:File_Name>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-8ae14feb-b1a3-4efd-bc56-4dde8bc4acab">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:File_Name>Del16A4.tmp</FileObj:File_Name>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-1834b578-a4be-4368-8b16-1ebd1fbad785">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:File_Name>client.exe</FileObj:File_Name>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<!-- Review note: another property-less placeholder left by the lossy conversion.
     As written it constrains nothing beyond the object type, so a consumer that
     evaluates it literally could match any Windows executable; skip it or fall
     back to the original OpenIOC definition. -->
<cybox:Observable id="mandiant:observable-ebd1abe7-a473-48ba-8f43-9c132883cc15">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time -->
      <!--WinExecutableFileObj:PE_Attributes/-->
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-e8123462-e31b-48f3-bc72-43f2061c5850"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>32768</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0955e2d7-eefb-4653-81c1-fb44041ece9b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>475136</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-198a474b-cd29-445e-b670-900bab9d89fe"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>57344</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3423d033-ef73-47cc-ac49-456452172b5f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>61440</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-84c7d82b-c944-44f5-ae10-33521558866e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>81920</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cc9ba9e2-bb3f-4645-b767-6a86f33433f2"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-08-25T02:25:14Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cca8138c-efa2-4e49-9296-a27fffa4f379"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> 
<WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-02-21T13:18:49Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f6e29a86-ebd9-484c-9445-b6879146facf"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-02-21T13:25:59Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1e3246bf-6226-44c1-9739-bd53c5ed47c3"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-12-19T12:17:08Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-87007f79-881f-4fee-a54a-6f9bf854422c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-12-20T02:23:38Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-128fa1b4-9034-4ccf-909f-e17f73532284"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> 
<WinExecutableFileObj:Time_Date_Stamp>2012-01-19T00:50:11Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7834fd6a-84a4-4885-ba74-0b2d7df12659"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-03-07T08:41:30Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7da7bff8-68f7-4234-92da-c3c509e883af"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-04-21T06:49:52Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-293506cc-415b-468e-b9e2-3852d474652b"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Resources> <WinExecutableFileObj:Resource> <WinExecutableFileObj:Name condition="Contains">IDR_DATA0</WinExecutableFileObj:Name> </WinExecutableFileObj:Resource> </WinExecutableFileObj:Resources> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fdec4448-5911-4572-a95a-cf61e3c0f9c2"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-fab392cc-1376-46ec-8e2c-4fa4e704869d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>82b065518f085c6ceb0a9135ab51df41</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4ba6db3f-ca2d-46ce-8a75-eaba4b20a2bf"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-73990b98-2df1-40ac-ab89-8d805e2a67bf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>12800</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4f469a10-6cd2-486f-8b81-0b0156c1888b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>update.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-98aa4299-4820-4d53-bb52-236ea8855aac"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-05-11T01:52:46Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-30a990db-845c-4cbf-80b9-8b7b2386d7c1"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this 
time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-65ef6c0b-c2ef-4a30-8c7a-5530150de278"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-08bb5155-f98e-4175-ba30-6c408c107d1a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f7a71182-00a1-4f8a-847f-041d74a8cf7e"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b6630e04-d583-4c87-8933-368b8c768cdd"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f62eda54-fc09-4bf7-8943-63e9cf0dd87f"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-c9f171c0-75d7-4378-beb7-4a6fa6716b18"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>567395a3c720fcd09eb75b6c188b8687</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5b56e6a4-3d35-447c-967a-585833c67377"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8153b612499dbf432e2d9805b20ae783</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-044450c1-d0c9-4034-b50a-695ea872f81f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d8238e950608e5aba3d3e9e83e9ee2cc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9728541d-9905-4a02-8d45-89dc97f5cbcb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>53b263dd41838aa178a5ced338a207f3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2a058aa9-bcff-49d0-b898-63038cf5655e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5ff3269faca4a67d1a4c537154aaad4b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6db9a6b4-1875-4a3b-a3a4-63a5701e8e8b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1ea61a0945bde3c6f41e12bc01928d37</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e37a42ad-39b9-4ed7-a8ff-b4f8684943ed"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9675827a495f4ba6a4efd4dd70932b7c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5a737131-9ed6-4547-91ca-30d5dc566db8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>32768</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b5a329f6-8fc2-489d-87b8-3449788bc351"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>73728</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2415ff42-a418-40b1-8349-ad97ac0b1236"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-05-07T03:19:17Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-48e392bc-c065-48b0-882e-75fad379fefb"> <cybox:Object> 
<cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- Review note: Time_Date_Stamp is the timestamp recorded in the PE file header. Whoever builds the file sets it, so treat a match as supporting evidence to be combined with other terms, not as proof on its own. --> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-05-28T08:12:40Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: the five File_Name observables that follow use condition="Contains", so each matches any file name that has the given string as a substring. Several of the strings (for example svchost.exe and AcroRd32.exe) are also the names of legitimate programs, so a name match alone is expected to hit benign files. Evaluate these only together with the other terms of the indicator they belong to (the composition is not visible in this part of the file; confirm against the original OpenIOC definition). --> <cybox:Observable id="mandiant:observable-2e22d803-b6c3-4ec7-9e13-5469062c0e38"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name condition="Contains">AcroRd32.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9fffb9ef-eda3-461f-bf24-b7c8f8013b5c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name condition="Contains">hkcmd.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-11c8d961-aaf6-4c39-b5f3-3b9d3045ce3e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name condition="Contains">svchost.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4a7d498b-db58-4be5-acb0-921c245b4728"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name condition="Contains">google.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dd7d606f-ffe7-45b6-b8e3-36c8690b0038"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name condition="Contains">wins.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b3381a0d-e6ef-4409-b2b0-4baa10e434be"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC 
at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: in the next observable Hive holds "Software", which is a component of the key path and not the name of a registry hive. This looks like an artifact of the automated OpenIOC conversion (TODO confirm against the original IOC). A consumer that compares Hive with hive names may never match this observable, so check how your tooling handles the field before relying on it. --> <cybox:Observable id="mandiant:observable-503abed0-b00b-4f4e-94fe-9ebc6abaffdd"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key condition="Contains">Microsoft\Windows\CurrentVersion\Run\load</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>Software</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: the registry value observables that follow carry only a Data substring (an executable file name, condition="Contains") and no Key or Hive of their own. Taken alone each one matches any registry value whose data mentions that file name, including entries written by legitimate software. They are only meaningful together with the other terms of their indicator (composition not visible in this part of the file). --> <cybox:Observable id="mandiant:observable-58567037-88d8-4110-8af9-23e7b6f3e7ef"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">acrord32.exe</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c8897027-e093-481e-82db-87357e11d559"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">hkcmd.exe</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-33aa7a58-6dc9-4a8a-855d-edf010502466"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">wins.exe</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3af073a8-52c5-48a7-b9c9-ca4e8916e5e6"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> 
<WinRegistryKeyObj:Data condition="Contains">svchost.exe</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bfacd096-32e2-44de-9e7d-5ff612fcdb22"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b1838a6c341260fbdaf288795cc63900</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-23be8553-e380-423b-8b55-4e693b9600c8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ff9aa093a37819af65a06046ea0c830c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0b2a758e-7bc2-4b5d-bfe0-f931eb85ef8d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>dc78fd49b7f39fa3bb06b927e8413dd0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2edba2c3-8ef4-477b-8768-8ff5090f84e4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>57cfef3e32e60df11b8d2c5375f3185c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a279e61c-f3ff-4778-b395-1659b60c3c16"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>nwsapagent.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e4ecdcd4-e23f-4ddd-9b7e-0323a11f6e99"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>cclient.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-919d592f-238f-44f8-ad0f-a5d81e8aa2e7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>iprip32.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-539af7eb-87df-4d74-8d25-d56f90413850"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a79936cb-12fb-4262-92b0-cea2db4901d7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>151552</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-38e8480a-845d-452d-aef9-3b4eb29ca675"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>155648</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8ed59326-294f-4c1a-aee1-6ef2fa1ee6ca"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>159744</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b220f7cc-74e0-413e-a4f7-550f6937ec5e"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> 
<WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-05-24T02:42:22Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a477bfb8-74ce-4ffe-940d-6b5d17430959"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-05-29T07:35:54Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9f6c79fb-8a62-4024-8b6d-49563dbfe2a2"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-06-29T08:30:40Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4bde46ca-96a1-46ef-9ad1-ba3ee503d463"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-06-01T08:53:23Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0eb42182-ba04-4cf0-b139-9847a52d6698"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> 
</cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f41124ad-3629-449f-b6da-bcb4bb52433d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>UninstallService</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d7b99f36-17cb-4c1b-a0a2-d17507b4104c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>InstallService</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-eb37ece6-6f30-4dac-a297-910bdc1a334d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>RundllInstallA</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0620bee8-aaf8-4747-ac24-5f300d266ac5"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> 
<WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>RundllUninstallA</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-53b3e98b-08ed-4b90-8595-dc16dbb2e0c7"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>ServiceMain</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ad644aea-2dc8-4768-aa11-731b8ffa54ff"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7ebca5f2-2b13-4422-9bb1-b63d1eb04a22"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6eebee2aebd5194db62cb8230502378c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ab8860f7-0ef1-4933-bd94-9501717aa348"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>620c6a6cff832e35090487680123f52b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> 
</cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5f3d57ff-610b-48c2-8417-1dd10dad9939"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>81b03cbcfc4b9d090cd8f5e5da816895</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e7039ae1-5b5b-4908-8e82-bd78769cfc9a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e476e4a24f8b4ff4c8a0b260aa35fc9f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f3742769-61fb-4de7-b257-fcc60a01507e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>77fbfed235d6062212a3e43211a5706e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-60fc1671-3ae4-4aeb-b222-0899d1b5888f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>52509abd1cc7b7fb391b19929e0d99c0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-df92717a-a7ea-4afc-b7b9-a523b19b4324"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>28160</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-d41a75fd-8083-4b7a-9f1a-a514146a079a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>497783</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a1fc93dd-571c-403e-9eda-94a190489687"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>56320</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-aa42802b-6766-4cda-84d5-595e384b39ec"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-10-14T08:20:10Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2d663d81-6681-4deb-b7ef-4e6c710b3dcf"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-10-23T07:42:47Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d7762c98-0dd0-4c9a-a449-9043e6510c70"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-06-04T12:57:35Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e21f4677-be4d-456b-a847-08e0e6c39b0f"> <cybox:Object> 
<cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-06-09T13:19:49Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bcd34f8a-8828-479d-bbfd-f371ae439606"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>acrord32ram.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a63d9d35-d375-4c88-8d5b-0becafd94da0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>winword.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-72dda272-72e5-4009-b0cd-559b1dab182f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>acrord32.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-22bda1e4-5ed4-4212-86a9-a62172dec217"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>ituneshelper.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d76a0387-eb69-472b-98ea-ee4b3ecb13d3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>power_gen_2012.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1c31343b-beaf-41ab-b954-7602eb7e5c5c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> 
</cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d6c354bb-9b63-48d3-8d7f-a82811cc9ffb"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d40244c9-69f3-4e20-a945-4d30ce050392"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b0a048ce-a039-4498-855c-f26b4f2cecfb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0285bd1fbdd70fd5165260a490564ac8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-097e4f85-860b-49d1-b37a-701bbeb59345"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9c03ab63a45d29aee90b72ae89f2f613</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-21967ba1-c2d1-4d0c-9669-064a02d2d0da"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>newdll.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ea548f23-0490-492a-b7fc-2c7b69f8edb8"> <cybox:Object> <cybox:Properties 
xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2007-09-06T13:13:09Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4e3d7037-392f-466a-82ff-8dad6a4aeecc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>84480</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-64f6473e-ce8c-4a26-ac08-1babd0cda245"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>install_ela.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-28447a30-760f-4804-8d4d-1d8ecb843328"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2007-09-06T13:13:17Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ff742dd5-23da-44d3-b2dc-a2df5dcc688f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>224768</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c8670f17-d6cb-4b86-8fa7-0c9db006b143"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f0726aadcf5d66daf528f79ba8507113</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> 
</cybox:Observable> <cybox:Observable id="mandiant:observable-100ef811-c6bd-436c-8909-d051eca97bc6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5e0df5b28a349d46ac8cc7d9e5e61a96</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: the two service observables that follow match on a substring (condition="Contains") of the service name and of the service description text. --> <cybox:Observable id="mandiant:observable-3ad926e8-236a-42c1-b6c5-f4649b94a563"> <cybox:Object> <cybox:Properties xsi:type="WinServiceObj:WindowsServiceObjectType"> <WinServiceObj:Service_Name condition="Contains">SaSaut</WinServiceObj:Service_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5d129eb0-7dc9-4d5f-b323-56ec74f8a859"> <cybox:Object> <cybox:Properties xsi:type="WinServiceObj:WindowsServiceObjectType"> <WinServiceObj:Description_List> <WinServiceObj:Description condition="Contains">Authorization and authentication service for starting and accessing machines.</WinServiceObj:Description> </WinServiceObj:Description_List> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: in the next observable Hive holds "CurrentVersion", which is a component of a key path and not the name of a registry hive. This looks like an artifact of the automated OpenIOC conversion (TODO confirm against the original IOC). A consumer that compares Hive with hive names may never match this observable. --> <cybox:Observable id="mandiant:observable-60bf3398-cd2d-43ae-bd8a-423a87125e67"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key condition="Contains">SvcHost\SaSaut</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>CurrentVersion</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: the next observable has no properties. Its PE_Attributes term was not converted and is left commented out, so the observable only states the object type and places no constraint on a file. Do not evaluate it as a detection term; take the missing condition from the original OpenIOC definition. --> <cybox:Observable id="mandiant:observable-1251ad3a-36cc-46df-b867-5b999c950d37"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-7c63fc4c-c42d-4400-92ca-7e5d9f439d7f"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-70888c05-d5fb-4161-9f11-c061aaca8e25"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>setup.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-663ea2a0-6c4d-4fdb-b1c4-84e444fb5090"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>spool.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4a513012-d94c-4147-8817-ed0a60abdbad"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-03-30T09:00:00Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8f21de18-1b81-4553-9fa3-2af23053842c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>37376</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a6eb457c-fe70-43fc-8f4e-606c7d417f1b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>50176</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b6ed3588-18fc-4c76-b53b-c01aabdd5f92"> <cybox:Object> <cybox:Properties 
xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: the next observable matches any exported function whose name contains the substring "MyService" (condition="Contains"). --> <cybox:Observable id="mandiant:observable-4a5c4267-9edd-47ee-8945-20e24278834e"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name condition="Contains">MyService</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: the next observable carries only a registry Data substring, "java.exe", with no Key or Hive of its own. Taken alone it matches any registry value whose data mentions that file name, including entries written by a legitimate Java installation. Evaluate it only together with the other terms of its indicator (composition not visible in this part of the file). --> <cybox:Observable id="mandiant:observable-0bb5a610-2702-4862-a664-f6db36f3947b"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">java.exe</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: in the next observable Hive holds "CurrentVersion", which is a component of a key path and not the name of a registry hive. This looks like an artifact of the automated OpenIOC conversion (TODO confirm against the original IOC). A consumer that compares Hive with hive names may never match this observable. --> <cybox:Observable id="mandiant:observable-1e7493c7-a12b-4978-b657-fd1b90314d12"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key condition="Contains">Run\sysinfo</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>CurrentVersion</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: Service_DLL below is matched as a substring, "\setup.dll", with no directory given. The file name is generic, so confirm the full path and the service it belongs to before treating a match as malicious. --> <cybox:Observable id="mandiant:observable-5c5b382e-cdfd-469e-a024-4e52db2e423b"> <cybox:Object> <cybox:Properties xsi:type="WinServiceObj:WindowsServiceObjectType"> <WinServiceObj:Service_DLL condition="Contains">\setup.dll</WinServiceObj:Service_DLL> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-edca262c-6b9e-4d7a-80ad-c8abff8668b2"> 
<cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a40e20ff8b991308f508239625f275d8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4da666d4-0544-433a-9942-5e3037941347"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6e442c5ef460bee4c9457c6bf7a132d6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-40c51ba7-3b1d-4f63-b2b2-eba5b0a3075f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a9993969be3ea340d420eea5868c0d1d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e2dfd549-70d0-4334-b2cf-37bb7ba61d4e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cb3a9d7505be48019e242fbccc7e5f6b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1eb256c6-771b-482a-b2e4-1adcc4be3e49"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5e33a9835bced338cb1959c347ac6798</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> 
<cybox:Observable id="mandiant:observable-523fdee8-4585-44d7-a09a-f3759fa9d3bb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d262cb8267beb0e218f6d11d6af9052e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c906b618-c178-4359-9c21-d6ab01c5f216"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>097b5abb53a3d84fa9eabda02fef9e91</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-476fdea7-906d-4da0-8fa9-237e02ae8ddb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>internat.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0a30ed8a-70af-48a8-8a0a-ed25d5a4230c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>ntshrui.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-89cdc57a-f38f-464f-a759-53cf31f216f3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>internat1.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-549bb9fe-d79e-4cba-9eaa-6ccd0be147a1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>iprinp32.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-816c7fc0-fbc9-4994-898e-49cb1cdc7c5d"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <!-- NOTE(review): bare File_Name with no condition attribute and no path. svchost.exe is also the name of a stock Windows binary, so a name match alone cannot separate a malicious file from the legitimate one; presumably it is combined with other observables of the same indicator, which is not visible in this part of the file. --> <FileObj:File_Name>svchost.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-05c6d75d-cc7e-4d43-afed-2f5851f3a202"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time. NOTE(review): as emitted, this observable has an xsi:type but no property constraints (PE_Attributes below is commented out), so it describes no specific file trait and should not be matched on by itself. The comment at the top of this file says the original OpenIOC is carried as the indicator's Test_Mechanism; consult that for the term that was dropped here. --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9da6a4f2-5c4f-4ad8-9827-5d544381f9a0"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time. NOTE(review): lossy-conversion placeholder; only the xsi:type is present and no property is constrained, so this observable should not be matched on by itself. --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): each of the following observables constrains only Size_In_Bytes to one exact value, with no condition attribute. A file size by itself is shared by many unrelated files; presumably these are combined with other observables of the same indicator, which is not visible in this part of the file. --> <cybox:Observable id="mandiant:observable-dbf1e175-bcd9-4132-8b2f-be7398504c21"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>12507</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-068c2755-2a59-4e26-b2f2-62ba735d8651"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>24064</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-32180006-a3cd-41f3-b13f-7395af4d46e2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>28962</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5766bb13-64b5-4aec-a10d-4c92a044888a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>48640</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-577c1afb-6741-47a6-ae85-82867f176a80"> <cybox:Object> 
<cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>6656</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9d91eda7-c3d9-464b-af83-f71e4b14a842"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>8704</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4f87c102-e2d7-41ba-864b-6d8a2e1f2aac"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-10-27T08:31:43Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fb0db4fb-6694-4626-9d3a-7a25960bf4e9"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-03-16T01:56:49Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2c84422e-c3cb-4273-8ce8-ccde31ac8f6d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-03-17T01:31:25Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3abd846c-45c9-45f5-aadb-b2a4acc70289"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> 
<WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-03-17T03:34:24Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-862e3e8b-4964-48fb-9f70-ff4be36151ed"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-07-30T09:20:04Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b5a25419-7c45-46ab-a4cf-27f2308eee21"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-10-28T07:20:29Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b9ab076b-3b64-4dae-89d9-45072a19b699"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-04-23T07:51:28Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-81481e39-64c8-4cac-80fc-524f71b30134"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>d9c4ebd61c1aee52b3597aae048a592f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5c9e8984-59cd-42b5-8b04-5df58cee48e0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c0134285a276ab933e2a2b9b33b103cd</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bb42a513-9b0d-4980-940a-9e75d761f361"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>36cd49ad631e99125a3bb2786e405cea</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): the next two observables use condition="Contains" on File_Path, i.e. a substring test on the path rather than an exact match; neither value includes a drive or a full directory. Whether the comparison ignores case is up to the consuming tool; confirm before relying on it, since Windows file systems normally treat paths case-insensitively. --> <cybox:Observable id="mandiant:observable-e6c0075b-6ddb-4a36-b0d4-3a3ac298dccf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">Temp\~ISUN32.EXE</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bb477ea0-f188-4c7a-b10e-536879f819be"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">Windows\ntshrui.dll</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-18b42ff6-3ff5-4c01-9700-13d9dbfb1bfe"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time. NOTE(review): as emitted, this observable has an xsi:type but no property constraints (PE_Attributes below is commented out), so it describes no specific file trait and should not be matched on by itself. The comment at the top of this file says the original OpenIOC is carried as the indicator's Test_Mechanism; consult that for the term that was dropped here. --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-69abccad-1c5d-4427-ae3f-bb89a1f287af"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>update.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4f4b5ccc-dba5-4b38-95c1-c7a80c9cbd55"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>ntshrui.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3840e8b2-2d18-4689-94fb-990ff594169d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>netui0.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-94a2f411-294c-41e0-abe1-3ccc21f5844f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>46592</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-511c616e-81ed-405f-9dd8-c104b85418f7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>80896</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6752f4d4-f141-4af0-a8e3-723b4701e315"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-09-28T12:42:19Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d827d88a-389b-47c9-a159-25bb46437633"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> 
<WinExecutableFileObj:Time_Date_Stamp>2010-11-06T08:08:37Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b5d981cc-6185-4d03-abdb-19862ab8d527"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-12-16T03:14:07Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-99b0c203-fbaf-4183-ae63-48d0c03a7a81"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a38a367d6696ba90b2e778a5a4bf98fd</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b72e9e6f-f135-44cd-8e38-60ffd2000af7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4a2320b41a5216c741bf63fce562961a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e51dac46-9e38-40cd-bd9e-cf9389335a9b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5537bdce991797198a9ff97ff1492f90</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-92f27bf2-cb73-4afb-b6bc-aeb93af236f0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0115338e11f85d7a2226933712acaae8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fc847913-f158-46a4-add6-d0aed12df4e9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>277964807a66aeeb6bd81dbfcaa3e4e6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-82513330-ebdd-470d-b685-8ce6bb1d0e40"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f802b6e448c054c9c16b97ff85646825</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4933aae2-b99b-41b4-b654-0238c60a6570"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7d3140bd028f70f1fa865364b69c5999</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-571eceed-e749-47c9-816d-34514ae8f5ce"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>18316e6ebb356a66c8ff51e73c1bcc8a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-731a7370-2ef4-47ec-b6cb-0411aebc569a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>91dc97c4b66e3282e1aa831e0bb0bb14</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-11d72f66-8aad-4b9c-b89e-51294de134fa"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>53600687ec97c297f03b4f0f4710d0c5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-890885aa-18c6-4b74-b0c7-a0bd1a3fbe53"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4192479b055b2b21cb7e6c803b765d34</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6eb51a17-ac61-43b4-b143-702960315b01"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>51ce169debea41314f591290839fd55f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f0acb752-f234-49da-856b-c4487188f8d5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>50f35b7c86aede891a72fcb85f06b0b7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cb922a65-89da-40a4-af9a-db39ba0d5583"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>575836ebb1b8849f04e994e9160370e4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1cf863d3-59e1-437c-b7ad-dd88da1aff34"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>73d125f84503bd87f8142cf2ba8ab05e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b7bc323b-eeb8-4da1-ad82-0bbd909840c2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d22863c5e6f098a4b52688b021beef0a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e1cf1ca2-3b82-4499-a464-27d411fba154"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3ea7bf3b469499f0f6d4a78af865138f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-10cdbd63-b615-43ba-906f-3ff38e20f666"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2d57aa4e7f2f4088f1b96313b24c7602</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-289a5c12-ab3d-4d16-a4e2-7f86a170dc70"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d6a01b61f490488d61dfb9376186d844</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-197c995d-798b-4c39-ac93-8a709c27fae0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b1ee00cec6c2318fa86f320dd7fc99a8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-634443c8-e62a-4ab1-9508-5ad706983db4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6ca59c9c4165796e08ba6ca3eeffdee6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0f45ef31-8176-4181-842d-b44e0f860613"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>66c287675cd4c7172590f71181e723a8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-7e925178-0290-4676-b6ea-5c968af2989f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f1e5d9bf7705b4dc5be0b8a90b73a863</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-03019da0-4e35-44a9-8bf6-c0134cce58e5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">\WINDOWS\ntshrui.dll</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-46df33f3-bff7-48b2-9545-9dea89b2b94f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>update.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e8870f2d-6496-48ea-b50c-14d2f2791c2c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>AcroRd32.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-13c7ff58-1d87-4898-96a0-98ad886763e2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>svchost.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-77dcc436-2e07-47c7-ae81-7fb7cf50a00a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>nwsapagent.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3eff6eba-23e3-4a00-bdac-87d1992d58fb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>update.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-ff53cd17-3267-44fe-af63-ae0859a26161"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>regsvr.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): the File_Name observables in this run give a bare file name with no condition attribute and no path. cmd.exe is also the name of the stock Windows command interpreter, so a name match alone cannot separate a malicious file from the legitimate one; presumably each name is combined with other observables of the same indicator (hash, size, PE timestamp), which is not visible in this part of the file. --> <cybox:Observable id="mandiant:observable-bc60be82-0891-46be-8dd4-1f2447464e33"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>cmd.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-da0cc592-b519-47c3-90fd-a9b9dd694e3c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>ntshrui.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-67c82cfd-e7a3-42dc-87ae-6a626509473e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>ipripp.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b1a94d3c-71a2-4cd3-bf7c-fbd146f3ec75"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>web.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f810aca4-4035-4630-9b91-f9a2b08b5d49"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>dataaa.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d3234aca-7aa1-477b-a767-873e569d15f0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>dc120.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9c596030-7a74-4293-8513-e7bcb9bc2138"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>udaterui.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> 
</cybox:Observable> <!-- NOTE(review): bare File_Name with no condition attribute and no path. firefox.exe is also the file name of a widely installed browser, so a name match alone is not evidence of compromise; presumably it is combined with other observables of the same indicator, which is not visible in this part of the file. --> <cybox:Observable id="mandiant:observable-c4ed36db-92b3-4c62-af77-925e69929e5d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>firefox.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4669a304-91b2-4882-b79a-4e3e54fdf162"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time. NOTE(review): as emitted, this observable has an xsi:type but no property constraints (PE_Attributes below is commented out), so it describes no specific file trait and should not be matched on by itself. The comment at the top of this file says the original OpenIOC is carried as the indicator's Test_Mechanism; consult that for the term that was dropped here. --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): each of the following observables constrains only Size_In_Bytes to one exact value, with no condition attribute. A file size by itself is shared by many unrelated files; presumably these are combined with other observables of the same indicator, which is not visible in this part of the file. --> <cybox:Observable id="mandiant:observable-55dc3ac8-da7c-4158-91c1-1b1b6f02269c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>10240</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c18bf4e6-71c9-4a60-9e8c-c896582d65fd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>24064</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d124c4c2-a338-48b3-b7c7-9eb1987f4f21"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>33280</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a98a90bc-e817-4985-ba97-1a18a4aa1790"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>55808</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-aca8b54d-9576-414f-994b-2440455093b4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>66048</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-dc662c94-c50f-44ba-99c4-a0b4f4df4d73"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>83456</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-08060761-ace3-47c9-b091-1f41a8d335a2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>9728</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-960e594f-6f05-44c7-85b5-eaa2c696f419"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-12-02T08:05:26Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5182a2da-a3ed-4dae-aebb-aabe3dad350d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-12-03T03:07:18Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6f191ca4-9764-4b9a-ac98-091565e1d76e"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-12-22T08:02:25Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5f7bc992-2cb5-4de3-8f83-090e6dba53e7"> <cybox:Object> 
<cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-03-07T09:42:59Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-40b37830-e5a6-4c7d-98c7-952c9b25d4ce"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-03-23T14:34:10Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8fac18cc-a583-4c19-af3c-277390909c1d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-03-23T14:36:19Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1014039c-105b-4461-a51e-6836ecbc1d1d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-04-14T07:22:24Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f2f4573e-7377-4252-88da-7539aacb674f"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> 
<WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-04-21T07:51:21Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-303c96ec-01ef-4f0c-9c62-335ae16c879a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-09-20T03:40:51Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a8f5799b-1b35-4125-802b-e052a5a23605"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-09-20T03:50:48Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5e94b2ae-a2bc-4df8-b42d-af92b62a4636"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-10-27T09:35:26Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7be68113-1abe-4400-96a7-1975c65afa51"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Type condition="Contains">dll</WinExecutableFileObj:Type> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-f6cbabdb-f0d4-4a5d-9108-a05ffd2063eb"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- PE resource terms: a resource of type Other here and a resource named 111 in the next observable; neither field has a condition attribute. --> <WinExecutableFileObj:Resources> <WinExecutableFileObj:Resource> <WinExecutableFileObj:Type>Other</WinExecutableFileObj:Type> </WinExecutableFileObj:Resource> </WinExecutableFileObj:Resources> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-40d193f4-f81c-4284-b5b7-16fcdcaf11ed"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Resources> <WinExecutableFileObj:Resource> <WinExecutableFileObj:Name>111</WinExecutableFileObj:Name> </WinExecutableFileObj:Resource> </WinExecutableFileObj:Resources> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-467aa9b4-db05-4af3-8845-6ec7a77edf55"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- NOTE(review): This observable and the next have no properties: the converter dropped the OpenIOC PE term, as the generated comment that follows states. A pattern with no properties constrains nothing, so evaluate the original term from the OpenIOC definition (the file header says it is embedded as a Test_Mechanism) rather than this observable. --> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8c74d0c8-4c0a-4ca1-b32e-b5fb7e1f9dff"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-573e75c3-d30c-4c7e-9eb6-2413e7dae467"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>uninstallA</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> 
</WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): Exported function names, one per observable, with no condition attribute (the strings are given exactly as written). Export names are easy to change between builds and may also appear in unrelated service installers, so use them together with the other terms of the indicator. --> <cybox:Observable id="mandiant:observable-6490093a-f01f-46ec-966f-2a253086df2d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>installA</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8e855941-0540-4666-91c5-cc00f590ef8f"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>UninstallService</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ac9d0ce4-ae62-4bff-8e3e-51700dbd06db"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>InstallService</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-151c88cd-5f32-4907-95e7-634e59e33c2b"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> 
<WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <!-- NOTE(review): ServiceMain is the conventional entry-point export of a Windows service DLL, so this term also matches legitimate service DLLs and is only meaningful combined with other terms. --> <WinExecutableFileObj:Function_Name>ServiceMain</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cc5d6946-59c1-4051-b4bc-9a75a97b8ed3"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): The MD5 values that follow match one exact file each; any change to the sample produces a different hash. MD5 is not collision resistant, so where the sample is available confirm a hit with a stronger hash. --> <cybox:Observable id="mandiant:observable-05197a99-e93b-4191-88a5-dec580e4a4da"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1e3719bbf854417384a3768e4326584b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c1ac9cfc-add0-45f7-a05a-4af054cab8df"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>79378e59e6a87b50b1e4e9b3db0e2a02</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5cfa6e43-e731-4af2-8c92-1152ba528385"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fa14d823a5d1854131db0dc9eef27022</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-8a6328bf-7339-46ef-9f03-c4c9986717a9"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-79dbd05c-02f6-461e-9354-b4da65c9ac84"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Resources> <WinExecutableFileObj:Resource> <WinExecutableFileObj:Name>IDR_DATA0</WinExecutableFileObj:Name> </WinExecutableFileObj:Resource> </WinExecutableFileObj:Resources> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-120aca89-0a54-48fb-9f61-9b27ea3127d0"> <cybox:Object> <cybox:Properties xsi:type="WinServiceObj:WindowsServiceObjectType"> <!-- NOTE(review): Contains match on the service DLL path. ".det" is not a usual DLL extension, which is presumably why it is distinctive; a substring match also hits any path that merely contains ".det", so confirm how the consumer anchors it. --> <WinServiceObj:Service_DLL condition="Contains">.det</WinServiceObj:Service_DLL> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-36571da0-b86e-4a08-a614-1a209e1476f6"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-624e54dd-f951-44b0-a32d-0f34ec8f5c11"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <!-- NOTE(review): This observable and the next match on file name only, with no path, size or hash. A name can be reused by unrelated files, so pair a hit with the hash or timestamp terms of the same indicator. --> <FileObj:File_Name>wmdmpmsnex.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-09d87a2c-aaee-4208-9493-aa8d1b966aac"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>tapisrvex.dat</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-1ee8d615-fa0e-4cd2-a197-b71a1c73811e"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): The next three observables match on file size in bytes only. Many unrelated files share a size, so treat size as a cheap pre-filter for the other terms of the indicator, not as evidence by itself. --> <cybox:Observable id="mandiant:observable-202bfd6a-5e2a-4282-8615-85cbb1c5e5ca"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>35338</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cf4e1837-80f8-4340-a039-6112da073620"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>77824</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d25ef297-186c-47aa-b8c0-08e28c0ed654"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>90122</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6d6aeacd-647c-4b2f-8be6-b1f4480c5c39"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-02-24T12:42:37Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b2cc3245-40de-4429-8269-de0139d36ace"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-10-21T09:06:01Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> 
</cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f543db81-7f74-4dff-a9de-dfa1cc476800"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-04-09T02:03:14Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): The handle name and the handle type are separate observables here. The type term (Contains "Event") on its own matches a handle that most running processes hold, so the name term is the discriminating one; presumably the source IOC requires both together (composition not visible here): confirm before deploying either alone. --> <cybox:Observable id="mandiant:observable-82d54287-8843-4d88-89a0-f561287a5568"> <cybox:Object> <cybox:Properties xsi:type="WinProcessObj:WindowsProcessObjectType"> <WinProcessObj:Handle_List> <WinHandleObj:Handle> <WinHandleObj:Name>deYT$6#</WinHandleObj:Name> </WinHandleObj:Handle> </WinProcessObj:Handle_List> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b5a890ba-533a-4224-844d-ed32e3daa346"> <cybox:Object> <cybox:Properties xsi:type="WinProcessObj:WindowsProcessObjectType"> <WinProcessObj:Handle_List> <WinHandleObj:Handle> <WinHandleObj:Type condition="Contains">Event</WinHandleObj:Type> </WinHandleObj:Handle> </WinProcessObj:Handle_List> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-21b92127-f165-4bfb-b8e3-63dbf7c1b7e5"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- NOTE(review): This observable and the next have no properties because the converter dropped the OpenIOC PE term (see the generated comment that follows). They constrain nothing; use the original OpenIOC term instead. --> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9867293c-7dc3-4c9a-8591-7dd9e2674891"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> 
</cybox:Observable> <cybox:Observable id="mandiant:observable-383adf55-e7d7-4a7a-9699-ae54e6598cb9"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>ServiceMain</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-08062389-ed83-4d0b-aacd-561f7c3fb174"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- NOTE(review): signature_verified="false" with no other field matches any executable without a verified signature, which includes much benign software; it is a filter term, not an indicator by itself. --> <WinExecutableFileObj:Digital_Signature signature_verified="false"/> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-14000699-c2ad-4c6b-b094-259cd9efcbc4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <!-- NOTE(review): Negative term: condition="DoesNotEqual" is true for every file except the one with this MD5. It is presumably an exclusion paired with other terms of the same indicator (composition not visible here); do not load this value into a blocklist of malicious hashes. --> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value condition="DoesNotEqual">ec1e62ef73d844c6c845acdd4c1f9ce7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6838ff51-0d06-4f6c-b1dd-bf99be6424cc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>68e5bff12ac33ecb98977afed51ebad0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-42ec0996-d428-45e5-842d-b4a4c90ec92b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>929802a27737cebc59d19da724fdf30a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): MD5 file hashes, one per observable, with no condition attribute. Each matches one exact file, so a rebuilt or repacked sample will not hit. MD5 is not collision resistant; where the sample is available, confirm a match with a stronger hash. --> <cybox:Observable id="mandiant:observable-43782ed2-aa44-4562-8bbb-894ac7754ffb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b9b3673a721578b230490f7dfc6df21e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e76c8a58-5483-4882-b462-ef68dbfa7717"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cf9c2d5a8fbdd1c5adc20cfc5e663c21</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4f65e1f7-1c23-4f52-ac70-82a9f053a547"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c04c796ef126ad7429be7d55720fe392</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a700c1db-1286-4db8-afe4-35bec86f7e81"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6b6c4c0e2959df248be90d89899953a9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-43e387ab-bc3c-401f-8738-17ee4fa5a15e"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5ae0efccce47ea16bcc61e4003c1c57f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): The next three observables are substring matches on the file path. The two \Temp\ prefixes are short and may collide with temporary files written by unrelated software (to be verified against local baselines); the Startup-folder path names a location whose contents run at user logon, so a hit there is the stronger of the three. --> <cybox:Observable id="mandiant:observable-5edd238d-f621-40c9-9475-89158f136bfe"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">\Temp\~df~</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fb2b2f26-40d9-4062-b8e5-5baed8987804"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">\start menu\programs\startup\adobe_sl.exe</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3af8775b-f6a0-4de0-aba7-d263e9f0474e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">\Temp\~hf~</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a3d25601-5606-4624-8c24-cfec2e18cd80"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>adobe_sl.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d67fecea-ecc6-4c8e-9a7f-583c32567205"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <!-- NOTE(review): wuauclt.exe is also the file name of the legitimate Windows Update client, so a name-only match will fire on clean hosts; check the path and hash of the matched file. --> <FileObj:File_Name>wuauclt.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-22c8d8e5-9351-4dcc-a233-e4e5818b71c9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <!-- NOTE(review): The name below has a space before ".exe". It is kept exactly as published; a matcher that trims or collapses whitespace would miss it, and whether the space belongs to the real file name should be confirmed against the source report. --> <FileObj:File_Name>spending_cutting_plan .exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-53921f8f-35d1-4e6b-a057-ce73f4f00b8d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>adobere.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cd16bfab-3bb5-400e-a9aa-d1a17338092a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): Five size-only observables follow. A byte count is shared by many unrelated files, so use these only to narrow candidates for the name, timestamp or hash terms of the same indicator. --> <cybox:Observable id="mandiant:observable-15b4eea7-c8eb-4322-8eef-75b2078392e6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>300032</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8e3c32af-c36e-4acb-b7a5-12b091950192"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>301056</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c686e148-69ad-4f99-a6c3-0d36fa6b1e96"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>304640</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b5004160-228e-4105-a695-1a9627476a0a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>305152</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-191e83a8-0cdd-4052-a395-1cc4b3547443"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>8704</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8ec427c1-fa53-402e-afd9-80ab8703c845"> <cybox:Object> 
<cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- NOTE(review): Every observable on this line is a PE file-header Time_Date_Stamp with no condition attribute and no other field. The value can be set freely when a file is built and can coincide across unrelated files, so a timestamp hit needs corroboration from the hash, size or name terms of the same indicator. --> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-11-16T13:02:48Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7a0b2648-bcf0-4ab5-a9fa-9616f684e6c7"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-08-20T12:56:12Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-99dcaf40-1bb0-4883-8fab-e5ecdd8607ac"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-08-20T12:59:08Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-07c5761b-2e96-415e-91d8-44fe06ac927a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-08-20T14:06:56Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-85d1a437-5e83-4906-b965-354ed4924dc3"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> 
<WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-08-24T14:13:12Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-acf8afc7-e008-4cda-9c7e-b7446d5901ee"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-10-16T09:32:33Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d0771524-73a5-48c8-b8aa-e534cae6ab90"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-11-16T13:02:51Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-eaad70db-8b22-4e33-a569-d8967be53442"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <!-- NOTE(review): "CurrrentVersion" is spelled with three r characters. The value is kept exactly as published; a Contains match on it will not hit the standard CurrentVersion\Run path, so confirm against the source report whether the spelling is intended. The Hive element that follows is empty, so the root key is unspecified. --> <WinRegistryKeyObj:Key condition="Contains">Software\Microsoft\Windows\CurrrentVersion\Run\AutoUpdate</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive/> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e1030839-4d91-4fb5-8d1a-55aa85bb5425"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <!-- NOTE(review): Matches registry value data containing wuauclt.exe, with no key given in this observable. That file name is also used by the legitimate Windows Update client, so check the full path in the matched value and the key it sits under before treating a hit as malicious. --> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">wuauclt.exe</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> 
<!-- NOTE(review): This line mixes MD5, size and PE-timestamp observables. Only the MD5 terms identify one exact file; the size and timestamp terms are shared by unrelated files and are presumably meant to be combined with them (the indicator composition is not visible here). MD5 is not collision resistant, so confirm a hit with a stronger hash where the sample is available. --> <cybox:Observable id="mandiant:observable-9ba41a9d-b15f-41ff-adf8-f66b6de632ce"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c627e595c9ec6dc2199447aeab59ac03</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e5511631-bcd7-48ea-90e9-b57607379c15"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f3c6c797ef80787e6cbeeaa77496a3cb</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a72d2656-832d-472f-958f-53af8770f9d7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>227840</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-321f6986-5f70-4f5a-a4f4-c230a3e5f6a3"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2006-10-12T02:38:59Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d8cd2cb3-8ac3-422f-a602-53e3e5f03603"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-c1199dd1-0a29-42aa-9575-f2f2d8152e3e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <!-- NOTE(review): This and the next two observables match on file name only, with no condition attribute, path or hash. Short names such as these can be reused by unrelated files, so corroborate a hit with the size, timestamp or hash terms of the same indicator. --> <FileObj:File_Name>m1.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-427148fb-ede2-44b6-87f5-5ccecae64ea8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>mapi.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-08a890c5-8244-43a2-9cfd-8b5dfe8e2375"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>mapiget.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5b7933a2-322b-4683-af99-fc2e3670affc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>62976</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0797d25a-bfbe-4b97-98ff-e010d22c3f50"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2006-10-12T00:34:06Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dbc4b449-35db-457f-b9ee-ffded2fd7839"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3fc7e909-fdbf-4f07-80c8-434d6871b063"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> 
<cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cf37875adf10fb56c7c6edf86f2b3438</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): MD5 terms match one exact file each and miss any rebuilt or modified sample; MD5 is not collision resistant, so confirm a hit with a stronger hash where the sample is available. --> <cybox:Observable id="mandiant:observable-78e55482-13b7-4d7e-be88-8c791471e3c3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7bea48f1f08e2677df168e0bbe9f19ac</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ae170f81-a81d-487c-8b04-c07883528123"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>16c390a32f9a60bf50396fc86aea0f9d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ac70add4-d1a8-4afd-a0d1-a853cc3b0621"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <!-- NOTE(review): This observable and the next match on DLL file name only, with no path. A file of the same name in another directory, or from other software, would also match; corroborate with the hash terms above. --> <FileObj:File_Name>wmdmpmsn.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e20bf836-d1cc-4bc5-809d-56fae5cc3750"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>rasautoe.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f519fe0d-64a8-4e78-b7ce-b61e21d8e142"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-408e3371-1e28-4c70-ae9e-22346bff725d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>142848</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6680c8c8-94b8-4726-b044-276122132188"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-02-15T13:49:01Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3a43b6c8-25ec-40c6-a371-527dc3f09157"> <cybox:Object> <cybox:Properties xsi:type="WinProcessObj:WindowsProcessObjectType"> <!-- NOTE(review): Mutant is the Windows object type name for a mutex. A type-only term matches any process holding a mutex handle; the discriminating term is the name pattern in the next observable, and the two are presumably required together in the source IOC (composition not visible here): confirm. --> <WinProcessObj:Handle_List> <WinHandleObj:Handle> <WinHandleObj:Type>Mutant</WinHandleObj:Type> </WinHandleObj:Handle> </WinProcessObj:Handle_List> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7d448a24-25a1-481a-85bc-a31f68d1f541"> <cybox:Object> <cybox:Properties xsi:type="WinProcessObj:WindowsProcessObjectType"> <WinProcessObj:Handle_List> <WinHandleObj:Handle> <WinHandleObj:Name condition="Contains">AFX_Ideas_H</WinHandleObj:Name> </WinHandleObj:Handle> </WinProcessObj:Handle_List> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3601a1b3-1400-4eb3-84f4-2fab1cecd8f9"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-37bb84d7-4b82-4d1a-9d0c-14870b79f506"> <cybox:Object> <cybox:Properties 
xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- NOTE(review): The export-name terms on this line use condition="Contains". The pattern "install" is a substring of "installservice" and "uninstall", so it already covers both. The patterns are lowercase while export names elsewhere in this file are written in mixed case (InstallService); whether Contains ignores case depends on the consumer: confirm before relying on these. --> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name condition="Contains">ServiceMain</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-16eee0ce-73c8-4a63-a534-5b06963450ad"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name condition="Contains">install</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b3f26321-571e-421e-862f-d418e19bafa8"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name condition="Contains">installservice</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a1adc445-7f63-4f5d-8b07-06e550d8ddeb"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name condition="Contains">uninstall</WinExecutableFileObj:Function_Name> 
</WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- The observable below carries no property: only the xsi:type remains, and the PE_Attributes
     term the converter could not translate is left as a comment. Treat it as not evaluable
     rather than as a condition that every Windows executable satisfies. -->
<cybox:Observable id="mandiant:observable-2d25335e-80b3-4b05-bf29-cd4051d2d9ce"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Registry terms. Both Key values are lower-case fragments matched with condition="Contains";
     registry paths are case-insensitive on Windows, so a matcher has to compare without regard
     to case or it will miss normally cased paths.
     The Hive elements hold "system" and "parameters", which are not registry hive names.
     NOTE(review): they look like path components of the OpenIOC term that the converter placed
     in Hive; confirm against the original IOC before filtering on Hive. -->
<cybox:Observable id="mandiant:observable-0299307f-b6d6-4e33-90c8-640699ab078b"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key condition="Contains">currentcontrolset\services</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>system</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-63f8cb7f-2bb6-41a0-a20e-cb65b7df03e3"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key condition="Contains">servicedllold</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>parameters</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Start of a run of file-hash observables: one MD5 value per observable, with no condition
     attribute on the hash value. Each term identifies one exact file content and nothing else. -->
<cybox:Observable id="mandiant:observable-bcee073b-2aa0-446d-9df3-2e60dc1ec4e1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0df42947e167cd006b176d305c08d57e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-f784a8db-f918-4317-9ca8-b727d45a1f02"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value>024fd07dbdacc7da227bede3449c2b6a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ab1f1988-84f0-435c-9705-e2560fc15178"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0fed203f3df6a82c9124f24aa3d9d75d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d1a3937b-b842-4bd0-b440-10933e38cf51"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1f9b32bac55ba4c015181ebf55767752</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bf1e5c90-7411-4cf1-952d-3cb8957edcaa"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>225e33508861984dd2a774760bfdfc52</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-65958046-17f0-4020-ac0d-cfb3f162e6dd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2479a9a50308cb72fcd5e4e18ef06468</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-58f61fa4-27b6-41c2-85a9-fcf42ff1d4d1"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>255cd53f9bdb6f3755e621885cb34382</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f9e23c6a-6d57-4454-988d-6277c01b9da2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>28dbd86bd86eb9153ecb20d883c41ae0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-73064b86-b3bf-4e8f-ac8c-4328cfe8e27a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>335df3ffb8cee61c20ab91a401204df4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c16f0c10-cbcd-4887-962c-9f69203e2464"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3d0c1dc5ac55f6d0e6b7fabfeb5158f5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ffdd76fa-2a4f-4c64-8567-d34437fc95b8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>456d298649a7ec31a7250ed9312ebbaf</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-f6abf31b-046c-4b97-8a2c-e2730c5d1c02"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4cabfaef26fd8e5aec01d0c4b90a32f3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7b73a5da-b774-43e1-9009-3ac306998c40"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4cd3bed14aaffcf61f4d2948484c4c90</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d621b0bb-3752-4bbd-8cf1-e02f28359314"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5613e6d7111b327307c02bec1701ac3f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b36c8593-4b41-46b3-90a9-ff2c856869c1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>580a4c05982accc678a72c366b45815d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b8ff6f03-aa00-4b25-8f74-251af63ef7a4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6461ea41f179e660c40ed65aee1a4a2d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-cb0e98b4-0169-4058-9541-edcdbead06ae"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6510cee34da30c7ef5e5e39980402257</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-af556b1d-78d1-4740-92ac-4a5fe8723a74"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>69dc1e1ee273e531e91c60eb86396cc8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-6d5e4516-3d05-4ba0-934a-6b080110fd1b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>75372eb37415140fa5464f1ebb8a0e74</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Repeated values: the next observable carries the same MD5 as observable af556b1d above,
     and the one after it repeats the MD5 of observable 6d5e4516. The observable ids differ,
     so the repetition is in the generated data itself. Deduplicate by hash value when loading
     this list into a matcher or when counting distinct samples.
     NOTE(review): presumably the hashes were listed twice in the source IOC; confirm there. -->
<cybox:Observable id="mandiant:observable-ca304672-8046-4f3b-a033-d38d845f6714"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>69dc1e1ee273e531e91c60eb86396cc8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-6cdcf31b-efe4-4b9c-90cd-87761deabcc0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value>75372eb37415140fa5464f1ebb8a0e74</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3e2422bd-fd0c-4575-aec9-5a4c0e6d8f84"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8c57b287a1d2140ccedd6cd097d62ded</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e559a0ff-4275-48da-bb2f-d90a0d75d0cf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9548e5ed4fbacd0ed4a9d6a27f5d8fec</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ac310004-4ceb-41db-8f7f-8ea4700923df"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>97c83d85bd76a38b13cea960a1a97f70</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9c209bb5-f2ab-44f3-a518-f89763c9b66a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>99882234b814b860a22b4d441b92fd82</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7ad0528d-91d9-40e7-8d01-920ca28cc8b6"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a360b16c19ab9dea6763f777257c5f38</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-456edb39-0d5c-4adc-ba8b-278d7bed0cad"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>abff707cb54a6e5a9fcbb3fef74dbddc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c29c9ebe-4506-456b-8ffc-3d2cbe4a5e36"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>adb2fc194b960e694aa450161f1df6fc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b2b647cc-befe-4a2d-82a9-64b5518b78fa"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b36168ea438520875c621f5603db003f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4de9455d-b4f8-4fbe-b706-101511d6adb0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b7dba6184f07b1e824362a2307d91ae2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-b2cf2de9-b2e6-478e-8260-696c07f7c858"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bfcae0468de0c7bcf92e9989589082f1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-07acd0ad-effe-40c1-9143-b59ee65cdc82"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c425b8782075da33cba5aae5ad612582</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-61ab04b2-835a-49e1-b48f-f2892a364a70"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cfc6112254a69030521d0d2bba152d4d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3bfabbc3-2613-4e70-9864-55928eff4046"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cfce9478c880934b3548c3022a956e14</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ece468aa-3ae7-41e2-b655-82c9bf7ae315"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d60ee4a39667a733c075bb7f7b36285a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-09c0befb-e39d-4ce5-9598-b079759eb60e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>da5ff7927d608d7ccc7495939d457bd3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-461423f7-2d3d-487b-a28e-f809412cc841"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ea8b6c2c083d6b7b2b6ebc015b0488ca</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f3c52374-9e6e-4d0a-8eb5-0f8b0bf2b600"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f3b54c188185ee0921848b3a6ad4751e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-de464108-ff1b-43e1-9a9d-a2fa3a0cc48c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fade2270a6c7cb47893ac600a9a0509f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9b46173f-f99b-4fd4-9ede-672d412f9274"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>fefa3638e4d6f2e00b5194ae3fa0c931</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-37f16d0e-697d-482d-bf13-2f747f849b54"> <cybox:Object> <cybox:Properties xsi:type="WinServiceObj:WindowsServiceObjectType"> <WinServiceObj:Description_List> <WinServiceObj:Description>Depends COM+, Collects and stores network configuration and location information, and notifies applications when this information changes.</WinServiceObj:Description> </WinServiceObj:Description_List> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d0c8e2c2-cf76-44dd-afb1-fcb042e5b830"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>9728</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-099663c2-ecb6-492d-8fa3-5868277c0ce5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>10752</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d9b5ddbb-4673-4a2f-855a-65e4a56ca940"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>13824</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fa82306a-4865-4811-bf4b-8b8dab22ba04"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>5632</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2a7e7340-2701-4635-90ae-335593798d87"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>8192</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-f9da710e-16aa-4155-9649-7138eb6f706d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>9216</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5efbf792-7229-451f-bef1-3580de79d99f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>13312</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bff734c9-fc24-4a98-bfa9-97aba5a23ab7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>14336</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-11613394-2a83-4e3e-a371-1a5209c2545a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>15360</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8e305cdc-46cb-49af-9072-e1687ecd6535"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>16896</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6ddc8685-a57c-47ee-88a9-9d6caf2ef3a9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>17408</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e272e639-d854-48b1-85b4-729d1f3412e1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>24064</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cc9bb9f9-a23b-4515-8335-21cf84d3144e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>38400</FileObj:Size_In_Bytes> 
</cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Start of a run of PE header timestamp observables. Each gives File_Header/Time_Date_Stamp
     as one exact UTC dateTime with no condition attribute. The header field is a 32-bit count
     of seconds, so convert raw header values to UTC before comparing. It is written at build
     time and can be changed afterwards, and unrelated binaries can share a value: use a
     timestamp match to corroborate a hash, size or export term, not as a detection by itself. -->
<cybox:Observable id="mandiant:observable-f5fc9e99-316c-4ae8-8f3e-84772f78898f"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2007-07-13T07:46:05Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-b829355c-8ac2-4229-8880-922a66ffa047"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-03-31T15:46:00Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-7a99942e-d13d-47ef-8ffc-61f123f8a5dc"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-05-17T01:04:15Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-dd7dbf24-1aa2-4191-81eb-a0021aa207d7"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-06-15T09:43:38Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable
id="mandiant:observable-87dc59c7-5a89-4076-acc5-efe198b49386"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-08-27T08:41:19Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7dd519d0-093f-407f-b464-ac494065beed"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-03-12T12:39:30Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1f2ecedb-7b3b-4f93-b15a-34019332a313"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-06-16T01:00:08Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d19ffaa5-d99d-45e7-85cf-f4faf0608147"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-06-03T03:13:08Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-165af123-f86a-46fd-97d9-52291b7d5017"> <cybox:Object> <cybox:Properties 
xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2007-12-14T01:09:51Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d8dc58d8-bf6d-4001-bd27-075dafdc0459"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-09-28T01:00:25Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-24a7c3af-87f9-4924-8e72-6a42a3b805fa"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-02-24T09:37:56Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-93015983-823d-43d8-85a7-fb8fa98cf7aa"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-03-16T03:27:48Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-140916f8-ff79-4551-8961-8e859cbebd84"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> 
<WinExecutableFileObj:Time_Date_Stamp>2008-08-11T00:24:48Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c828af97-234b-4fd9-9798-904962074ee4"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-07-20T06:57:31Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-32ee351e-454d-418c-98e8-9b7d8ef8127c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-11-22T12:38:38Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f963988d-2e86-4acb-a573-a4e762417934"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2007-09-18T00:05:50Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cbd3d3bd-d8db-444c-9269-7d6b3251ed0b"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-09-25T08:39:16Z</WinExecutableFileObj:Time_Date_Stamp> 
</WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-a0383e59-8359-47bf-94ab-186146bf6607"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-10-11T08:17:47Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Start of a run of file-name observables. Each gives a bare File_Name: no path, no hash
     and no condition attribute. A bare name is a weak term; how these are combined with the
     other terms of the indicator is not visible in this part of the file. -->
<cybox:Observable id="mandiant:observable-261f110d-fa04-4ed1-95e8-8c90ff010652"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>ersv.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-2ed2480e-1ba5-4fcb-a039-c0ded1145a0d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>esrv.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-0d2e918e-637b-4abe-ab70-a8e9203bf4fa"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>eventsystem.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-a0b7a583-c221-4133-8b05-bdf11fe9c3fd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>eventsystem.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- iexplore.exe is also the file name of a stock Windows program. This term cannot tell the
     two apart; evaluate it only together with a hash, size, timestamp or location term. -->
<cybox:Observable id="mandiant:observable-cbcf3f56-bf7a-4f53-8ca3-3e7a8d39b3e1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>iexplore.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-68b40394-3e93-4d71-9d7e-e893d61f9a1e"> <cybox:Object> <cybox:Properties
xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>ipripp.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-de395497-eabf-4d17-bbc4-344546d92bf4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>lao.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-412dc589-3186-41a7-acbb-fe76f1af2e84"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>microsoft.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-6ba4376b-78a3-4f87-96fd-9a5adda26d63"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>n.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-96c5afb9-5e53-4cf6-a9b3-7a75bd7ff859"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>nws.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-a2b9fb4d-e28f-43b7-93fc-ddc855e8399f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>nwsapagent.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- svchost.exe is also the file name of a stock Windows executable. The term below gives the
     bare name only (no path, no condition attribute), so it cannot separate the two. Evaluate
     it only together with a hash, size, timestamp or location term; how the indicator combines
     its terms is not visible in this part of the file. -->
<cybox:Observable id="mandiant:observable-a7f057f3-97a1-4c7a-8168-28102a68bf9c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>svchost.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-1241a277-5fff-4d2e-8805-e71ea2ab1a4f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>vediosrv.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable
id="mandiant:observable-d0079169-d149-404e-84a9-a02387d18b37"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>wauserv.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- NOTE(review): the next observable was emitted with no properties (its PE_Attributes term is commented out), so as written it constrains nothing. The file header says the original IOC is kept as the indicator's Test_Mechanism; evaluate that term there. A matcher should not read an empty Properties element as a wildcard; confirm for the tool in use. -->
<cybox:Observable id="mandiant:observable-bca5a60c-0b21-42f4-94ba-213bc4bd0edc"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- NOTE(review): export-name observables. ServiceMain is the conventional entry export of Windows service DLLs, and the install/uninstall names look generic as well, so each is only meaningful together with the other terms of the indicator that references it (that composition is outside this part of the file). No condition attribute is set on Function_Name here; TODO confirm the matcher applies exact equality. -->
<cybox:Observable id="mandiant:observable-1e89cfa2-ffe7-46cc-9b04-abf39ef5adfa"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>InstallService</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-f99ef512-181c-4b98-8bbd-7331b16951e8"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>ServiceMain</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-b657df39-9a41-4886-8f41-4bf19c8e1aaa"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>UninstallService</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-ea45b183-0aed-4345-b536-d87a43145beb"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>installA</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-8047965d-a942-4e6d-b51e-33dffb2e0bcd"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>uninstallA</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- NOTE(review): two more observables with no converted properties; they constrain nothing as written (see the converter comment inside each). -->
<cybox:Observable id="mandiant:observable-55ab17de-e022-4a7d-96cd-98b1e6c2aa49"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-d6f80663-1fa7-4e9f-aa16-f02dbdc363df"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> 
<!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bdbac1c0-2d8b-4714-8757-2e3f82cd17c4"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c377cc91-f48d-4d1a-99bb-656cf3b706d7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1a0c7e61bcc50d57b7bcf9d9af691de5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-15195f31-be5e-4e16-9d30-6f3db6107b28"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a7117612ea6b6fa3307943f5ed21fbb4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5da94f8b-0a61-4229-9649-031bcc12e942"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>62ea10608f0d54cd284e8d7be32f206e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-aae5b567-4ab7-4fb2-98c8-cf684b2ad9aa"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>4749f6336eb86b5fa7029661f88ded20</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-27b93d21-246e-4a67-b099-e105dec428c3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>be74bf5afd4ba64cc8ce237307e9254d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c80c0b77-8f85-444b-8b25-91cb89daaf23"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2b379d5346ffd386c28038630a9b0292</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bba92888-f287-481d-afa9-f41c1f2324d1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0d0240672a314a7547d328f824642da8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-95724da5-c00f-4aa4-98e2-811d28dafe35"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f1eea61e49a3f86e95836d1c9f67e074</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-aaad91e6-b2d7-46d8-8e26-afb74292e14b"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5790c7c09735cf1ccf10625c7cd87f5e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-75bcbb10-444e-4af6-9ded-45136b5b2199"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>656baf38fa5ee776e2576cead664d004</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ab0ff0cb-b591-4dbc-852d-0b6c023738a6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bcbdef1678049378be04719ed29078d2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9dbcdf25-be33-4433-9451-cd1594895c2b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e9df2f69ed3d9c895ad9d399eaff1bc8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-17e0c2b6-f87c-4ec9-9535-5e4e084a1659"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0469a42d71b4a55118b9579c8c772bb6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-60ec0c3f-9729-4a8a-b34d-732951737b77"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9e860622fee66074dfe81dcfcc40c4e2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-43633d51-6eea-47f8-bb88-2b612cc8bc1e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9ecf9d5d8872fe55ab120265c3749ffc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f1d15860-1f3d-4617-8f48-3be336bfa1f6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6c5c5e4049265fffc87973f3e4978b26</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4fd558fc-f3a9-45d0-affe-b0d751327ce8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d4c1bfc5cd3e33643a562696d5d29bf2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5148c205-0c23-4598-b620-0693e63a4c41"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>11d350127ff1e9ecd665c34326475584</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8fd1c9ac-5b0d-4b4a-a421-072021d1b4b2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d8fdd9cfca25315635378dd2564094ca</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ceb7a04d-314f-4436-8b11-9bdfe200e22f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>082cc969b3eb6786e3e951b450b8de0d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5ee5573c-3833-45b6-a5a5-d52846fd6eaf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0cf8259502d178a099ab2852e2bddbe1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2a80e6d7-fa63-446b-82d6-9c45c250326c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>17199ddac616938f383a0339f416c890</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d4ec4576-ff12-4456-8ccc-248b18672a4e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>sap.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> 
<!-- NOTE(review): name-only File_Name observables; a hit on the bare name is not conclusive without the other terms of the referencing indicator (not visible in this part of the file). nwwkc.dll appears twice below under two different observable ids, presumably converted from separate IOC definitions; when loading these into a matcher, de-duplicate on the value, not on the id. -->
<cybox:Observable id="mandiant:observable-cdc827e8-5a3a-42b6-bbad-e8e4489f3616"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>nwsap.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-46890225-6097-4468-9620-c5572c663a22"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>nwcwks.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-b2af7f69-e2b7-479c-a8e9-41f755058158"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>iass.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-1fa8eb07-242a-468d-b792-733bdf12a6f3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>nwwkc.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-4aa84fae-cfed-490f-8325-29ce00097afd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>irmon.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-a51199a5-b5ac-4b88-878f-75df9dfe7dc4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>nwwkc.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-617f3e64-5fdd-4ae0-bc06-cbd12ce8f7f0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>iassvc.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- NOTE(review): the next two observables were emitted with no properties (the PE_Attributes term is commented out), so they constrain nothing as written. The file header says the original IOC is kept as the indicator's Test_Mechanism; evaluate the term there, and do not let a matcher read the empty Properties element as a wildcard (confirm for the tool in use). -->
<cybox:Observable id="mandiant:observable-b0f37fe1-4464-4e35-b378-a9ce2965f672"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-091bdb12-ebc2-4e1a-a8c4-c548aba4a650"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- NOTE(review): Size_In_Bytes observables. A byte count alone is shared by many unrelated files, so it should only narrow a match that other terms of the same indicator have already made. -->
<cybox:Observable id="mandiant:observable-ce6169d0-3325-46a9-9c98-11cf6f780f5e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>173124</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-90fae1d7-2cc6-4f4e-b471-2b9dea012c1a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>217088</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-7f004670-d978-4a24-8431-675d2290bdc2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>217516</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-c0f7ed6a-c672-4f95-a00f-71f795282657"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>37092</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-af13e5f2-8cf3-45bb-bc87-21d778b4f26a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>41188</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-6350d73a-0cf9-4e3c-a704-5eee07be7256"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> 
<FileObj:Size_In_Bytes>42052</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e4dab820-2e18-4a8b-b8a0-5b1248582917"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-11-10T06:36:06Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c1b8c1c7-c06d-4b63-9cd5-d2e7aa87fb21"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-11-10T08:29:48Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-22057da1-b30a-4599-b4bb-38cf23fbb901"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-02-01T02:27:57Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2e42b550-bc10-49d6-a825-f874c6e14c04"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-03-13T07:09:49Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-72a5ab60-1f47-424d-813b-ae65a758e225"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-07-08T13:30:46Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bd8f33e8-6a47-4dcf-896c-5225c02a8bd9"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-08-28T02:17:30Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b9b87ccc-5aa2-4554-824d-787a850b7dac"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-02-25T07:48:23Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a0bfe4f6-d8df-4d11-876b-08ef669b4553"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-09-09T03:19:45Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-aa1b340c-5e61-4f8f-9f21-8e87e14fdaaa"> <cybox:Object> <cybox:Properties 
xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-11-10T01:41:49Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5227b863-03a0-40f4-9fd2-8004d33de622"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-12-13T09:25:02Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b206336f-db82-4f51-a590-cf497a53eb6d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-12-28T02:34:43Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-318ccd10-f142-4ab1-a8b5-93f87f1664fd"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-01-10T06:58:27Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-67cb8837-c241-494f-a7c4-f10bac886793"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> 
<WinExecutableFileObj:Time_Date_Stamp>2011-03-29T08:07:39Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b78e17ba-ebb5-448d-8e9e-c120e64f337a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-04-08T02:27:33Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e002b6cf-c28e-402a-b5d0-d4c3e5e69e66"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-04-20T08:04:20Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4ac95aef-22ec-493e-a823-83507bc603e1"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-10-27T07:47:01Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a8d538dd-06c7-4a41-8b60-cad319d1ca2b"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-02-28T15:35:51Z</WinExecutableFileObj:Time_Date_Stamp> 
</WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- NOTE(review): condition="Contains" makes this a substring test on the export name. ServiceMain is the conventional entry export of Windows service DLLs, so on its own this term matches a large amount of legitimate software; it is only useful together with the other terms of the referencing indicator (not visible in this part of the file). -->
<cybox:Observable id="mandiant:observable-5d888420-4bb5-4529-a187-d3413ffb84a4"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name condition="Contains">ServiceMain</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- NOTE(review): no properties were converted for the next observable (PE_Attributes is commented out); it constrains nothing as written. The file header says the original IOC is kept as the indicator's Test_Mechanism. -->
<cybox:Observable id="mandiant:observable-7b9f4be6-3c98-4e31-bcc8-f7ebaaa7d949"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- NOTE(review): section names of the form .vmp0/.vmp1/.vmp2 are typically left by the VMProtect packer, which legitimate commercial software also uses. A hit says the file is packed, not that it is malicious; weigh it with the indicator's other terms. -->
<cybox:Observable id="mandiant:observable-862fa956-62d3-4aaa-a150-b40a1b3cdc01"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Sections> <WinExecutableFileObj:Section> <WinExecutableFileObj:Section_Header> <WinExecutableFileObj:Name condition="Contains">.vmp0</WinExecutableFileObj:Name> </WinExecutableFileObj:Section_Header> </WinExecutableFileObj:Section> </WinExecutableFileObj:Sections> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-458b59bf-74af-44cc-9b41-e197cc79bd8a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Sections> <WinExecutableFileObj:Section> <WinExecutableFileObj:Section_Header> <WinExecutableFileObj:Name condition="Contains">.vmp1</WinExecutableFileObj:Name> </WinExecutableFileObj:Section_Header> </WinExecutableFileObj:Section> </WinExecutableFileObj:Sections> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-d02c2fc9-6726-4f1e-97e6-20f07fb0bd03"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Sections> <WinExecutableFileObj:Section> <WinExecutableFileObj:Section_Header> <WinExecutableFileObj:Name condition="Contains">.vmp2</WinExecutableFileObj:Name> </WinExecutableFileObj:Section_Header> </WinExecutableFileObj:Section> </WinExecutableFileObj:Sections> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-9f4be87c-6055-4c18-8579-9bd9f9d051c4"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- NOTE(review): MD5 is the only digest the file gives for these samples. It is adequate for looking up these exact files, but it is not collision resistant and any one-byte change to a sample defeats it, so do not reuse these values as an integrity or allow-list key, and expect rebuilt variants to miss. -->
<cybox:Observable id="mandiant:observable-aaff5b41-1bc2-44bd-a983-e7e854200486"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bea12b37cc1c301d49875595e85b22c7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-460a7ef7-bac5-4457-8dc6-ada51fd21423"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>38c4cc6cdb6d6af2ab7f4308004b78a3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-e16f0a1c-d951-4e28-9f5b-b82769c8e849"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> 
<FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>052f5da1734464a985dcd669bff62f93</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- NOTE(review): the two process observables test the image path with condition="Contains", a substring match, while the two File_Name observables after them have no condition attribute. The same name is written lssavp.exe in the process path and Lssavp.exe in the file name; Windows file names are normally compared case-insensitively, so confirm the consuming matcher does the same or one of the two spellings will miss. -->
<cybox:Observable id="mandiant:observable-f08b5df1-8bf5-410a-b0e4-e1ddb59ba5d0"> <cybox:Object> <cybox:Properties xsi:type="ProcessObj:ProcessObjectType"> <ProcessObj:Image_Info> <ProcessObj:Path condition="Contains">lssavp.exe</ProcessObj:Path> </ProcessObj:Image_Info> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-df7d4c5f-4284-490a-a305-184b0bc6c36e"> <cybox:Object> <cybox:Properties xsi:type="ProcessObj:ProcessObjectType"> <ProcessObj:Image_Info> <ProcessObj:Path condition="Contains">suicide.exe</ProcessObj:Path> </ProcessObj:Image_Info> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-f1a53a6b-b07a-42c0-a536-52fc85ea504e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>suicide.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-68314bc8-d123-474b-b099-307be8444ebd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>Lssavp.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- NOTE(review): the next two observables were emitted with no properties (PE_Attributes is commented out), so they constrain nothing as written. The file header says the original IOC is kept as the indicator's Test_Mechanism; evaluate the term there, and do not let a matcher read the empty Properties element as a wildcard (confirm for the tool in use). -->
<cybox:Observable id="mandiant:observable-45be3930-807e-4944-81cc-056f84180d17"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-47b65690-b881-434a-aa51-eaef07b2d1d3"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- NOTE(review): Size_In_Bytes and PE Time_Date_Stamp observables follow. A byte count is shared by many unrelated files and the PE timestamp is set by whoever builds the file, so both are weak signals that should only narrow a match made by other terms of the same indicator (that composition is outside this part of the file). -->
<cybox:Observable id="mandiant:observable-55ee87cf-467c-45d9-8193-e06417c649da"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>45056</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-e4c52af8-1b7a-4445-85f7-27be4bacf0c4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>45060</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-73a5f71c-d892-4314-a09a-f3825878f366"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>45065</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-4096f69a-e7df-42dd-b074-5a6d8d3bb7d8"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-03-24T13:16:00Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-fc68080d-e355-4e8a-a364-0fa53212491d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-04-16T09:35:24Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-c1add49c-34fa-45bc-8cba-3bb3b6b94d36"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3fc26910f9c31bd9ba3ccb09132d9ca3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Each file hash observable here carries one MD5 value and nothing else. An MD5 match identifies one exact byte sequence, so a rebuilt or padded sample will not match; MD5 is also not collision resistant, so pair hash hits with other evidence where possible. --> <cybox:Observable id="mandiant:observable-4de1e7fa-5a91-48c3-83bb-3ad3df36f9a8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f81991fab3b7d58d66629e26d21176ed</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-16d2c8e0-8743-47d9-b0ff-11334904bc98"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2198fea94bb79b001fcfd3e03b269001</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-48884b2b-ad30-4db8-8f3c-581f22d62b90"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>dba356a4726b94731e6ea97aa73cfc3f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8232c084-291c-4708-8621-630359641277"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a44312eb63de002383a57b5a93271cdc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-182b86fb-ffec-4448-816f-e25e0ba3e927"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9f11bc08af048c5c3a110e567082fe0b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1ecb09bf-e519-408d-a92a-4bec3ef167b1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ef349196b0ffef5a02d30413c8dffc7c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-469d5a32-a749-4e77-801f-28c5fe0f0121"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>76c1b246703a10cb6e71a3e5b7b55b24</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fd7d9f58-aa4a-4fa0-bbd5-6ed59aa9a8ab"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>dc1cff84900afc9d292b305f9b9aae34</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-22eec523-087c-4b59-902c-b2a5f1df45f0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bdd2ad4c0e1e5667d117810ae9e36c4b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-677903f5-6e57-4b39-b290-151ba6e64fed"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>277f95bff2e0fe317f86b5010bd83a18</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1e1b5109-1c26-47f3-b27f-e3da4d1bf5dd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1aea4d24f3bd2c51288ad643fc66e0d2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-67dc9478-25b9-44eb-bb64-e7849b9eea43"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d197c388184fef263b7944a7186bc6db</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-69efd08f-e2f8-4cad-8cf8-d223be8ccdd9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>129c6cd9d2aa895cf6fa137fa1d3a188</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f6040ecd-84ef-4406-9997-0ffdfc6532e1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>c8d2b7f92fff545b3b19e9b1e1057071</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-05f84536-25ed-4200-bc4e-85854a2520bf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5bcaa2f4bc7567f6ffd5507a161e221a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-99592600-6255-43e4-bdca-68c6e8d1d0fe"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>438983192903f3fecf77500a39459ee6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0a172ac5-81f9-4e74-b7fc-e8fd3b156ff6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>59620925bf1c4f760c4bf225c7efd6c0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5f3ca7cf-f431-4d67-874d-ce0429742120"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bca9bd0abbb31a422458abf521a6a2fb</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4753ad6e-f925-4d00-8b8a-93cd9a793961"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>db5805604f84b7303fa04feb18ce8271</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-16ff8b63-7417-4ad3-af39-f5fc3293a81a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0e84132e5ad04351b644b8d8743fc4d3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1e515fc4-5298-4835-ac93-ccc29f70c273"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a2534e9b7e4146368ea3245381830eb0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a96fc990-5cbf-4655-8119-ae542b9eb1a6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>04f481d6710ac5d68d0eacac2600a041</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6ecaf030-ef79-4a73-9176-cf8add0928ae"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bf0ee4367ea32f8e3b911c304258e439</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-c89cc114-47b9-4900-bde2-eed6e36fb1b0"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <!-- NOTE(review): Hive holds "services" in this and the next observable, which is not a registry hive name; this looks like an artifact of the OpenIOC conversion, which the file header describes as lossy. Presumably the intended location is a key under a Services subtree; verify against the original IOC before matching on Hive. --> <WinRegistryKeyObj:Key condition="Contains">devfs</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>services</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4e70e655-7d8b-47e3-87b2-2b78e4d24e4c"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key condition="Contains">oseasv</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>services</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- File name terms follow, none with a condition attribute. A file name is easy to change and several of these are short or generic, so name-only hits need corroboration from another term such as a hash. --> <cybox:Observable id="mandiant:observable-33b87f92-bfe4-4cbc-a278-9f23b62c7872"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>sacard.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d7e3e563-91f7-4e47-bffc-41ed83c6dcf5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>mci.jpg</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8711b161-c87c-49ef-95e3-6e911e29df38"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>dfhost.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a5a39c19-de7c-4537-b28e-eecb16ad5a69"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>wmicide.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- wmiprvse.exe is also the file name of the Windows WMI Provider Host, so a name-only match is expected on clean systems; it needs path, hash or other context before it means anything. --> <cybox:Observable id="mandiant:observable-3fb9550e-647e-4470-844d-d3e4afbdfac4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>wmiprvse.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-0f962e45-4e79-453d-b246-9d88c2e3ba3a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>listen.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9be9c7e6-ef4b-4098-a644-a81f62a47a68"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>oobewmiprvse.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- "a.exe" is a very short generic name; expect unrelated matches unless it is combined with other terms. --> <cybox:Observable id="mandiant:observable-449d46a7-a9bb-4732-ba06-e10eaa0bc64d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>a.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-01d37248-c597-4266-95e1-6aabc1f7c1c9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>msctcwmiprvse.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-11e35c8c-ef8c-4000-b312-040c3e20d217"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>winsrv.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f58b9ef8-d1e4-4c30-a610-cde6f2ee64c0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>adress.jpg</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f3768548-3229-44e3-9d18-5db1c1644dc7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>adress2.jpg</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8ba28033-24e9-4b18-868a-0e239729c5ed"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>abc.gif</FileObj:File_Name> </cybox:Properties> 
</cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9fed2d7d-2f5d-491f-b5ce-0183a298a3a2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>devfs.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6522aad9-947b-4f63-a2be-20d0d0f26a9d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>cft.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bfdf0133-a503-4d67-be46-2cfb4be9f305"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7927d9ba-06fd-4a77-b3a7-cb3038d6afb5"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-87b67e2a-ca0d-481f-b39e-1837ed188a57"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>11264</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b9322946-8901-4d77-a1be-e466fd6601a4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>13824</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cb8c47c3-6fe5-49e3-b6c6-2d51ee247717"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>13825</FileObj:Size_In_Bytes> 
</cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c348c561-9c3f-49b9-9808-a170c48e5461"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>15872</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-36cfc9da-bf4f-4c12-bfef-2f840b50730e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>15873</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4fdee7b7-190e-4198-a3a7-bd46c5b2dfe5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>16384</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-55820c9e-d099-4e0f-abe7-79d4d5e29ea8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>8704</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c5173eec-a8ad-4064-9ebf-8d8991e2eb60"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>9216</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dfb7e07f-0306-4ec0-91be-26410393f1b4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>9728</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2eedbeb8-e2cc-4cd4-9dfa-ef29128b1f76"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-07-02T07:45:46Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> 
</WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-51c7acd6-9d75-4ed4-a439-48c08b52b930"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-10-27T07:23:52Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-86ce12af-1d2c-4de8-b488-aa1dcd582817"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-11-11T06:33:02Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7805a253-7812-4d78-baee-3f397ecb4ffd"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-06-29T00:31:41Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-79829e8c-e486-4988-8985-72798b068a19"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-08-04T02:47:55Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-9e3edd07-bc07-4e7b-a5f2-df985855a0ca"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-09-19T08:33:34Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b5a279f6-2539-41c7-97c0-c95e4072b099"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-09-19T08:34:11Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-593686f2-abdd-4550-8c5c-564b1393afaa"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-12-06T00:38:26Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8147833c-a9c1-405a-b127-02d64bd9b75b"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-04-21T16:30:21Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-47c27957-4181-4db6-a75e-bfaa93aa1e32"> <cybox:Object> <cybox:Properties 
xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-02-28T11:48:43Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): this description text appears to be that of a legitimate Microsoft Office service (presumably reused so the service looks benign; confirm against a clean system). A Contains match on the description alone would then also hit the genuine service, so pair it with the Service_Name terms that follow. --> <cybox:Observable id="mandiant:observable-8efe257a-6b96-4e36-8729-1f3694c81b9c"> <cybox:Object> <cybox:Properties xsi:type="WinServiceObj:WindowsServiceObjectType"> <WinServiceObj:Description_List> <WinServiceObj:Description condition="Contains">Saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports.</WinServiceObj:Description> </WinServiceObj:Description_List> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Service name terms are substring ("Contains") matches on "DevFS" and "OSEASV"; whether the comparison ignores case is up to the consuming tool, so confirm before relying on it. --> <cybox:Observable id="mandiant:observable-fea984ed-f114-4ab0-aa3f-242eedd4e9fc"> <cybox:Object> <cybox:Properties xsi:type="WinServiceObj:WindowsServiceObjectType"> <WinServiceObj:Service_Name condition="Contains">DevFS</WinServiceObj:Service_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fde7acb4-88a3-46ee-a098-ead6ed6e3907"> <cybox:Object> <cybox:Properties xsi:type="WinServiceObj:WindowsServiceObjectType"> <WinServiceObj:Service_Name condition="Contains">OSEASV</WinServiceObj:Service_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): Hive is empty in the next observable and the key text starts at "services\", so the hive and leading path are not given; the match depends on how the consumer normalises registry paths. --> <cybox:Observable id="mandiant:observable-1c56079b-e20c-4bb0-a4aa-983bad429b05"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key condition="Contains">services\devfs\dependondevice</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive/> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ff1d640b-7855-4b82-8d5f-a3a40aba300d"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> 
<WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data>plugplay</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-89d01fdf-5347-4deb-973a-6014be53b868"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f627990bbe2ec5c48c180f724490c332</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-10ceb470-6f01-4b8a-944c-664851ad8c59"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ea7309fa59e9347a0715f164edf6b200</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-63e0fc42-2bd4-47ed-8ec0-1806f476a424"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b74022a7b9b63fdc541ae0848b28a962</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-783c9b4c-e04e-4ee3-a5a3-18222996ee84"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d2c616bf238fc18f9ea0a1643bd2d4bc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-97d31203-6d5a-4568-bf5b-495775b1c5f4"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>88c7c50cd4130561d57a1d3b82c5b953</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9ab5d4a3-8172-41f6-ad34-b27086d2fc68"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0ff48a336655869a74611236e6e2d249</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2e19ed14-e88a-4beb-a45f-64f590d81fa8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ec8c89aa5e521572c74e2dd02a4daf78</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-07cb9185-063f-430d-b0df-029e31f502bd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>973f4a238d6d19bdc7b42977b07b9cef</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4bae2960-7c8a-4d85-91c5-328e6695b792"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>165ef79e7caa806f13f82cc2bbf3dedd</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-8ec00ab0-0761-476c-8b7b-e44777b2739d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ef29229f7b633f634db3a5c49a3f4a1c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9f60046a-bba4-47f4-8d4c-c2b24ad0e510"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3f34e41d8ea034e6246ef6426bc91336</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-83dd19a8-795b-4267-ad35-a4e542c1a1d2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d263fed2e1c18f2cb439afcef0cd1b45</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5c763b02-2f45-49db-ae6d-df878f9ded97"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>611b1577ba976f76fc01368545bc395c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4db95248-85fc-4ae2-b82a-02a9964f643c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2f5979eaa728550a352c1ffee0b31236</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a11bf49f-f485-4245-bd66-ce583d298dd0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a17bb80ae02c8b003cf69222fa13f506</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-68c9dc95-3c0e-4b9e-b2e4-34b39b9558e3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>02a2d148faba3b6310e7ba81eb62739d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8f0226db-5e50-479b-bdd2-ed876a7eb536"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>24c4ed0a6cc4e9671b72c104977fa215</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4e76fc0c-f5b8-4982-b42d-2cdacc6ef105"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>649d54bc9eef5a60a4b9d8b889fee139</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3916d662-12e4-4e08-9c68-e3567d2882be"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>d802a0c3e0c3dcac43877bd488f2b042</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bad6d471-29bc-4b8a-aacb-7ade3253a3f6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>078f1e2c528f2318b073e871f73efc21</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a31ddb74-c0f2-4aa7-8d58-ab3957f92f61"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7b42b35832855ab4ff37ae9b8fa9e571</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-75598d7a-afd2-4f32-9768-5cb702bf51da"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>37df1896ba54e85ef549ccc1a88d34ab</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3f922f45-81f4-4444-b308-3e0d933ff987"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>22d9466d6aab8410bea006b5d3df8bd0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8e172d1f-6059-4d66-b43b-2c1098394b11"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0d678350f05b274844da5d79fee75324</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-abf69db6-2486-42b2-b4cb-7dd045066953"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1ba6fee7d4e73752b39a09b1396b69f0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-47074f5c-f25c-4c94-9285-7dd8354bce19"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>40ee45b1343406b6f7ad6204f1af7693</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1c0b8e7e-6839-47ad-a247-a55dbefb0ab0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c3dbd79adfa21706f5451cc68331d31e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7d032780-5f9c-4a92-958e-b1bfc6eca02d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e55f7d80d99b6aacb0c8d9ed46856d25</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-6655c7f5-b472-4c7d-bad2-548cf4fa9ec6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c4c638750526e28f68d6d71fd1266bdf</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- File hash observables: MD5 is the only digest type given for each file here; no second hash accompanies it. MD5 is not collision resistant, so a consumer holding the sample would normally record a stronger digest next to it. --> <cybox:Observable id="mandiant:observable-b7db2c18-a757-4e3c-8678-e0703beaf468"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fad92f849e3bbfab211af339eb6a8d66</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-08dd7a96-cfee-4761-94df-5a8c205819de"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c9172b3e83c782bc930c06b628f31fa5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6f2e80e6-7915-423f-8d00-266c3d2d955c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7eedcd6d00b4f08b825b4c134b6d8f1a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- File name observables start here: each holds a bare File_Name with no path, hash or condition attribute. A name on its own also matches unrelated files; NOTE(review): these are presumably combined with other terms by the owning indicator, which is not visible in this part of the file. --> <cybox:Observable id="mandiant:observable-7ebbcc68-a66e-4aa5-b4f5-3c764964f189"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>new.new</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2a53eb16-147e-44d9-b05d-1639874fd1c5"> <cybox:Object> 
<cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>cisvc.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4743d2c9-bb76-4e66-89fe-ee191ba344cb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>cisvc(00).exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9e5cc91d-3f93-49aa-8c5a-4f1587e44fc2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>cisvc(01).exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ee4a1db8-b481-4917-a571-dd42f67ce452"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>cisvc(04).exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7c0bc200-db6e-4f2a-b5a5-05f8f4af74bf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>cisvc(05).exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9346ec75-3e2d-46ae-8ddb-d0cc07000d62"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>cisvc1.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-66e24ed6-8651-407c-9cce-84eed875b4f2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>debugcss.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8a3d2388-fb2a-4729-a558-887cd499d01a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>helpsvc.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-d4e37669-26a0-434c-92db-136716a6ff35"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>iexplore.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-91bab107-f338-4ddf-a27f-30a4c312a6a9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>inetinfo.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d019f76e-8ad0-446c-b9e2-55e8009541fd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>once.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-35ee3e81-018b-4f20-b6c6-cd1d87fc2bc9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>spoolsv.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fe35e708-0ad7-4265-9cfa-1c1a95dfff46"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>spoolsv1.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6dc2762a-2537-43f6-82e0-83aa2c5d4f3b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>spoolsv2.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c54ed757-c625-4793-85f9-cd252d27766a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>spoolsv4.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-64b68c63-4e0f-4554-b2dd-80c69bdadee9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>spoolsv5.exe</FileObj:File_Name> </cybox:Properties> 
</cybox:Object> </cybox:Observable> <!-- File name observables: bare names with no path or hash. adobearm.exe below is also the name of a legitimate Adobe updater binary and the spoolsvN.exe names resemble the Windows print spooler (spoolsv.exe), so a name match alone needs corroboration such as location, digest or signer. --> <cybox:Observable id="mandiant:observable-2a176b0e-a5ff-4ddb-b71d-409ae64f6421"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>spoolsv6.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9af90e26-5f6d-4d28-999b-1ac2e0070daf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>spoolsv7.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9ef8f35e-126b-4a82-9363-18a6c58f7a1c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>adobearm.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- The next two observables are empty placeholders: they declare a WindowsExecutableFileObjectType but carry no properties, because the converter dropped the PE attribute term. They constrain nothing as written; the file's header comment says the source IOC is embedded as a Test_Mechanism, which is where the original condition would have to be read from. --> <cybox:Observable id="mandiant:observable-2f405b26-4ed9-42bb-b2df-0b2f72f84e0a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-520dcdaa-d471-4e30-9357-9f2a2de998b1"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- File size observables: an exact byte count and nothing else. A size by itself matches many unrelated files; NOTE(review): presumably meant to narrow another term of the same IOC, but the composition is not visible here. --> <cybox:Observable id="mandiant:observable-4235e966-ca89-4152-bad5-3ccda3d91b7b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>10233</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-98450866-adce-4de0-a983-9da010d69773"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>34250</FileObj:Size_In_Bytes> 
</cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4fad1b1f-da0f-4fa2-862f-0914d1acda36"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>34304</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9321d1b2-d7d7-4280-82cb-8f509f08061f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>34305</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3e0d5906-dc92-44ff-83c1-a3b5d36a5a23"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>38857</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c88f9908-09d9-4edf-88a1-d145a58dbfce"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>39369</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2086c397-aeb8-49e3-801c-c6cd8f2dffe1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>50688</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ac23a385-168a-4417-866f-6f77bcf54c17"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>9728</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fffcef61-8d62-4087-9547-1646798e6795"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-08-03T08:29:29Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> 
</WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- PE header timestamp observables: Time_Date_Stamp sits under Headers/File_Header and is written in UTC (trailing Z). The value is set at build time and can be rewritten afterwards, so treat a match as supporting evidence rather than proof of identity. --> <cybox:Observable id="mandiant:observable-1da4e5e4-add0-4a14-b068-9226010ba200"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-02-11T03:27:04Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-89a1de8b-8909-40cd-9550-40fede1c34d2"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-07-19T01:55:13Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Imported function observables: one Function_Name per observable, with no library name. The names are written all lowercase (createpipe, not the Win32 spelling CreatePipe), apparently normalised upstream, so comparison against a real import table has to ignore case. Any single import is common to many benign programs and identifies nothing on its own. --> <cybox:Observable id="mandiant:observable-b9821754-15c1-4c1f-ad2e-03b6afb37dad"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>createpipe</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5dded4ed-ee4e-4a14-96e2-c6d88765f6c9"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> 
<WinExecutableFileObj:Function_Name>peeknamedpipe</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6580689b-fa05-42de-b122-b2aabf301ca3"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>sleep</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-88bdff38-0be0-409e-8587-4d96d4493e35"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>getsystemdirectorya</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a2cde4e6-e17b-487a-b6fa-d5d8884b4084"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>loadlibrarya</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> 
</WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6c4ba9bd-abc0-4fb0-b6aa-fb4fa34b8b9f"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>writefile</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-869563a4-10ba-477e-8c13-1c27ec4968c5"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>getlasterror</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-df849d44-e90e-4224-83f8-da506a119fec"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>terminateprocess</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> 
</cybox:Observable> <cybox:Observable id="mandiant:observable-f08e1658-4af5-412e-bf4d-a85a78b00c4b"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>getstartupinfoa</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2da915b4-8247-49d2-a55d-17c548c37675"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>winhttpclosehandle</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-37f1e8c5-9356-4435-8e4e-ae84da188dfc"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>winhttpwritedata</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d663e045-3be0-4140-9ed7-0844c2a47403"> <cybox:Object> <cybox:Properties 
xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>winhttpqueryoption</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-43b83cf6-f932-4d87-81bc-bf4ec5d85887"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8845cb5b4e450cb10a3b6ca41a9b4319</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-088f65aa-e06d-4a8d-892d-31d3db8499b1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3de1bd0f2107198931177b2b23877df4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9055cf95-35e3-4e9c-b628-e30d72704fd2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d5fd1ce9189cd54f157d691e317c0821</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d5d2e783-fa76-4737-a1f3-c26a31779c18"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>15a33f8fe11b94bdd38bff651f6a5cd1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- File name observables: bare names with no path or hash. iexplore.exe is also the file name of the Internet Explorer executable, and GTalk.exe and googlehelp.exe resemble Google product names, so a name match alone is expected to hit benign files and needs a second attribute to confirm. --> <cybox:Observable id="mandiant:observable-b9063d6c-7704-4fbc-bab6-a01b333fe300"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>GTalk.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4476d37f-d9c6-4d6e-9f55-ff026e152fef"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>googlehelp.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bdcb3388-374c-4ac3-abaf-1d4afd7a9173"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>iexplore.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Empty placeholder: a WindowsExecutableFileObjectType with no properties, left where the converter could not translate the PE attribute term. It matches nothing specific; the original condition exists only in the source IOC, which the file's header comment says is embedded as a Test_Mechanism. --> <cybox:Observable id="mandiant:observable-5282e97b-24d0-4152-aabe-80070dfc1b0a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- File size observables: exact byte counts with no other property; weak when evaluated alone. --> <cybox:Observable id="mandiant:observable-d15737cf-e233-47ec-9819-9edd83716ed6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>353792</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9a4ca9de-bc81-446a-ae17-6869eb21c60c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>357888</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-43c2ca55-e3fe-43ec-a950-d610a5b293a0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> 
<FileObj:Size_In_Bytes>529004</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a787a4bc-d945-459d-8ab3-efea1265359b"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-08-16T09:05:19Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-53751ff0-4533-4698-a1e3-5770b4974adb"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-05-31T08:26:57Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d92978d0-d5b5-4e87-a1c9-19ab6efca287"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-05-28T16:04:29Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f3911ad0-8cb2-4edf-beab-95be9455af49"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4ab62c8e525bee410cd4b6cfeea7d221</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-4a41070b-8762-4792-82b1-9b4f8db0f06a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c4f144febf16ff8f36df15353d5347ce</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2ea1ff18-ac07-4243-87b2-7c82ef783c8d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2c9c691e15a48b20dbead0a6d6bf0300</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-93d11fa9-9587-4590-b1e8-aebfb5070176"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b8277cce81e0a372bc35d33a0c9483c2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f968c97e-7999-458d-afc2-4e928e39984d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fbde5068f85ce0aac2e9ff387b5f8c06</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-185da798-290c-435c-8994-43a7645a575b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a2cd1189860b9ba214421aab86ecbc8a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5fe0deb5-bbab-4b83-80da-7a63d92a2e25"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a7f17c75519fb8a39d37c47617202b05</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-51655287-cc79-4448-b203-6b61fcaefa13"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>af2f7b070245c90bd2a0a0845314173a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1f71c3a6-dde2-439d-932a-855e91b438a0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d8315c114107b7418c32f85e263766b7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-70ddfe18-a63c-4235-83e1-6b7c9a5d3e38"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>33e9ccd45ef133b2c100d5a4f50635d5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d26c88a1-3b1e-4f19-a9f4-ad16b50dca0e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>438401c9ae36e9ed1bf4f410ae116484</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d9fef6a6-d8ad-4bad-acfa-7bc1f49c5d73"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f65eee78ac150924cd37c7f1f3c96518</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-012ba2a6-2b89-4de3-bcb6-7b7c34e7bbee"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>71536d2e95420c55412c12dffea1a0a6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-73eb05bb-beb0-4586-af65-56e3e3e41581"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d271ae0f4e9230af3b61eafe7f671fde</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bdf5bfa6-bd90-4bbb-876e-4a48308c5ca5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b43266a047b2895399f4883cfe37c089</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c59164e3-4b60-45bc-bf6f-7f80313389ab"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>270d42f292105951ee81e4085ea45054</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-62fc2294-a87f-41d3-94d6-bebc5a2e8c40"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>87efe3671ef8f1eca57f2d8f7e4711d9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3e02f3e0-d53f-4317-b860-a81caf177ffa"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d4c7f1f80883412f9796f1270accff50</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0fb0253e-2883-4895-b750-25fbbedcf275"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>523f56515221161579ee6090c962e5b1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1dfcc05d-4ced-4f92-b7ee-9c61c247d73c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f07ac0b4301fccbae233a44e07a2a634</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-35bdb3f9-ff19-4ac6-b4c1-b7d814c865ec"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>effa99ea879e5be518f242d5820be070</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4f8cfd20-98c9-4ee7-a5d5-02e401584dc7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f172ff6b65140f342e6ee51966ea3c4c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5afa6c58-2164-42d0-9f1a-261d94f5fadd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a639f598d4c0b9aa7a4691d05f27d977</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3e0db3ce-eb78-4bb8-90df-10a9951bba96"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0496e3b17cf40c45f495188a368c203a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-eed26f95-dfad-49ed-95a8-8946da5e956b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>215df0c319b98dad4f202849b097f8b2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f93bd770-64d5-4d98-8c5e-51ceba961fe5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>02c65973b6018f5d473d701b3e7508b2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-df0abe73-e39c-4729-b6de-07eaf809a06e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>10a68e08c514d3b69296b0eb557d822c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7917cbeb-d4e2-4400-aa6f-97354ce65c12"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>933b11bc4799f8d9f65466fb2e3ea659</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a033aebf-5941-48c3-8246-aae43646a24b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ef6c375e3e6930e2b50e1e97fe6fbcc9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0cbbad3d-7e46-4131-a7cb-0015403d8ec8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>3f33c0dab564c35485fd227d97b98443</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-71f7afbc-5d7a-40fd-8814-5afb5ebe1fb9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>815a89041dea3e56348f8f5c8b7d1457</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b76f0180-171b-4289-975d-0b297c611b01"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fe5ba680a96757ff232d4bad9c0db2b8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8b65e6cf-c8f9-41cd-86ff-63486bdd2fff"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b5a430a0696b5b25ae6b4fa5cbfe3333</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-77ee611b-ab46-4f0e-92cf-264f18642f06"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1fad25d4fef631f8ec3115e0944e4621</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e3de49af-00d9-4b94-ac5f-98f75ab97e78"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>99a29ccea951a950040f3944abafed40</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fbec69a0-1f16-43f2-979f-0c1d8b0d4754"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>baabd9b76bff84ed27fd432cfc6df241</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f8a291a0-e468-4f0a-91c1-ec6ad5f09ae3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c6a29993234488fcbdcf45668eac9c47</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dc175233-c223-4aa9-bb4a-894b3446ca06"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a4ad7335aa391519cc5fc9140f2562f2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fad82e90-a9d0-4fcb-b01e-a5dddae5b4c2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3d328395d0cefc67e2909774125196b1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-664459b1-7ccc-49a6-92a2-b092bdb9405c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2c49f47c98203b110799ab622265f4ef</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-64667921-3dda-4be3-99ca-6aba304f39af"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-15bb1783-edfb-430f-b63b-b8665a6f258d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d90d60e4-87cf-48c7-bdfd-b77bba56c16c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1f119b4a-52d3-4f96-8887-26f21242494f"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4134706e-76f2-4c67-b48a-af500ad938ad"> <cybox:Object> <cybox:Properties 
xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): the WindowsExecutableFileObjectType observables around this point contain only the commented-out PE_Attributes placeholder, so they carry no property to match on; the converter dropped that part of the IOC. Do not treat them as matchable patterns on their own. The file header states that the original OpenIOC is embedded as a Test_Mechanism; presumably that is the authoritative definition for these terms (confirm). --><cybox:Observable id="mandiant:observable-1a88042e-a9a4-4583-9232-d4b95e5c2b3d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3b01a8db-9f22-41e7-ae85-52d54e798df8"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-368d660c-f57d-424c-bf05-ef09ece30753"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- File_Name observables start here. Each one tests a bare file name with no path, hash or size attached in the same Object, and several of the names in this run are generic. NOTE(review): presumably an Observable_Composition elsewhere in the file combines each name with stronger terms; confirm before alerting on a name alone. --><cybox:Observable id="mandiant:observable-ed5b1f55-5489-4287-adc0-f9b46eda97a6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>NETF0.EXE</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6945b6e7-0eef-4309-a0cf-4a92d542dffe"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>net5034.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d9ccf118-d55f-4783-9103-f76b6e4fcec4"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>net5024.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-354ea984-7522-4960-a761-b309d326b200"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>JpgCommand.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0eaf9915-dad4-4b8f-bf86-dc0bcec7a33a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>Post.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7c72475f-d056-4fe3-ab73-101611d9e050"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>update.bin</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f753149f-e72e-4051-8be1-1d48ff7b0985"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>smartnav.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2814c58c-f469-42d4-ab8f-5782b6e843ee"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>WinInstall.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4b2bbb39-4382-49f4-9fcb-40ad17fcd3d2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>index2.bin</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-317492f7-6198-4017-a686-f536529c7da2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>setup.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-74afe37d-2e69-4269-a1a9-3cdb502e3a4e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>updater.jpg</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7c02e0a1-28db-4aba-8d8f-2a9d8fe1db0c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>update.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-83603ffd-0fe3-442f-80a9-189d05cc883f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>shift_proxy.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d268af83-9f7c-43a2-b67e-031bfc677e06"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>Post.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-990f92be-e5e8-4228-9f30-f008d16bf0f0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>Get.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-80a87446-3744-4fc9-94c2-c0ff8927a146"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>NOD32.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b1e96379-f0ad-4eed-bbf0-4e411ea27185"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>shift.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-af0d3664-4b72-4db6-91e9-ceccb5fe5f76"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this 
portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ad4a59b2-f8b5-459c-85aa-71f4367fc442"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c618866f-3719-4d77-9b7e-eee12e3caa8e"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5d0aebb9-3281-4b02-a25d-d997c3bb3aae"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>12800</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a018b42e-25cc-4604-bb73-b2e9419ecf8c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>12801</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-32d2da10-ca33-4a29-9a24-6c4158d94605"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>13068</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-71d80966-1323-4030-b34b-13d82973bb0f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes condition="InclusiveBetween">13312##comma##14336</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-428c2847-6378-45db-88bc-005927e9ab57"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes condition="InclusiveBetween">21177##comma##21198</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Size_In_Bytes observables: an exact size, or an inclusive range when condition="InclusiveBetween", in which case the lower and upper bound are separated by the ##comma## list delimiter. A size test alone matches unrelated files of the same length. NOTE(review): presumably these are combined with other terms by an Observable_Composition elsewhere in the file; confirm. --><cybox:Observable id="mandiant:observable-07144b84-b05c-4608-a484-cf2886e88181"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>21504</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-58e4af5c-9583-4fee-994a-5dc18cb1aec5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>27648</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-839b8651-a985-4816-b8bb-ad30d57400af"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>28672</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-34015cfb-ae38-4697-be62-bc016557ee06"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>94208</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Time_Date_Stamp observables start here: the value sits under Headers/File_Header of a Windows executable object and is given in UTC (trailing Z). The PE header timestamp is written at build time and can be changed afterwards, so treat a match as supporting evidence to be read together with the other terms of the same indicator. --><cybox:Observable id="mandiant:observable-b4555884-e09f-49d0-b6fc-f63c16711a03"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-04-12T09:14:38Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-76ad1132-f79d-408f-8390-939ed7982c66"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> 
<WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-07-25T03:44:04Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d02a4d17-ec99-4300-9d2d-c9aa333b1d3b"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-12-21T01:39:02Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-098ede67-d96a-406f-923f-c6977813832c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-08-23T02:17:20Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-37d0769a-5dcf-4609-8afb-90595f39d77b"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-10-27T08:43:39Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c5f80571-4e93-4053-9ac8-a25776622693"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> 
<WinExecutableFileObj:Time_Date_Stamp>2011-06-14T12:37:41Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-df4d6419-524c-4b89-8218-0b7c495b4305"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-06-20T12:49:04Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-73837ae9-5393-437d-947a-a4d4a17bf964"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-08-01T06:48:36Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-151873b9-8598-442d-b96c-799dfb497cad"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp condition="InclusiveBetween">2011-08-05T07:10:09Z##comma##2011-08-05T07:14:55Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f85062a7-3934-4d0c-86b6-bd5032fc11dc"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> 
<WinExecutableFileObj:Time_Date_Stamp>2011-08-06T08:22:03Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1868f15b-146f-4c7f-858a-53dbcc900133"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-08-09T09:22:09Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d1b9483a-c326-4949-8044-c7c39c4b6cfe"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-10-10T01:28:55Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-857dc5fe-24f5-4b0d-9c38-69e28ea5fef9"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-10-18T00:58:17Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b41f646e-1781-43ed-9ff6-54e72acf50d5"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp 
condition="InclusiveBetween">2011-11-21T12:36:14Z##comma##2011-11-21T12:36:14Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-88e7ee9c-16ab-4fbe-ae99-357017dae33a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-02-08T14:53:36Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d5920dff-f203-4c72-9031-748b433e909a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-02-16T14:13:15Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b2aa045b-1b4e-4d8f-9d85-6b79e37fdd92"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-02-20T14:27:02Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2240b2b1-60d1-433c-8553-2ba4fbd5234a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-02-22T12:41:37Z</WinExecutableFileObj:Time_Date_Stamp> 
</WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-328f45ed-58bd-4475-872f-59223c705fe9"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp condition="InclusiveBetween">2012-03-02T06:26:31Z##comma##2012-03-02T08:45:11Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-56ba3bad-7aa7-4f3b-96c9-c4e59a64d1d2"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-03-13T02:21:54Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-67ca1d0e-4554-4b30-938d-01bde2e478a0"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-04-11T15:43:07Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-903f9f1b-4f53-4677-a457-0fa90cde0cfa"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp condition="InclusiveBetween">2012-04-17T08:27:25Z##comma##2012-04-17T09:32:54Z</WinExecutableFileObj:Time_Date_Stamp> 
</WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ff68ae15-306d-4e5d-a7fc-880f42b2382f"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-04-24T08:24:45Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-977f8b7c-7770-4e13-94b4-34b1e5543989"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-05-29T07:38:21Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dab1b4a0-46f5-4170-9d03-202dc2f4d5ad"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fa65191b-3f33-4f9d-b338-abeec6467f30"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-50d28e11-daca-401f-b06c-cf97e79ac644"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path 
condition="Contains">\temp\</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): the File_Path test that closes just before this point (condition="Contains", value \temp\) and the File_Name values that follow (temp.tmp, photo.jpg, display.asp, backsangho.jpg) are each a separate Observable with a single property. A temp directory path and names such as temp.tmp or photo.jpg also occur on clean systems; presumably an Observable_Composition elsewhere in the file combines them with stronger terms. Confirm before alerting on any one of them alone. --><cybox:Observable id="mandiant:observable-c67ffe5f-bb76-4e0e-b597-a6f135c62e44"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>temp.tmp</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-99590a09-5285-46fd-834c-f7849726fe7e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>photo.jpg</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-da1079ca-df4a-441b-948e-1a573f676689"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>display.asp</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-087e6bd3-a429-4779-b688-4e32e6d74a48"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>backsangho.jpg</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- File hash observables start here. MD5 is the only hash Type given, and no condition attribute is set on the hash value. A hash comparison identifies byte-identical copies of a sample only; a rebuilt or repacked variant will not match, so an empty result does not rule the family out. --><cybox:Observable id="mandiant:observable-0bd6f414-d5af-4a85-bf84-377abb903c21"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1c7538951b21d93ef7ecf3fa94ae5c5e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e7257d4c-a18c-4e83-be75-b40a7b739d19"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>052ec04866e4a67f31845d656531830d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-5e7f8377-891e-4d53-aa40-9d662477d567"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>016da6ee744b16656a2ba3107c7a4a29</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-df2cea97-90d2-426f-930b-b783f49ee095"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b47e5d095be9fd61016817359f6c2887</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b73ed629-7f0a-4ed2-8ade-38f2c4061dd4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2af105519133baaee57c9ade00543de2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6de65dff-bc02-406e-8776-e70e287dd597"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>83b3711c32d28a87b173e7e5aba5f826</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7a2f2582-73a8-4a06-b52b-c589bedda1ad"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e6ff0431a9a9028808efc582405ea7df</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f384c66b-37ac-4acf-8d72-55b04dd6a9c0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>79841c13f645118a600d19def3642d1a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7fd10ee3-26ec-414e-b4b4-878f91436912"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bee9b7835a02973678e9ead683da1ac4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b2e13e8b-952f-4a59-be04-dfdf5eca3f8c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3cda17269c246a2e3bfcda6fa02fceb8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b9f05433-78c0-4082-ab10-3a78b7ab2a5d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>16e53c619803d0068611bb6d448d1d49</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-976eb5ba-0810-4afd-a3c1-2a04d8e9c2c4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>2156942db0293565c9420c1e254a2c32</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ca570199-0523-4f49-bfb4-a7be03752326"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>001dd76872d80801692ff942308c64e6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6a9a8058-7045-4722-9d07-c778f29691c2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f02abd537e481109142b6170933d1b3d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-82c4f0c2-0ab2-456a-852b-48a768aa9dee"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>002325a0a67fded0381b5648d7fe9b8e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d108d2a2-e41f-42ac-aa6e-42b23cc74e93"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7f398b00546c3a0946cd6142c308a556</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-22b11880-c237-480f-ae52-917a7ed55566"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ef0a6c79f99a537f932a5e64999972b3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d171f8b5-21c0-4c5c-a3bc-cbe127692c0d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>86b68ad2e9c33eadf134285ea142ccc2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9ab45d6b-565e-4b64-b93f-b23e687937ae"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2f930d92dc5ebc9d53ad2a2b451ebf65</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ea867aab-ee81-42aa-a6f2-2b7515972a4b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>68d2fd5049e70942d164e4e25d13dd8e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4e840329-9123-4119-9ce0-1fca6fa7c3c4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8a86df3d382bfd1e4c4165f4cacfdff8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-5dbc4c91-60d8-42d8-b1e7-b107c6fd80a4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>99a7e4a01b813b9b26ba76bf0b484742</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-66cd7040-0c0d-4d63-8b74-b6f9b948e1ee"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>55886d571c2a57984ea9659b57e1c63a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-17bae05f-e5e9-47f2-b1f9-9d6cce455b19"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3e87051b1dc3463f378c7e1fe398dc7d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): File_Name observables follow, each holding only a name. Several of the names are also used by legitimate software (reader_sl.exe and adobearm.exe by Adobe Reader components, inetinfo.exe by IIS, setup.exe by many installers), so a name match needs corroboration such as path, hash or signer before it is treated as a detection. The + in http1+.exe through http6+.exe is carried over from the source IOC; whether it is a literal character or was meant as a pattern cannot be told from this file (TODO confirm against the OpenIOC Test_Mechanism). --> <cybox:Observable id="mandiant:observable-6fc8e033-46f5-4457-b09c-72ef013d8d01"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>reader_sl.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-330d109e-d67d-400c-8782-d419d8c8fdea"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>httpmm.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cdc14485-a104-416a-a6e9-b5a0053b4e14"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>adobearm.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> 
<cybox:Observable id="mandiant:observable-432017a3-cf8e-46c7-9c2b-9abd9347aaa4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>http1+.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5c4f91ef-b91f-4214-b8e3-d0093dc1d713"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>http2+.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-47462879-ba51-4c06-b184-ac6f24fde5a7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>http3+.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f780ed3e-99a5-42a6-b87e-34239a9e9f98"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>http4+.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-085bdd85-79a6-442b-982e-728cec1f0edb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>http5+.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9788ddbd-d0f6-4775-b4dd-2b0824f23aef"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>http6+.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d6d47b03-1b98-4da1-8947-ec1b39571d67"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>inetinfo.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cad6845d-48ab-4dba-80c1-11a4d24287fc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>setup.exe</FileObj:File_Name> 
</cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9cf44dd1-bc08-4ce1-9c3f-5cf36d2e9554"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>setupaa.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ee53f8a8-b073-4a23-ac53-5a2bcc248c2b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>http1.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): the next two observables are empty placeholders: only the xsi:type remains because the converter did not translate the PE_Attributes test. They constrain nothing beyond the object type, so do not evaluate them on their own; how a consumer treats a property-less observable varies (confirm with your tooling). --> <cybox:Observable id="mandiant:observable-13944004-8d57-46a8-9095-7f3627028bb2"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b79b4e26-9906-47b1-97e8-7851dd4ca153"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): Size_In_Bytes observables follow, each holding only a file size. A size value matches many unrelated files, so it is useful only together with the other terms of its indicator; that grouping is defined outside this excerpt. --> <cybox:Observable id="mandiant:observable-04f95431-b14d-43c2-a469-76ec2dfca5d2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>26085</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5ce072f5-455d-4457-9a55-e43f796b05c8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>26112</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4c60995e-0101-422c-aa6a-442bd4c72274"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> 
<FileObj:Size_In_Bytes>26624</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f23cad9e-d703-48cd-bdf4-6c4c51587d1b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>32734</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-efd2b400-30a3-44e4-b9c6-e998bf1bd7d1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>32768</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8791f0d6-eb97-4dbc-bd90-bacff1692af4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>33792</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-58428dae-3ddf-45b1-b9d6-191fbf15386e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>33829</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-77056ecd-8481-41ba-8a52-f6ebbb2f4672"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-10-19T08:15:54Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-18fa2007-837a-4d7f-a497-4726d84e5e63"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-10-20T03:05:15Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> 
</WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e95325be-a318-46f2-a3f3-3666164bd40d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-11-02T08:35:56Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d3ae8857-2edd-4c7b-b030-97e02aff3d93"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-11-04T06:07:11Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fc57d943-b0a7-414e-aff4-06c3dc1dca8a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-11-01T02:43:26Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): the process-handle test is emitted as two separate observables: the first constrains only the handle Type (Mutant, the Windows object name for a mutex) and the second only the handle Name (letusgohtppmmv2.0.0.1). Evaluated alone, the type-only observable matches any process that holds a mutex, so detection content should require both on the same handle. Whether the indicator composition ties them together cannot be seen in this excerpt. --> <cybox:Observable id="mandiant:observable-9a29dd0d-ad67-42eb-9e3f-d2e7e485099f"> <cybox:Object> <cybox:Properties xsi:type="WinProcessObj:WindowsProcessObjectType"> <WinProcessObj:Handle_List> <WinHandleObj:Handle> <WinHandleObj:Type>Mutant</WinHandleObj:Type> </WinHandleObj:Handle> </WinProcessObj:Handle_List> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a91296f4-e0e0-454d-8fae-a8a55a77e457"> <cybox:Object> <cybox:Properties 
xsi:type="WinProcessObj:WindowsProcessObjectType"> <WinProcessObj:Handle_List> <WinHandleObj:Handle> <WinHandleObj:Name>letusgohtppmmv2.0.0.1</WinHandleObj:Name> </WinHandleObj:Handle> </WinProcessObj:Handle_List> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-79abb1a5-bbf6-43af-8467-532f71c6dd87"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>73a63c21a08b0ad2c69999e448f8e6a1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-04e77da2-5b8a-412b-a399-f469ec0e04b6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a4903f7c293993069f865468bd7cec78</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-00351da5-c885-484e-bc72-aad44ed08e51"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0c28ad34f90950bc784339ec9f50d288</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7bd94800-81f8-4dfa-b249-03d98b0b9606"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e6c25f9994b723d39c785ddfd38a31b8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-33c801e0-2c42-4dd8-b596-2db00964a928"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6ab7fa8e5fb63b8d0723387d0a1ffe6d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-59522153-7522-482b-8bb6-010211a6737a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>989b797c2a63fbfc8e1c6e8a8ccd6204</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0b06b091-69d3-4914-a234-bdf613539c68"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0cad42671e5771574df44a23b3634f32</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-db9d2702-a55a-406e-9d02-46afead92b6e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>57326cd78a56d26e349bbd4bcc5b9fa2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f17fffc0-839f-4ad1-8d74-0db32124b8e6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>543e03cc5872e9ed870b2d64363f518b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-81a255ee-0927-4ad9-9fba-9aab5e6cd76f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>db2580f5675f04716481b24bb7af468e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5849c3c1-d099-4733-b03e-8c56711194d0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>687a58dcbc076b04bef4ec6050310fb5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f08759f3-d4cc-4309-a7e2-8c6fdbbce80b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>609d917a7f0c526b0d8091c8191da376</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2ccebfa9-1eaa-460e-9341-8a96a2ff7a2b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f9a46d5024c05a827912a89ca270c553</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f547229b-7a04-431e-b56b-09ac98678697"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>a311516cdf06d3db4f49e67da5213ebe</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7215d193-972f-444c-aa18-a61daabc04a6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f3611c5c793f521f7ff2a69c22d4174e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c1343674-dd87-49a0-a4a3-a27d0818dc18"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c21591aa72ac72872f5bd05bbca5e4da</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b7c91545-2a05-4b62-b1dd-1fb71e82ab89"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3e72fd40e47e232496b303734f1b2b11</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e3b2626b-c7d3-4a44-a824-6bf850243237"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>321d75c9990408db812e5a248a74f8c8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ff943c0a-9e58-4386-ad14-34015d84e415"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>126976</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): the observables in this run each hold a single weak property: a file size, or further on a PE header Time_Date_Stamp. Neither is distinctive alone (many files share a size, and the PE timestamp can be set freely when a binary is built), so use them only together with the other terms of their indicator; that grouping is defined outside this excerpt. --> <cybox:Observable id="mandiant:observable-1440d9e1-ac2b-4070-9c52-18c09764e9e5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>131072</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3439977d-e115-4d8f-b132-0ad1d43a03f9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>151552</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-710c48a6-5469-4bd4-92eb-e42e88513684"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>152064</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7141fe94-297a-4e1b-84ae-27750d6ca75f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>167936</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-084208aa-67d9-4c4f-94b6-f6473e2d2145"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>64000</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c0e76f51-65b3-4674-8f40-0e9f3c0aad5e"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-06-03T08:09:58Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8e459a03-786e-43e3-855b-e20e6335e26b"> 
<cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-07-18T03:10:56Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-925a2eca-69c1-4ffb-b40f-2cacb6b7a5cb"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-10-12T01:58:10Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-82dd6cbd-30f3-4cea-a8c9-740a546241d4"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-11-16T15:07:45Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b3633486-591f-4efb-b237-0e4fb02ad91c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-11-22T01:15:22Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e63613fd-a9a1-4a98-ad5a-fdc220e0441f"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> 
<WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-03-12T01:34:56Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fabb74b2-60b0-41d4-a5c0-36352424c0e5"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-03-13T03:47:57Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a6b24c9d-1a03-45af-914b-6acf27687c54"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-03-14T14:29:00Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-01537a75-9e1b-40ca-8f89-9c86be215732"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-04-17T07:24:52Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-351316b2-0c9e-4f14-8378-2c501708d770"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> 
<WinExecutableFileObj:Time_Date_Stamp>2012-06-19T07:21:24Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0c587488-54ba-4632-842b-61bf5f1312af"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-06-11T12:37:20Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): File_Name observables follow, each holding only a name. Some are identical to names of legitimate binaries (services.exe is the Windows Service Control Manager, acrord32.exe is Adobe Reader) and others are generic (update.exe, data.exe, google.exe), so a name match needs corroboration such as full path, hash or signer. windows.exe appears in two observables with different ids, presumably from separate source IOCs; de-duplicate by value if these are loaded into a watchlist. --> <cybox:Observable id="mandiant:observable-afa38bcf-b80a-47ee-9c0a-2fdf6dba7f9e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>acrod32.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1a17e869-fc4d-41da-b236-9dbcb88d6ff2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>updata.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7e48992d-2ff8-4f80-9889-8f35073af141"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>windows.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5a7e8dc6-f0af-4758-850b-0df033d97e1a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>acrord32.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0c04da43-6de5-4333-a254-8242134172c5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>204.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-6023b32f-45a6-47ea-ac7c-fbffd35f6e80"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>windows.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2935559c-5d93-4b38-9e37-4e5f2b6286f9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>update.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dfcc4c5d-2f42-41c4-9f23-47761e3b131b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>googlee.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0d4c14c4-1429-4ccd-a920-2b2a0d1e41f2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>codeguru.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3eb5f738-d087-4dc5-8163-8223166aa1ca"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>google.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7eb89e1e-6d8b-44e7-97ac-5506f6011ac9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>66.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f3ad0de3-9089-49e6-8089-e5833e066c20"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>services.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4ffae2b5-e390-4300-93f7-34c5fcc55faf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>data.exe</FileObj:File_Name> </cybox:Properties> 
</cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f080431e-deb2-48f1-8daf-cc3fb38f2808"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> <!-- Review note: because the PE_Attributes test was not converted, this observable has no properties to match on. The original condition is only available in the OpenIOC definition, which the file header says is attached to each indicator as a Test_Mechanism. --> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: registry key pattern (substring match). The path resembles the "load" logon autostart value kept under ...\Windows NT\CurrentVersion\Windows, but lacks the Windows component; verify against the source IOC before using it for detection. The Hive value "Software" is not a root-key name such as HKEY_LOCAL_MACHINE and looks carried over from the OpenIOC source, so a consumer may need to map it (TODO confirm). Registry paths are case-insensitive on Windows, so compare without regard to case. --> <cybox:Observable id="mandiant:observable-59a60655-c1e2-449d-b3bd-42a445a7e6bd"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key condition="Contains">Microsoft\Windows Nt\CurrentVersion\load</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>Software</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: the following observables match executable names inside registry value data (substring match) and name no key of their own; presumably the enclosing indicator evaluates them together with a key pattern (TODO confirm). --> <cybox:Observable id="mandiant:observable-3a115c77-5a93-4252-bdd7-5c6d15a72786"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">windows.exe</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-245a22dc-f856-4b97-85a0-7429e8b5fd48"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">acrord32.exe</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-abb701e7-f05a-40b0-8fdd-4b5ffa109252"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">winword.exe</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> 
</cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-66bf87e0-dc35-49ae-9dad-4a9eab4d8e7c"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">google.exe</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8aa681bc-f5be-489b-b449-203212e81e58"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">204.exe</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-07122710-2023-41d4-8dff-a5948c54bb07"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">acrod32.exe</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: the file-hash observables that follow give MD5 only. An MD5 match identifies one exact byte sequence, so a recompiled or repacked sample will not match, and MD5 is not collision-resistant; where the matching file is available, record a SHA-256 of it as well. --> <cybox:Observable id="mandiant:observable-267cf04a-b1ea-4756-90ca-442de0f74be9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>995442f722cc037885335340fc297ea0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dfe18b38-c8d3-45d6-8542-28d37227eb3d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>8489dc2c1291aa717b8ce81d5bf90892</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: the path pattern below is a substring match, so it matches updatasched.exe inside any directory named temp, whatever the parent path. --> <cybox:Observable id="mandiant:observable-edadff3c-51cd-447f-8ca0-24abec5e8d88"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">\temp\updatasched.exe</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dfc0f5ed-e8f0-469a-81c1-86514e485600"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> <!-- Review note: because the PE_Attributes test was not converted, this observable has no properties to match on. The original condition is only available in the OpenIOC definition, which the file header says is attached to each indicator as a Test_Mechanism. --> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: the next two observables match a PE Time_Date_Stamp and a file size of 19456 bytes as separate observables. Neither value is distinctive by itself (the timestamp can be set arbitrarily at build time); they are only useful combined with the other properties, as defined by the enclosing indicator, which is outside this excerpt. --> <cybox:Observable id="mandiant:observable-0f8190de-760a-430e-b46e-10ac3f60e2c9"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-01-29T22:52:49Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3af82cfc-5792-4879-bc4b-69cac7e8a0fa"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>19456</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6aec48e0-76df-497c-ace5-477f7db586c9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>Lssavp32.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a937d71f-de57-406b-a918-7a2d732bb11b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> 
<FileObj:File_Name>WinverSSL.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: this key pattern is the Windows Firewall standard-profile list of authorized applications; an entry there exempts a program from the firewall, so the Data patterns that follow are presumably looked for among those entries (TODO confirm against the enclosing indicator). The Hive value "Services" is not a root-key name such as HKEY_LOCAL_MACHINE and looks carried over from the OpenIOC source, so a consumer may need to map it (TODO confirm). --> <cybox:Observable id="mandiant:observable-45c9f5f6-edfa-4800-adf7-c05a70430c2f"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key condition="Contains">SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>Services</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): the registry pattern below is lssap32.exe, while the File_Name observable earlier in this run is Lssavp32.exe (extra "v"). This file does not show which spelling is intended; check the source IOC. Case also differs between WinverSSL.exe and winverssl.exe, so compare without regard to case. --> <cybox:Observable id="mandiant:observable-168d2376-1ff6-42b9-9718-08aa6bce57c8"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">lssap32.exe</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-28e9d169-d549-4d1f-b23d-7ca36febe76b"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">winverssl.exe</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: the file-hash observables that follow give MD5 only. An MD5 match identifies one exact byte sequence, so a recompiled or repacked sample will not match, and MD5 is not collision-resistant; where the matching file is available, record a SHA-256 of it as well. --> <cybox:Observable id="mandiant:observable-05651fe8-64d2-47b5-a874-3e78e7918917"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>23e371b816bab10cd9cfc4a46154022c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-103cfa65-fa42-41f0-96c8-0ddc0cbdafa7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> 
<cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a810ab506857c933df2bea40ae0eb548</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2277e6c7-48dd-49b0-a53b-53951f85421d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f802b6e448c054c9c16b97ff85646825</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6896db08-5da6-40ba-9245-2a2a61354db8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2f5979eaa728550a352c1ffee0b31236</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6093b5cd-f834-4716-946a-747ebcdbe33a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>24c4ed0a6cc4e9671b72c104977fa215</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3b8f989c-920f-47a6-984e-93806bba70cc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>973f4a238d6d19bdc7b42977b07b9cef</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-18ed243e-cac8-4a2d-b507-b5363a2ecc24"> <cybox:Object> 
<cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a565682d8a13a5719977223e0d9c7aa4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7fc17be6-604f-4b4f-afb6-f4c6880377cd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7f398b00546c3a0946cd6142c308a556</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0397d8b8-47de-4cb2-864a-599325b84582"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>496f04719a365f9718919002eff5748b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e5d8c061-332a-4269-b47a-e0115b71bca8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5cd578614afb50b925008b68b3accdb9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-81db5dfe-ca08-4323-ba33-29d97a4219ce"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>079028d315d039da0ffec2728b2c9ef6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> 
<cybox:Observable id="mandiant:observable-116c0cc0-aaac-46be-927b-5d19de4b3b98"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8725870a43192cb0176c82012996910a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b99065f7-605d-427f-85b0-3b448510d7e3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ccfb7a84bb87cc8f86ddd260ad38ed5b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5c27487c-532e-45ec-bd2e-e535ae07ed67"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0f23d5b93c30681655d8a4258b8de129</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a33e7133-7c6c-437a-9583-8ee69782fded"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9d5aabcda9106132d1e1b6cf6cae28aa</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-370861b5-15a4-4a19-bf7a-bb9616af3a77"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7f26403f8e59a5f2728af2d3e0efaabb</cyboxCommon:Simple_Hash_Value> 
</cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f46f394f-9ccd-4edf-b5a2-c8d4a95b2688"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>70e2827ab4af1a38dc09a02fa95b82fe</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9f53293c-3309-4f71-948c-e3cc1c143548"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>dff4d874b2bfc64a4d1805959c379074</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-97dec2ec-a86e-4f4d-8255-e9bdb1a1db29"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8a7764ded8467bd0fd0c30adc2acc1d4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bede4de9-36e7-4c4e-99a2-3b1a7a07e19c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7eedcd6d00b4f08b825b4c134b6d8f1a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-525c226b-b43f-4441-881a-87389b32bde2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>ec8c89aa5e521572c74e2dd02a4daf78</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bce5d153-cfdc-418d-9fe8-df23e0c3e9b5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7b42b35832855ab4ff37ae9b8fa9e571</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-98cdc7cb-1025-4ccc-8e08-cd0527be057d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6b3d19cc86d82b06f5db3ae9d5ba8a5f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4b05928f-343e-4617-9b25-706e1cfc09e3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cd6c1dbf08d8864b382678284ef13358</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f02a9717-96f7-4748-a287-ad56d96c9617"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9ad292de00b2175a80b5909fa173cdcd</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-26006d09-1a1f-4d35-9a18-21785ad5c5dc"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d2c616bf238fc18f9ea0a1643bd2d4bc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bf5f8836-b3b8-4775-8de1-23b62b36c079"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6570163cd34454b3d1476c134d44b9d9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e345f9da-ffd5-46ea-82bd-0682a69c8b99"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1f92ff8711716ca795fbd81c477e45f5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ccb64070-590a-4b86-967d-87379102b7a5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2272791cadf422ce02a117a3a857f84e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-49c429e4-c709-4830-b312-5d0bb0c8ad97"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7a670d13d4d014169c4080328b8feb86</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-3bc28d73-633a-43c4-875c-c2cb7551ba44"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b145e4d19f5ecfaad45c795aee69c8dc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e8649b93-b7d3-4602-ab29-22443412e013"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>22d9466d6aab8410bea006b5d3df8bd0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dad60ab8-b908-4f3c-b4b6-e748eb0af215"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>611b1577ba976f76fc01368545bc395c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-440f5cbd-e265-4729-8a03-d31f4949bbee"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>078f1e2c528f2318b073e871f73efc21</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f5cec6df-5f6d-42a3-aa32-1b3cf57a2f4d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3f34e41d8ea034e6246ef6426bc91336</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-69442a84-08eb-472d-84cb-d78aa05511d2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f8892c6dacbf7ac756abb361e48bbc82</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d7441823-0ef0-44c2-8350-d1456c41847f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f904ea9bc8e2d7ce13a6007183da5957</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e6b7c876-636c-490c-b507-72fa142405c8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>20e2c8c7a98ddd4c16f6e878194c1e78</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c39e7b9f-08bc-4a3a-adec-7c8704385d01"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3d573866620eae070a220be89e113f69</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f79746e0-651d-4559-90f1-cbc0120a32ff"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>70c10f8b4dcd01b07be6cfb4df0d3348</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-275ec552-99da-4afd-9bbe-dbd8dd279990"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f7f85d7f628ce62d1d8f7b39d8940472</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9bf46e24-9fe4-4efc-9fa5-72ea44503571"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ba773e1608198cf8337c5902d7930710</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3056cb61-e438-4cbf-ba68-bff7077a5652"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0149b7bd7218aab4e257d28469fddb0d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-63a99629-9927-429a-84ef-0f4e2a3b1367"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>065e63afdfa539727f63af7530b22d2f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ba0d89bb-cef0-4bd7-a4ec-8d28e683e220"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>56c26b175ae23d90244805a6ec347e42</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3ca10b1b-5286-42d3-8d5a-74e658bdfb9b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5bac505fdc202e1c6507ef381a881ed1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-545f8c89-f07a-4273-afe0-ae939c34801e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6e9bedcf80f21171adb951a0d85d2adb</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5ba1ef54-b240-4048-81e5-3bf13c725f69"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b1912db011633d98bc40ac568a4167a7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3a423788-f71e-484c-abed-7c00670bfdba"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4e1a92036a577a87a6fa36168d192c4b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-881822be-3dc1-403a-af0e-07376032fa5f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>831a67dc75e2d4505180888747bc8ea9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-404e40f9-107a-4dad-8dc2-0dc64f141b24"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>668b92feb7cbcc7ac75ff97dcec28d10</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5819d156-9b7a-4d9c-a67c-d6290182d27c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>57cbf78c226265cc1e61ad86779bf906</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6def3e89-8836-4a8c-ba46-2285da79863f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2156942db0293565c9420c1e254a2c32</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5261246b-3eb6-4516-9681-7d5b0c1ce8f9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cd677f9ede43b4b86b421db249c0e020</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-38c036dd-c7e8-4035-b29e-00af763e2ae6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>22aa55134d621672e93c6de928c8b122</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b52a9718-e8e5-4cb0-a837-a37289ea5d9f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ec82a53f44511ac09e916bde02cddef0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cef3482b-70b5-4d5b-a9f2-6a42fc5b975f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2762fb36161086f7ef3f33232aa790dc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bb22d9c5-efa2-452a-baee-0cf6faf0dcce"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fc9d20d555a88fc827f3a2bfec4dfa36</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8ca56c7a-0b17-4be8-8848-8eba311bc883"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>ca68ccc887cfe5d2194f6a4d3101ae66</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c3852e5f-f117-4b98-b404-f3df59bf70eb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4aa61b2c1e376b0cc10c877b22bd9aec</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e24a0c6b-e6bd-4d4a-807e-ed444756f35e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7d0efb2480834a6a80210b7342d51154</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d93d3e6b-8e75-4066-ad27-4ab3c8ddc366"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b743f6af7e307221ba425d6023ebe42c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-04d2b17b-0de9-4e52-be72-0370587a1e10"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>86a906db5686bbf487689937d15bf71a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b316fe53-7c0d-4ce4-b425-6595d5ab17c7"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>dc373f011e86d5528ca4824bb287c406</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1ad0f0bd-5b9c-483a-ae66-08106e1403af"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8f4863b4dfb52d8362c031d3720a6d97</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-326ffec2-dc36-4878-b9e2-5e9e84386b57"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>abe6ab89f957f6edf8f41b5ad198e5e6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-96e47165-509c-49a0-ae31-14a52698d1d9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9f11bc08af048c5c3a110e567082fe0b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5a178b25-59fd-4177-8f57-48f7d497d24a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1aea4d24f3bd2c51288ad643fc66e0d2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-23042542-a9a7-4aeb-b961-fd30b9f087da"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3fc26910f9c31bd9ba3ccb09132d9ca3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0f2cf480-7862-4df6-a1b8-a7dfb8e52da5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c3e5603a38e700274d1ab30ce93d08b9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-359593a1-2f92-4e19-9ae6-baa0029e6398"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3f8682ab074a097ebbaadbf26dfff560</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-add1cad1-09f7-4557-bd37-30fc1b8c7d8a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1b7eed9d2438b494197e95fe57114f9b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e91938e3-5fd9-4db3-8168-799fa6f2d1ba"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0ff48a336655869a74611236e6e2d249</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2bb6ca2f-11a8-43c8-81a6-76b822424088"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0d678350f05b274844da5d79fee75324</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e01a57c5-4648-42a0-a93d-c9371a880da2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e55f7d80d99b6aacb0c8d9ed46856d25</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-85d70fe6-c617-4e6b-a322-52c61fdb9fe5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>91deceb64c795927c6ea07f695f67334</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e86f7f6d-382c-413c-ad3c-d788d6c3def4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f113e1c754679164b0e137449b7631cc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c671e8b1-5cb9-47dc-b5b4-70605a357be5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>c30c7fa2eb06fc8c9ebbe955abe26edd</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4cb4ee77-cc29-4f5c-bcb1-ea831ba89413"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8e1ec7e556b8c6612b6c34e310c50b66</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-359b1769-35f5-44fe-93fb-88cb8524a50e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ab208f0b517ba9850f1551c9555b5313</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0026de5f-5b36-4f6e-9930-1ec7ebede534"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0ff20d023d6b54661d66fb3ce09afe3c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-398ba8ea-cf1c-4598-a1f6-6780370d5ceb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3e6ed3ee47bce9946e2541332cb34c69</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e60f9259-80ef-4ec7-bcff-f9c34a78bdc2"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c9172b3e83c782bc930c06b628f31fa5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9132c73d-3ea0-468e-9f23-3cfc63d34e4b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>88c7c50cd4130561d57a1d3b82c5b953</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-19a43f99-f9e5-4186-913b-3250064505c0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>40ee45b1343406b6f7ad6204f1af7693</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d0e4c8ff-6425-4f6d-8d89-40fe33d249dd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>052ec04866e4a67f31845d656531830d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-31c11f44-44bf-47d9-8257-71a9e103c43d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8442ae37b91f279a9f06de4c60b286a3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-bc07cc72-4752-43b3-8541-24eb6f9f7653"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1f2eb7b090018d975e6d9b40868c94ca</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9eb5e05e-70b8-473c-8f59-b52a58b0dda9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>411d770b2939e968c692dbdd3116e179</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6d0d4fc3-a1aa-40b6-bb1a-1815879bc7ea"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>62a35021454e17f4a913e577d7ecd22f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-794fa688-9801-4524-bb96-e702aa916617"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ec8aa67b05407c01094184c33d2b5a44</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-797c48e1-5c0b-425a-afc2-7f1830c06e1b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c1bd23ece59e36143d80f7eec0e38c52</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-86e1d024-8f84-4e9f-9c1c-5e7decddfaaf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b07322743778b5868475dbe66eedac4f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d2337907-5f47-40a0-b52f-5d764b6dbf49"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9ea3c16194ce354c244c1b74c46cd92e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1098380e-281b-4e66-be75-c614cc97ea40"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3b1b190407b868406c5c155a79f3d146</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-44686d0b-7211-4e71-866a-aa8006fe12d2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fade2270a6c7cb47893ac600a9a0509f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-abf4682a-d32d-4ae8-85be-97ae4e3728f0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>2479a9a50308cb72fcd5e4e18ef06468</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-54faec0a-b2a7-4ea7-93ff-f3644eb1d8fb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b36168ea438520875c621f5603db003f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-982e8250-4a6a-40c9-9264-324a62f3f41d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0df42947e167cd006b176d305c08d57e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c20a79fe-4ccd-410a-ad6f-0aa6e7339a08"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9ecf9d5d8872fe55ab120265c3749ffc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-541ffaec-8c22-4e82-9446-24b49d3599ce"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6461ea41f179e660c40ed65aee1a4a2d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1e4b6646-b454-4d33-be79-03246949326a"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2244c60f4c1dc285c259f3ac5bf88ff8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-06d294e5-8e21-4987-a717-c078fef58614"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>82390e18379710df84d48881a1c1d0ed</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d70f3afa-092f-4198-a97c-e60eeaa920e9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1809c3cc93332d7bc0799238519a2938</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-da7098e0-928c-47ad-acdf-a5e0b31a2b9e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>35008d12dfa47447112495f430e4aefe</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d53a3508-d5bb-4210-bbc0-3a0189d4b976"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e4a9b8993e55e3d0ba355b13d1f27a2e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-63dbd09a-2167-4f2c-a4eb-a59a5eb42fb1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a9993969be3ea340d420eea5868c0d1d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-23372f15-d5d9-484a-a8b5-48f8a71cae9a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c110f08399c5dca64d7dc4539eb82083</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d347c5aa-8573-45e9-b317-4cd48fb33309"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cb3a9d7505be48019e242fbccc7e5f6b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bb6a7d86-ccdc-49ad-a300-233466090cb3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>46a86e3c12d5025aa78c7ddf46717c38</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6ea1dc10-cf21-4bc9-9936-517e0372a2e9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>52cb7fed85bd7ff6797fbc70105a09fe</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0eacc6b9-d3db-4732-bdea-c00c11c89584"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>80bca9f272152280a462f84f1588c0cc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fc004b7b-ba76-4764-9f3d-d3aaa1b51487"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>693f711d8fab66a3efca98a19a733d56</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-77baa40c-7ddb-4101-9b7b-46fd979b1a8f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5fa50476240c9c59cb72b345751434ce</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4ef42795-799a-4a7b-aef5-8b942034c6c6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>522d32a505f78f09303e689999a3e461</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-48a2a6d8-1393-4c20-be66-15b03dd4ca94"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>497f07f54a4c29fe3be1a15f4516e32d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3711ab1f-5879-4e86-8796-0226d7e9523e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5e33a9835bced338cb1959c347ac6798</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e8570a77-faaa-4422-a627-30707bf45c36"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b3defdbd173738d44137f88a571647e1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-54c18359-178d-4321-9479-b5037e24cc53"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6faa4740f99408d4d2dddd0b09bbdefd</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-35fa316a-2915-4435-aaeb-65717957bd6f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d9fbf759f527af373e34673dc3aca462</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1e2529c8-c4c7-4a1e-86d7-630842f293b1"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bfcae0468de0c7bcf92e9989589082f1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8dd5d3da-e922-4e58-83f5-66116f9d0551"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>456d298649a7ec31a7250ed9312ebbaf</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-31d84c6d-d613-42e9-b1a6-72e6aaa78e94"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>da5ff7927d608d7ccc7495939d457bd3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c5ea82b0-a991-4bc1-a2bf-061887d35b35"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9548e5ed4fbacd0ed4a9d6a27f5d8fec</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9bd9ac90-53d3-437f-910c-af0e0b1e1ec5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f3b54c188185ee0921848b3a6ad4751e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-de49ae7e-db99-49ac-843d-4ec54d875b82"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cfc6112254a69030521d0d2bba152d4d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4599bf78-645b-468f-96cd-5822961ae9aa"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b7dba6184f07b1e824362a2307d91ae2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2f723b94-d7a1-469a-b792-21a110150d8c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a360b16c19ab9dea6763f777257c5f38</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1afa4b6c-0cbe-4a7a-93df-d33eac738ee7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3d0c1dc5ac55f6d0e6b7fabfeb5158f5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-116d1a83-dfba-4e64-8c7b-c9048baa50f1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1ae2dadd85cd97452bb26b2c901d0890</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6ff86f5e-3538-41c6-93e2-c3aa0760592a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1ce4605e771a04e375e0d1083f183e8e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ddefd762-9036-479f-bfe9-d9c5fb85f982"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>56de2854ef64d869b5df7af5e4effe3e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1deaf030-e074-4e3a-a788-45ae75a6e669"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>225e33508861984dd2a774760bfdfc52</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-51e62682-fd26-4ba9-8882-7585c5a8c359"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c2fa9f567fd34fb14fee6a38b6644ff9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9873610d-551a-418d-855e-7710fcd64e3e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>ad8cde8841208ff226e04e8514dc699c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3d56b7e9-ff8f-4318-aded-27ed8a7e763e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>29c691978af80dc23c4df96b5f6076bb</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-54fbc385-ac96-45ca-9024-236bfc4945a7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0285bd1fbdd70fd5165260a490564ac8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-759928a9-9c42-4538-a7cd-172fcef91c1f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>034374db2d35cf9da6558f54cec8a455</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f6b20d5f-888e-4b43-9cbd-605cc65d6f62"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>04e83832146034f9797d2e8145413daa</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1c9fb5fb-99d1-4f4b-ada3-11057790d1e8"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>04f481d6710ac5d68d0eacac2600a041</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-11eda4af-d518-4728-aeb9-486c7cd2fedf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0501bb10d646b29cab7d17a8407010d9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-26941fc7-5dd5-4e01-93df-4e51e0e2f04f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>05552a77620933dd80f1e176736f8fe7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-aca6b530-4ad9-4d02-818e-9f6e64f6459b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>05cc052686fbdf25fb610c1fe120195f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8f9ef431-47f8-4c5b-a25e-20ea93fa1d64"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c94e22e285422ac541cfabebc9db1a5f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-89fc07df-7c17-4c79-a831-f297fb1e2a87"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>df5c89d49ef8997c9b5abd8f808298c8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2e81bf63-45b0-4c8d-9ec9-f169a087a0ca"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>494fca685834f3158d133f6b09cbb507</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a8eb1230-6797-4cf7-b823-163672a2b370"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f8437e44748d2c3fcf84019766f4e6dc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a3dbe6c2-b51d-4207-a311-9e5a955bd833"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a316d5aeca269ca865077e7fff356e7d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a818911e-297b-4324-aa6f-ac21ec319516"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>00f24328b282b28bc39960d55603e380</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a9086d69-1179-4517-b822-eb84b1658942"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>85c4081a97255ac7ca7d0d5554e86ec1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0e7d60c6-e783-466d-8594-57c7b0848074"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5a032c13942a46c5ae015f53d9ce138a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c402b511-6782-40a1-a179-2e72b63c9b82"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3d6fe3928f2f5ce41622f3f958b894a0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-da9072af-52c2-4305-a16c-e0db04c5d054"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ea3155748f9788b741b6799691250579</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-12c520fe-2240-4383-9502-338e690862be"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>a14e8df8bc55f7459d24fe526f51a16d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5bb7a36f-9773-4ae3-913a-64feb2e8072b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2dd892986b2249b5214639ecc8ac0223</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-694be730-bf53-4f24-ae76-063d44d84eb2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>35b9f05cf70017cc485af87660109dc8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-891409e0-b48b-4378-8135-5f2db3d67cbf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>785003a405bc7a4ebcbb21ddb757bf3f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1dd4e157-834b-4f9e-9d33-806646b95a90"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7a2eba5ca6f9b2cec61c5cc55dfca762</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0d8f5c5b-5401-44cb-b795-20965c8e0706"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d20f0fbd001fd30610c3317fd3c6f7c0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-92428cd7-19a5-4cfb-a526-0d04495d950f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>61e0da42d5d084af24d31fbcef4ff409</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a214cabc-6e30-4abb-b8b0-fbc37daf2658"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ab445da3ee4e81a84d644476f669d35c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cd07b272-58ed-4b34-9b23-66c9a6c35410"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>08d7679a9c806a2f7d2be26fe9b425ee</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ba98e853-f69f-44b1-848b-0628b0cc6b02"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>650a6fca433ee243391e4b4c11f09438</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-12b470cd-652e-4a54-8ed3-cdfd2a9627c8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>34cebbb4d35a66a7a7fb1ce857c195c9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-016b517b-d8a2-47d2-926f-1837ca649be1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7be6c90facbfe9ecf470fb27e6673fbc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5d7e66e4-e185-4a2c-a85f-4883e059ba4b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c0a33a1b472a8c16123fd696a5ce5ebb</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5fc3446a-a934-4c80-87f6-8005cdd9afaf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cc0b9bf4ea738d63f06bfe411460412b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ba698614-a29d-4fad-9a80-e31494c728ff"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8b75bcbff174c25a0161f30758509a44</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-effe17e2-3650-4f8d-84b8-b82bb331cf88"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>89a2802e2f2356ce6a757f833c3ba3ef</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-741d2a1e-37cd-4450-bb15-96513fd642b6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>eb61cedc9793226a66e4611e6ea25d7f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3e5ad28e-5bfa-4bb7-851f-42d14ccea030"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d1a18c7de189170c588e7128ec3f8453</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ba856a40-0074-41c1-819f-3cfbbca29a46"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ae1dda87cc5998de79ecb68527bbd191</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4d84aaf2-0cfa-45b9-9b1b-b1f1ed00221e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>125ebbc6f0c957ee994fcef1431a93f4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a4dfc9ad-d778-4574-ad9d-035765b9510b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e65db662e449cab03a6c1ac51af41360</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f2b6c13d-c933-41fe-b5e0-76b0245b5b59"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2ba0d0083976a5c1e3315413cdcffcd2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9e57ab75-f804-4c5f-bece-fe6d56a8db5e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>30b3b17eab05ecffaa055b5091aa66f9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4d1bdd42-d9ec-459e-8e8f-2a8057b84d5c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>19fc27aeb48b3ce8d00eb2e76dfe2837</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d13b55ac-b75c-4505-a7f2-1b57b56d6b06"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2080f463388aebe6deb7edf11c01f7ff</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-db8fef14-2efd-423f-8189-cc3d2152851c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>531a3b0acd95f55c3a7418d31f741357</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-45a74b7f-786e-4381-9d14-63c1d6c1a84b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f38e76417c0f87322d55062428283e58</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-61279900-2d22-456b-b146-3f5f25c5897e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>caf33d1e15953c0e782846e1709498f6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b5e5baf1-f5b5-4c57-9aeb-28ac618ed7ab"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7af399ff99109a9501da73337c0bdf4b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-23508af8-104d-401c-8390-5c241bea9bf4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fa11cb78f53db2d2718d536d4bd20b85</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f42a0f08-4705-4ba4-893c-feee956ba888"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>42462d31a2e5b1e4602a1a4d39abeca9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-52484842-5bfa-4ae6-938f-f34bb535ac70"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>99a39866a657a10949fcb6d634bb30d5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-28660aaf-40fc-4d95-b857-377940895049"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d4c7f1f80883412f9796f1270accff50</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-92f22fb9-d3d1-4341-b9f6-a7187f680788"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>65018cd542145a3792ba09985734c12a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-10265b2b-45f8-4173-ba5e-f7d0bfe8d3fa"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>dc059121677ec7a038589cda28cbcc49</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-74672d8b-dd58-45f9-9aea-6d4c31fb944c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a4143ade719c2222d8602819a3e212ae</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ee50608f-9ab2-40e1-ae16-964c37e970c4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3e12ffa5ad676a41754e2cc59e980e57</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d5ed1516-1969-4ac2-b5d1-331110658ef2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>420deefd91db5e177b46e4134441a35e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-99e5c689-7f37-4aff-a45f-c617e6b4a066"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>09531f851ef74a7238685fd287a395bd</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c5bcdeb1-e953-4d4e-a703-608fd6cdff4a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ca6fe7a1315af5afeac2961460a80569</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e04d55cb-4f79-4b61-8325-69996f9062e1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6576c196385407b0f7f4b1b537d88983</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-940679c4-ec10-4eb5-9d21-20b12654b772"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>07fe9f901fb4f14e16fb5d114a92b0fc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-29c98e79-163d-49ff-bbcb-3158835d45b6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>08084604344b5ed11c2612795b2d3608</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c282d42f-e81b-48cd-85fd-111d8a0a3099"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>09d372e4259980ac95fdadf1846578d9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bdf28114-09ec-4b88-99e6-26a7e199b3f3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d802a0c3e0c3dcac43877bd488f2b042</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3c38aa4c-e87a-4e2b-8a35-c6e78ffec8e7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a17bb80ae02c8b003cf69222fa13f506</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3f462f7c-f56e-46fb-b242-9ae949f66a6a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>45aa4177bb42eb3ded5edf397a4aaded</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d61d7c99-eec5-485a-be51-bd82a6991134"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0b680e7bd5c0501d5dd73164122a7faf</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-824b99b0-6b88-419a-89ec-e218123bfcb4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>edb4faeee6542572aff2ec1b6affbd28</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3c65469b-0378-4e57-b6d5-a43eec2c7b69"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2640cb47de607a8276c26e8a27f1150b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fd76a869-3acd-4e5e-a4b9-26cead229768"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ea7309fa59e9347a0715f164edf6b200</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5981123c-be20-4852-bd80-53887bd6e1d0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>02a2d148faba3b6310e7ba81eb62739d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b3ba2153-dd85-498f-84cb-fce518db3d76"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>37df1896ba54e85ef549ccc1a88d34ab</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-01c0595d-90ae-4973-b1bb-f7a5bf4cc987"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2af105519133baaee57c9ade00543de2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-72e103af-aa68-4a48-8deb-d7982a113a2e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0ca6e2ad69826c8e3287fc8576112814</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d1b2d48b-66f3-45ce-bf59-8ff8dfee1aa5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0cf8259502d178a099ab2852e2bddbe1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ddff18bd-d45c-4066-a5e6-ee509c1f8ae4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2a214ce037f5f6bb01ddc453f0265d92</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1ba25759-0637-4361-a2e6-e00f96108434"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>0e84132e5ad04351b644b8d8743fc4d3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-15ec4e35-97de-4317-80ca-e29ab5690ea0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8412a3e37499f8289faf54546824ab61</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c65de21f-c921-4ad6-8543-672db0ee4ad7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0fed203f3df6a82c9124f24aa3d9d75d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cdc07416-dda9-4ee6-961d-eb395d8aa546"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>106338ad223b84fbc2528a55e3e22302</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ee7ba12a-de8b-4acb-a11c-f594d78a4a34"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>10a38dd9598cc31efe664cfaa8f37bf1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b8771f22-f1d2-4463-ae74-88d73877ef19"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>10bb5a8ae053e335fe047cf38db95452</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c5f09ac4-1660-4b6f-8937-33777c039842"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>11d350127ff1e9ecd665c34326475584</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d01ff7bb-1c9d-4f2d-a2e3-93a2ae7c74a8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>11dbecc954bf8a89d59407a992889cfd</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-104d1ce8-162c-455b-9b95-c9f6018ea13e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1224527e295380dce1ac9953c850ce97</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ccd58757-ad49-4dc4-b512-11eca443e3be"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>129c6cd9d2aa895cf6fa137fa1d3a188</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-138cc173-f5bb-4c34-afae-990053f4cffd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>12a410d82a1fc9a8c18b350872e0d465</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-db75116b-1bf3-413e-a21c-ccf4688b7ff5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>12f25ce81596aeb19e75cc7ef08f3a38</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1bdaae9c-3cb8-4e09-a694-f3afa52df863"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>13f0b56c28995e4efc8da784ad862853</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6b1dc651-19bc-4ad1-9e1b-74c5ce9cbc98"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4227f2872817cfc74d134ee9f3d06d14</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-83e1f85b-23fd-425e-93d9-bbc2c37c400e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>753ec12f61c2f7c9a5763c9063a16106</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-93bf23a9-e338-4ecf-8388-06126c4d3cd8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>62bee50b480f6a6aa427a00464baf376</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-aa6dea2a-9056-479f-88ef-b0a3cbeaa455"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ec3a2197ca6b63ee1454d99a6ae145ab</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4a0ce12a-e900-4c4d-99d6-4b122731c360"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>268eef019bf65b2987e945afaf29643f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-df910c86-06cf-44ea-8185-8c0c96e81f8b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6e442c5ef460bee4c9457c6bf7a132d6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-abb7dbc2-f22e-4952-acf5-618febc53f4f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>a40e20ff8b991308f508239625f275d8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-30af6eea-cea6-4f14-b744-bf9a8f703f1a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bcbdef1678049378be04719ed29078d2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a372d9ff-4aaf-41d1-ba44-c6d033f505da"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4749f6336eb86b5fa7029661f88ded20</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bce74167-9b44-4df0-a39f-3a3c7277e83e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f2693de8b687c20aca98bfc1c5aa5b38</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cabd44e6-983a-4bca-a6fa-4c61fa033bdb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1fff3f96f53c5bbdd39eb2351f12549d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0193b5d9-b3bc-4900-a590-862b975a239f"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9c03ab63a45d29aee90b72ae89f2f613</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6879a73c-c49b-4413-892c-499134f0114d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f7c63592ffb87b81ce45c89d207e9403</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d85d6ef0-4773-43a3-8e85-0216654f565f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>adb62105427567ddc11124fc27921c40</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-502db973-1af6-4bbb-a851-466c92105d2c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3a3e4bca1197e4abab03340ea97d718d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8be65eaf-2d7c-4e62-9bfa-17d9fd775ee8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ea34b72cbeb07aaac2398704c3ca6b0f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-4c462c80-0f77-4007-8f2d-a1f78c2afc81"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f0d2ad2002557a86ecc780bf938b6dfd</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-563bf0ce-e0ee-4340-b484-33ddf3f83eb5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>56a5d0575c0c712deb16f465ac888a65</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-746cc7d0-76e2-43c5-ae3d-ff6620621228"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f445b22897a27ac5852ee19589bea8c2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6b11ff12-d96c-4ae8-a2be-9fb5c59fa698"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>57f98d16ac439a11012860f88db21831</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f0677089-a8c4-467c-bfb5-5b3b07babdd2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a2cd1189860b9ba214421aab86ecbc8a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-477c3d89-6041-4b2e-997d-f61a4a31c005"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>effa99ea879e5be518f242d5820be070</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c41366a8-2659-4319-bc47-09b215b7e8a4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bdc5e16aec2c3796fb879a5c260d6ca9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6b875024-ebe6-4ea9-8708-2ed280651413"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7704ad9e8e0e3d75075e4c294f698d53</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b4dcbe3f-63e6-42d5-b10e-3f2f3c999e8a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bf80dbf969b73790253f683cd723fd71</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-976581b3-2c09-4da6-86cf-1b5546901bd6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>5a728cb9ce56763dccb32b5298d0f050</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-aa4a91e8-493d-4b0c-9c99-af4ef5336a8f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8c6ece2ade2bfad3171c925baa64af50</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c9215163-4611-4905-9288-4f7d732d3f55"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e24e889e826df04f552e0d133548b693</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a4195997-7509-4b3f-b824-1d650217b5d2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>76bf44d7734ec8581e846a9f3005aed4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bb93c805-8268-467a-b4a2-64f40dfc1e23"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>839c8c06c4d81f523078b0d45d8250ff</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-671043a6-7b1f-414f-983e-03352d8f30e0"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b3848edbabfbce246a9faf5466e743bf</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cd95c08b-d8bd-4889-b4f5-b189aa7fb825"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9206ae65b685dc7ea1cf1ec02606de6c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a6c4ff07-6162-431c-ab3f-be5f8bab5c8c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c116f5f89e24c7de3ea9cae83b7fc829</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e944fb78-bb15-4294-9480-17256f077d78"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>abff707cb54a6e5a9fcbb3fef74dbddc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-64fdc9f8-7608-42db-9087-621fee4f55d0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2b732257d8d9f09560fdcb7d84d430ca</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-9ef95b84-db32-4ede-9140-656d6fb14e29"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d41c6005a75a6d28480d63f540d36c70</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dda930ae-86cf-4a57-85c3-2d7020e3fb9b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>41bb847963a8fce70ad21e70dd786107</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-851205be-9d18-44dc-8873-d3852894368d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6ebbfa603aa4e90148ad0b726806c359</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2625b006-e1bd-4f59-902e-9b9a9012424e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9e30b1665077b7e65bc8ff1e7c752306</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-15a688c1-a8f7-4656-9d3d-e7b7a677e85d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0fbdc6e3f79063a4773d4872fa1f15d1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f2bfc2f7-7b56-496e-9d9e-b33a5eb0e257"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>eef80511aa490b2168ed4c9fa5eafef0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5552cf1b-0cb8-486e-9f40-3ab0205d45eb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c53332a5bf112f03ed22b06d85140626</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-011db5d9-e228-43d5-ae55-bc81bf98311c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7cb055ac3acbf53e07e20b65ec9126a1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2d52025c-6954-41ac-8350-aa7574771ccc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d74b169e98dd16d0f3af0dc770dffac0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2f375642-db88-42fc-8394-00f58e27aa90"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>71173ad2bc7b39342b1bdaadeaaa0d8a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f5c8c285-db9b-43c3-bcdb-44030d13e7bb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>55bd26326db3d512b6bd9f75d6671819</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-aee33872-838c-48a9-9a65-87ea320d3ba0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4e3ddb5c27e45ee0e6dcc02e87b0abb5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1dd90fa1-59f7-4561-a9a3-7cc8653488ee"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b0d4fbcc0c65c7d5ef7e1c4309c719cb</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2a628575-8096-4a5c-bfce-ab3e3f6bff20"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e4be1e46775081b1d5405b3dd7dd1c64</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ecc5e067-1ae0-413c-82f0-1a2faf521d06"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ba0c4d3dbf07d407211b5828405a9b91</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3f36b356-9c91-43aa-b829-96aa877064af"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8e8622c393d7e832d39e620ead5d3b49</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-58ae957b-fd63-4a25-912d-a8c1de6b6da8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>18e5ef23b634344321b2b3f5fa80a598</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-107c4f67-380f-4346-8cff-12ff38beff29"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4d21cc82e4031e1d6bb15541827b9e67</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3b90b833-c8d7-4ac5-bf2d-8f8c1e9e6393"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ff085d421518772ce2df75282363279f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-2153595f-b315-4b51-b5f9-362545a09116"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fae6eaf695af058af4b8dfee0709bf51</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fa8b9841-e5a7-4a62-b963-cd2a010423c4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2c78d8bb5912d8174042f81197d9b449</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a91a6c5d-2f12-439c-a4ca-7a815a8af6f4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>28e64dfeab48030bc532ae4ace2c9e4c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9f90a5ae-3d83-412a-926f-9e6286f39ada"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>47e7f92419eb4b98ff4124c3ca11b738</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7d0cf1f1-d405-4899-8d4c-eedb4294619c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fe8ff84a23feb673a59d8571575fee0b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-235f4d5f-ac14-43bd-b339-2c10a1cba74c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1b36190794516da078decaff881d9864</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-406bf6b6-5f28-4a0b-9d53-7965c71e90aa"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cc17fe9f2d254ad28d050bf5c1df983d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2856378e-1bc8-4803-8f38-d0a71c514b8a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>dbdd2a9c86e71ba0c9953ff4f89cc25b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2e71e0ab-9698-4ea2-af45-3298d113d4ee"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>77382bb7fd431211b32d84d4de74b043</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ad323f66-7ce8-4e19-8be7-0512f116d904"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>d751c7f7d2eab52c43ab31312e229307</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a3f38876-8b2e-41f4-ad4a-a888d8765396"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c2a79bb15a31fd6584d9bf0891673d14</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-232f108f-4dd7-4125-a359-42b8211bda79"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>33d974011c4b047bf9874a71ba261a11</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0e1c72b5-3b5f-413a-a09f-8b10c427da94"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a28ee614e3d783a7561cf8a5a469959f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f8bf4f08-aa74-401c-b7cd-64258bcf842a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cd2102c5db1ed828a9c196448c40af3e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e3c8c1c0-41f6-4e16-b84a-20d5a3704c68"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a039a61e4c274811b0388aa517d29fbb</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-67832c9b-400f-4ef7-a937-c095bf005930"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f4f8067d501bfef385274912d2a833b5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ec09392d-30ec-499a-8d51-3740c3bb8977"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>351afebaf03ef12e6ad1b412612d0c53</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-995c2b05-2ff3-4d72-9191-468685bc4083"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fab7c555a511f4d4e318817455bbb75a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3bf8ddd5-ea93-4583-8315-6e7f541c0f25"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c7b48b6965642b504f6f36933762df8a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-e1a3765f-07f0-452a-8c85-2a8f695d233e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>da383cc098a5ea8fbb87643611e4bfb6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4c582b32-dd15-4846-bfd0-10849ea84b96"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>76f6c7301dbf0219eae991d65804292a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8eaf6266-a888-44aa-8e99-2a5996800de6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>15901ddbccc5e9e0579fc5b42f754fe8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-64d6efd1-9d30-43e5-b19d-5a566fe24e33"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9d8a7970be7826d29732817c0cc84bde</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ea553c08-c6b6-44d5-bc56-551272a5f02d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>acb99e5318f7001298df1aef51a9463e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b30a0d82-77ba-402d-b7ee-57bf5fcd3210"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>da60673b4f2a4660d2734a16a832282f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2340c5fe-d2a9-4f76-9e7c-6e311434ecd1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1ca3ca9ec20474d07fc798f2b41e2625</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-742493b6-9811-45db-98af-ec037cb8bec8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1fb4ce2e56ced51ddf1edff8ed15c21b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-266ccf83-4261-4cd1-94b2-c708e3cde982"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2198fea94bb79b001fcfd3e03b269001</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-43394133-3171-4225-bf3f-4e54f5aa09cc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>bf0ee4367ea32f8e3b911c304258e439</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a6782aed-077b-46c2-b353-b0bdac060e1c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>966db6a32ccf7e57394706abc3999189</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d5df9e4a-240a-4167-afcf-77904047b580"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6846ad52c9208830ceaf4cfd81402015</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d594ae76-2ea7-4e97-9c12-6c6fec436714"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c8d2b7f92fff545b3b19e9b1e1057071</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-988e9f00-1ca2-46dc-827b-c941b7b064c7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6e8f302794cfaae731840e345063e652</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-22f5e5ee-a879-418c-8a93-68431d0820be"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ef349196b0ffef5a02d30413c8dffc7c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-23aa48b5-3860-4878-a577-e999f54db61b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>80856bd8ef7d5dbc3dc774f581855549</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-22b46407-6ff7-48e0-8fec-36198765d91c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f65eee78ac150924cd37c7f1f3c96518</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0dcfeba9-56b4-42ac-bc6e-9afe16141c14"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>76ba06bac23a2c445cb982bf38b82199</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b815e8d1-0ee2-4487-9c10-b5fd3790901c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0829207a8400e2814990f79fbdfe7f4d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-4cc76b8d-04e8-4b1a-9e6e-ef766724ffab"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e22f2e9ee73ab8b12ee5069f7e39a615</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b2e338dc-bbb1-44ed-9e59-2731e237986f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7aef47f9fd84669976c4b152910a6328</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1ef89454-374e-412c-b0a7-6a6fda1c28d1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7ab86c938b960dfc0c4ffbadd4163666</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e5f8c37b-65b1-4de2-aeed-149c90738052"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2fccaa39533de02490b1c6395878dd79</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6c17777c-cf7c-47da-ae7f-7a68a33a3b52"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b3bc979d8de3be09728c5de1a0297c4b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c39109a7-484f-4e82-9ee6-54407551d4dc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>270d42f292105951ee81e4085ea45054</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d29a1aa7-d719-4494-8ccf-fd52ae9a6bce"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bebbbc50a561681f48d174d6b7c2824e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-67f0c320-9f3b-4db4-a480-97284a4f3697"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d52f35c4c9dbda4c94164291df8a2724</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7d01965d-d4fa-41a6-a085-93c853927b70"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5c4806b5859b35a3df03763e9c7ecbf6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b6679020-8901-43e3-8178-444bc67df5c3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>5e17055c51724b0b89ff036d02f5208a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-adc011ca-4091-43a8-8f9d-f7de0a482878"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ad3cccbe9ddff04b670d353b938f5da9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1864f777-bdb1-4fb8-bc4d-7c02e6b05c40"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>88b5f635ac9031bcdeda1f751952f966</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bbfaa6be-5d52-4e50-921c-6cf6ba19feea"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5aeaa53340a281074fcb539967438e3f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7320ff60-0357-4ec4-8039-12a6c15ef11f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7bfeb0eaa1c51513e60bc0abafb1be9f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1237a856-97ed-4f3a-8247-66021139e0ce"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c044715c2626ab515f6c85a21c47c7dd</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ac58fd01-8142-45a5-9e80-7193362ea4c0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>07c4032f24ae44614676fbdfe539afe0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6e58b715-3ccb-439c-b52d-3e05e9628add"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>341f5e7215826d07ada1ed2b96264c0d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-01e68200-32c9-4ede-ab08-dadb78622d43"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7c82cd17b0fa420f09f97e060621ed7b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c6a2a34d-c377-432b-ba6a-17c24b8fba9e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>39e28f48c138dc156d1436fd02222e45</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-8f9353f9-5455-49a8-a2c8-ab82fb50e13a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e65c0b3f4dd2f3c9f728077ed1e48f7e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b9f49549-e2d5-4a57-9cee-31dc460c6d61"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>91f538c08b9dee1bb0c6b6c82f727c5d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-39bcba25-04ef-4085-8f25-7fa4fb851af4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9e511dc5ad8a884f4416e68c54f742e1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b5069f8e-f98f-4023-a8fd-c9f8e22ecce0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>55f60194833efcbc8ac16bd0a1cced1a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-075f433d-0494-43ba-b728-988d8258f8c9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c763e041c8e85c195ade90e120338be7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6a2bd203-34ac-44b4-afd9-1a36b3ccecf6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6fdec862951e8b128cd7a07b2031eef6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a7bc9f0d-56cb-4563-bc1b-e140e602cf72"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>471005f73280264c48f769e1c21fbcc1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d99875e3-2e4f-4cd0-87a1-b9c01bffb319"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2fae9efa753d3d821e1efdbc1335b966</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d6d97470-7ba3-45d1-a47d-cec22a5e7127"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>435991e0c67f0c0b4504355b6d4493f0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-abba48fe-9d40-44b2-9c45-f104a23aad96"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>8913ac72cdb8afd98bd8446896e1595a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5c2d0406-23b4-4e7c-aac5-2005bbf24476"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7253de652a025b2b4fa7b02e97a1ee6b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0af3a04c-ec24-477d-a66c-bb4294c8c04c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9df30198f52b16925db1e3da61cfc754</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c289bfec-8828-4e95-8ab8-76826afbd6a5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d776379bda9fdf695d6a54db8a5b4c72</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-86212698-a237-41d2-8f60-4c2dcf0b5504"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a70aaf335f7f1a04c7fe194602b11c14</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fcdccb0a-c867-4f14-ba94-c1a2e21da423"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ba10b9486043f76bb9e9a160bc1d2576</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3ceeb576-730b-46c7-978d-a14c53d8eecf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>648ce1c45927b24563dd8361a1b74311</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e38947bf-8ad0-46eb-902e-6bba805eb1c4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>177e0270f25a901c216ffb2e7a36e5b1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e1d4b562-5eed-4bbc-a46e-5f8601b707d5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3441cbdf8de9472c19b021b241429b22</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-aa61b320-9f15-44db-b258-50c70b1dc9be"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3120fc8630c5252002f26f6e11b09eca</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-4b47e6a7-8ea3-4dd6-b2cb-ae81bc1b34be"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a6725f263daf3e94adc3668751b909d0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ff7ba23f-cbbd-4cb2-b38a-69d537149ede"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ce003a75c85627cbc7e6eb39beff0722</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f256b4cc-da34-47fd-ac26-0a9ea37beeb8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cb15768a3e5c86d22289dcefec56d8a2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e3102e66-7434-42b0-a0c7-a885c0d0c776"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8bf9698c18b2aa23f71444af2571a6ad</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-59f243bc-817f-4d2b-9ca6-c3720e6cd19d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2acfc925e66e1b820a67c4d0f3e6ae8c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-60ebd784-a5d9-4a07-99ca-8c6cfa5cae49"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0c28ad34f90950bc784339ec9f50d288</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d845fd40-b501-4abd-bd5f-8f5489b967fb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>56dff5cdfee293100b59096326fb0daf</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6d5a329b-8eb4-4f9d-9a50-3c9daaa1f6dc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4ad4258b73430fc3e843a2e59d8ee70a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-57874f70-3316-4391-a138-6670cd7199ff"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>51ce169debea41314f591290839fd55f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6c938702-2897-471a-8dcf-bbcba461ddf5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>62c72767508e461cfe94b0c706e6d446</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0873a202-81e5-4558-98fb-2135116c11de"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>88dbcc682635b4013bcba5ad28bb976b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b9e94bd8-3f1b-4fb5-a872-b0b941450091"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>876ee736ebad6917a259456fc3a2f11b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ae13ea96-242a-4257-8b2b-29246951cbeb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>24fefb8b9338e2300308260be19bbaab</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e53f6059-c079-4fb2-a032-aab87404f472"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>769aeae232c6162cedcb6c7255640c4c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-21f21534-d37e-4309-a349-500e5e3b3e76"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>68af7be698e8a7408451c158c04a9712</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-013bfa26-7131-483c-a482-bd7ba4c3f2b2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bcdf8cb0868daaec3ba6176e3e7d3cfc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e3453288-e183-4442-a1ea-9c9fbda12df0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5ba1ed651231be5e7eb9d7b92fe96d64</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-79c61b66-082d-4d30-bafd-3f158fd79bc1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8462a62f13f92c34e4b89a7d13a185ad</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8b27ec1c-e84a-4154-9e8c-83db21293eff"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>580a4c05982accc678a72c366b45815d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-482d80c8-9f63-41c6-a77e-58022b4d72ce"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9a66fa24268d158341d497feecbed889</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c9f2c97a-d563-46fb-936e-3c7a60afa8c6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e43040ede0645a38ea5a35c26192126f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c44845ef-f727-4e3d-8c4c-0912bc197dc8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>db05df0498b59b42a8e493cf3c10c578</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-09c111ba-6d61-478c-bcc1-35895d0f8f55"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>898a8a43c8708961094944fb42c278ab</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bf6662c5-dd5b-4fb0-acfc-b802a2625843"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f1db65d3c48ad5a9d1576aefdca036d1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c9c1844f-52a9-4c31-b146-36a412efa812"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cc3a9a7b026bfe0e55ff219fd6aa7d94</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9ca96c25-f428-4e0b-821a-b79f96cfef31"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>649d54bc9eef5a60a4b9d8b889fee139</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6c126c3b-10de-41e8-8771-e19dd5e08216"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3e69945e5865ccc861f69b24bc1166b6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9a35ae88-657f-4d17-a3b4-24ab2c431b9f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3e3e6fe1a8c6ffc00a9c644997a4f7a1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d5b8426d-d3dc-4472-af8b-5de756754fb9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>51326bf40da5a5357a143dd9a6e6a11c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9453a5ae-4a32-49a2-a126-f02a2f199d86"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bd8b082b7711bc980252f988bb0ca936</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a46890cd-0547-4896-91f2-9be7c932c03e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>73a63c21a08b0ad2c69999e448f8e6a1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b1cc9530-8f56-45bb-b946-33996df735e0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9d1d58e370bea4b5e79a1f914516cbc0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e70825c8-f40f-4074-8eab-706528fb57a4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7d3140bd028f70f1fa865364b69c5999</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8cca6a84-4be2-4990-ae4b-3d8c799712b1"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1ede2c69d50e0efbe23f758d902216e0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: every cybox:Observable in this stretch is a FileObj:FileObjectType whose only property is a single MD5 Simple_Hash_Value; no file name, size or path accompanies it here. An MD5 hit matches one exact byte sequence, so a repacked or rebuilt variant will not match, and MD5 is not collision-resistant, so confirm a hit with a stronger digest such as SHA-256 computed from the matched file. How these observables are combined by the enclosing element is not visible in this part of the file. --><cybox:Observable id="mandiant:observable-dd1e0af7-97b2-48ec-b096-1da579987940"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>98cf219830733fb98fd2a957b7c4b163</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-66fc18f1-5bb3-4b0b-8e16-0d6634567a91"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d60ee4a39667a733c075bb7f7b36285a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a11449dd-8dea-4997-88a5-57a7815eaec1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>277f95bff2e0fe317f86b5010bd83a18</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ad056220-959c-43a3-9e13-e0069d60e741"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>dba356a4726b94731e6ea97aa73cfc3f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-f92259e5-740f-4ba5-9f34-a2bfbc25b38a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6fbf667e82c1477c4ce635b57b83bfa0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-deb9172e-0195-4900-a952-251a5982fe10"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0141955eb5b90ce25b506757ce151275</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-60d71b38-1bb4-40e8-8a09-7a3325e5f6d3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>67f62f5accfeacf5e828c3b3905248fe</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-543b862d-20a0-4ddd-bf50-730d14794a17"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1fad25d4fef631f8ec3115e0944e4621</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3a9e4b9f-ac93-4bf2-ba34-86c09270c779"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3c4066b252722c873348d43b4c3ec0e5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dfd4c462-94cc-457d-b93d-51284a42f00f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e0fc0fae758d7c6091cdb11d5ef98e0e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-547535a3-8d8e-4a5a-826c-978f86c38abc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4111fbc14558385c10091543c439264a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7a6e0eae-26e3-49fd-8612-208bf903c3f1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>98409dbf432419024dbf028c004344c1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c39ab5e4-4523-4190-8b6f-61644a226259"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>56892b0befe8b7a188fdb7e72a07e60f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-54c1ce11-02ee-40ca-8c76-5f1e06a97ec5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>7e8d1f26679a88268e273ab498e597f4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7acdc274-2791-435b-b0c3-e969c6afadbd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d9c4ebd61c1aee52b3597aae048a592f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f0509b94-ea0a-42c2-9a43-f02a27d87364"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a8b183fe32ad8d426e20227f3c8b7592</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1a30f225-911a-4acf-ac17-57a8182f53a4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5cd7526fc7d849cbbf8c9d1ffe97a991</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b4e62d91-92e2-4f51-a8ce-57e666f88222"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e6ff0431a9a9028808efc582405ea7df</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-90797ae1-4b08-46ae-b910-69fb9d68387d"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>255cd53f9bdb6f3755e621885cb34382</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d7e82ff8-5c31-4e30-b498-0743e5c3bf57"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b63452ecd2da62f30923a124bcd41b45</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-eb2159d6-c97a-48c5-a72b-5c722dfceba6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7a2692cafec377c444bc3147fc43e57f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c3d02108-1bd0-4004-a837-26cdb2613514"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1f9b32bac55ba4c015181ebf55767752</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0c74c9f2-f4e8-40ef-b3ed-ba334f8d90f5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>71536d2e95420c55412c12dffea1a0a6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-3b975e54-055e-4898-bab4-924386d95602"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7acb0d1df51706536f33bbdb990041d3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-726d364f-c99b-4b39-99fc-93bf0bfadfaa"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2e8484f59899046452392c236460ebb6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8de3ccee-3f41-4792-9fda-4dfe3e8b60b9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6040dd5b603483f738be6a02a63538f2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6c66736d-98dd-4a9e-9161-0ef06daa1418"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3ea7bf3b469499f0f6d4a78af865138f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7e966924-f0e0-492c-aa2e-a3df31a0f6c8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e7f728e3bce0e59c3ba973545a3b3a92</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-eb591111-aba4-4daa-941f-d58d55c9d05a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d197c388184fef263b7944a7186bc6db</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1e45003a-afa4-445d-87e8-9cf9c4d797b7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5cf0959687427850a92d7f69edd41b86</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a78f87f8-e80d-488f-92e4-61345d003058"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a517ca12e2648b0590a5af565f8346b3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-61322e9d-1845-49dd-8011-36b73a6cc97b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2d57aa4e7f2f4088f1b96313b24c7602</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ac0668a3-2f35-4119-abe1-eb8cbbfe3b44"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>8d81eeaeb0bd74a1faab257079452078</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a8cbfc21-a3eb-4bde-a685-a0f1e5ea2a5e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ea502cd3504e74bac454835bd23e019b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b003b81f-58fa-4d3a-a149-f20a987dbf81"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9f3fbec4341f246aa6131ab01d6e4234</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bb1b6053-253e-47f2-af14-bbb5584acee0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d3358ed4001ec0366fa23fe82759df2a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-67831879-a87e-4ed3-b410-af2d3190aad8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>620c6a6cff832e35090487680123f52b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-969f2799-1c38-4a57-b00f-30680ad1474d"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5790c7c09735cf1ccf10625c7cd87f5e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b3c89c5b-0588-41a4-9e99-0d223bbe0043"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cb3c5c3f53ecb2cb656fb0f4b8de03f6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-eae43782-fdbd-4af9-9483-1cef334fc95f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d262cb8267beb0e218f6d11d6af9052e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9e89610f-6237-42cd-8d4a-ec3239eed773"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>dcb90efe7e09d6900242af25aeca7b73</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fdf1edff-ce6f-4481-87d9-a7856db3edf4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>855ca1b45a247754ad91d50827a2e16c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-4254f78c-b1a6-4259-9375-0a08b3f6f0d9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>46c36c11238100e155f6d418332869ea</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ae01e667-05df-46d9-9e88-28be9e6f8987"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ea47431d832faff7802710dae0abb0d3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b063a250-8baf-4a76-ae59-be117722fe44"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c0134285a276ab933e2a2b9b33b103cd</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2ee42f88-4abc-4e9b-be34-8a6a12118312"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5d8129be965fab8115eca34fc84bd7f0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ce82121f-ed9a-4547-a1cd-58dc5aab5d7e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bac2e89bd92ce23e1e93a63d26dea01a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bd7de4ce-a919-4346-9fcd-3913b2a6c704"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ebf8eebe3aa218dea5e3f0b2222267b0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2a434183-70dd-45ab-b559-94bbd86da2a1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8c9871a9eb88ffc43507f988b222dc52</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fd0e3b02-30f2-4009-a904-2778f8d4d2d9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f1eea61e49a3f86e95836d1c9f67e074</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1037388b-59f1-4e4d-88de-a48cfde1f528"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e1b6940985a23e5639450f8391820655</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-58794dea-47d1-42ce-a362-54886bd93a06"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>a1cb8a9f2b8926afeb254a64f1d78ee3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6b2bd2c6-fe89-41c8-ada0-fe460773cfc8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c4c638750526e28f68d6d71fd1266bdf</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8afd245b-da29-4682-bce9-6e559f10398e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>28dbd86bd86eb9153ecb20d883c41ae0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8860ddfb-79c0-443a-a7d6-bb1dde02d8d3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bf0d5aff9c1f33e089c9c85f03c6ba8a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a30e7405-19ee-4e22-915c-cd086583820b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>57326cd78a56d26e349bbd4bcc5b9fa2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-39570278-1742-49e8-8621-08c160bd6190"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a8f259bb36e00d124963cfa9b86f502e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e6f22710-6cad-4a43-a4b1-43e5c1e9e4f7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bca9bd0abbb31a422458abf521a6a2fb</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-24481fe5-4bd0-4a6b-8ed9-af76d7f951c2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>150c95865766c2dd0562e7bedb6db104</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7f7ae7ac-2648-407f-9a35-ab01e0c60f28"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d4c1bfc5cd3e33643a562696d5d29bf2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-171f1310-70e2-4a89-abb7-97b9ebffbaf1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3fb8f4cdcb4d1d48be2e473fd8727239</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-51717d97-5ea0-4b1c-a587-3b79b830a4ab"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>33de5067a433a6ec5c328067dc18ec37</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a277c190-aa06-43b5-9d91-bec23be44b0a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bcb087f69792b69494a3edad51a842bb</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-006bfdc9-b5ec-41fe-8f56-b9da46952db6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4a2320b41a5216c741bf63fce562961a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5dbd6994-6619-4b36-8834-6ab44b492e9a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>59620925bf1c4f760c4bf225c7efd6c0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-01eea5a1-0159-4488-b4a0-9f831145674b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>438983192903f3fecf77500a39459ee6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ae3cf14e-3fdf-4f13-a659-c07ad3e592cf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b2599b3078c28a278a3e7cd8b46304da</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c1d91812-c5e5-4ec3-9489-6ebef62dab2e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>543c283d691939d99667e22bcb7be610</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fa7e328c-ebb8-4681-9c53-2fb0e20321de"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c0a494e643c42a89d5bf718ea274df04</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3b5fe187-58a5-4897-a335-37f1193ccb8a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>77afced93e20b1bb906796197fa1dd1d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7359cdd0-ab54-46b5-8907-7ca8cd972127"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>da6b0ee7ec735029d1ff4fa863a71de8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-931a94fe-1d78-4a8d-a8cb-4d2c5f869067"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c65617a4eedb8e0369ef8fe58ce20a02</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5f304b83-aa6e-492b-bc4a-f61fe8dce5b9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bdd2ad4c0e1e5667d117810ae9e36c4b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1ba67c3d-c6ef-46ec-b38e-17b031680d47"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b9b3673a721578b230490f7dfc6df21e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d287fcd5-2554-48dc-ba28-e5a5ce9944bd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7ce16b35201d8d35965ec7aeebdc80ff</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-49392184-f0bc-46eb-a73d-242f1eb2a7b1"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>36a7c3a6460c98e161e1005c925da0b2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d4805982-be75-4135-8745-0a8ff3f3b6fd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2ef062fa86537db34f5907a9775664a1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8a2e9a48-b639-46f9-95a0-f9555491d464"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ef8e0fb20e7228c7492ccdc59d87c690</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cc7d886a-6029-4024-a9c0-34f4e628e6af"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>15d1330be5e27f6f51d011b0575ffa05</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-df53106c-1345-4621-91bf-561c1ba9a1d1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>52509abd1cc7b7fb391b19929e0d99c0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-2ec036c0-6d37-4da0-81d1-afa391b08e29"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fc89424a2d33ea5af3f49b02e743773b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-78457191-42df-4f1f-9aa5-86e8dec6c27e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3b0829e2e966dae17d4c235893a3ae8a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ef2d888e-970a-4e01-9471-be05f7c65629"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>37e7dc80c1eb618b3cd1b442858afa60</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0d9c5aa6-7fc4-4557-864d-a45e13ac7d9e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b631a3d832f7c22c26554711188f59c3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6a1f12ac-e74a-4c2b-b7f0-dab357718c4a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3c1b2fabb7d74bc5be0820eae4107f8a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: every Observable in this run is a FileObjectType carrying one MD5 Simple_Hash_Value and nothing else (no file name, size or stronger digest). Treat these as exact-match indicators: a single changed byte in a sample defeats them, and MD5 is not collision-resistant, so confirm any hit with a SHA-256 of the matched file before acting on it. The file header states that this package is an automated, lossy OpenIOC conversion published for demonstration only. --> <cybox:Observable id="mandiant:observable-0f231d6b-482d-4ec8-abac-11560a6bd0ec"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fc50743af221ccbff7b7c7ec378117f4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5804edfb-9cff-4f6b-8fb8-958e93e51075"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c6a29993234488fcbdcf45668eac9c47</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-91aa6ab0-4665-4079-991d-8752ee107e2a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a6a583aeaf4952787e15f30d289ca138</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ed289b6f-5ff7-4f8a-bfcf-314c6d622e9f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a38a367d6696ba90b2e778a5a4bf98fd</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c438a0fc-bcf9-4ec2-984d-ef45da0754bd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>c4188c3bb6982d41aa783c499113a8e3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f1782637-48a1-45b7-b8ee-6e4b18a16d9e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3122fbb558e1a5f32c90eba31f674add</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4afe37a4-f505-4ccb-8c93-ec6b267493c1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>335df3ffb8cee61c20ab91a401204df4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8c062a7f-7bc9-4b73-96f2-3bcb99d7e887"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a2534e9b7e4146368ea3245381830eb0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bc69c00c-3fca-4dc0-9b9e-c4346a190869"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cfe738fcc07b9ece6a11c3390d43b5df</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a4506c4a-d5f1-4ba9-b4e7-1d6a1bc07ef8"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8a86df3d382bfd1e4c4165f4cacfdff8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-075e4622-1bd9-41ec-8311-c7b53e3fa0cb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2f930d92dc5ebc9d53ad2a2b451ebf65</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-509b8871-ae2f-4272-b53b-b15ef75ccc69"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b305b543da332a2fcf6e1ce55ed2ea79</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fd65f08c-427d-47de-9de5-7a3b95a03cef"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5bd5a22d42c04db7ac1343a2a9f471fe</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-585179e6-9df5-4056-a530-d0b61828be5c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1ba6fee7d4e73752b39a09b1396b69f0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-e8473edc-4f1b-4595-bfe6-36baa5f384e7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2bdc196cdac4478ae325c94bab433732</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1eccf7a7-5f43-43c6-a044-7a2081956cba"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>dc1cff84900afc9d292b305f9b9aae34</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ae9ca65d-c110-4faf-9838-e4459267bd6d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c3dbd79adfa21706f5451cc68331d31e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f05bd155-ab39-4426-801f-292b8846537f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2a84b88c4a2ce0fb6227f7990f465737</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e19d5499-b305-443f-8d78-48ea3a94e2be"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>37cf3f25895c27ca5e647bbfdc1d5b2d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-192897db-af6b-457b-8ee6-6623e1d67c04"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4f65bc571cdd9c9cd11e771e1db35a4c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-32d59174-8af2-47d0-ad8c-e70b2e0fe98f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>36cd49ad631e99125a3bb2786e405cea</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2b40d825-a824-4c10-be36-79a78aa565ae"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>49bacedcd18f6d8929d43a10dae8645f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-93cabc49-f7ec-49df-a76b-ffa513e60f11"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fefa3638e4d6f2e00b5194ae3fa0c931</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9604e409-31d1-415a-9de8-28ae43b742a6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>df4da15796910690b05e393561b86fa1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8847fb0b-9aba-4566-98b5-ecd0ddac90b2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cca290cd2abe96392378b71e9835ce06</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fbca176e-559e-4f3c-aff4-d0ca1f86fc84"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>97c83d85bd76a38b13cea960a1a97f70</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-40e1893f-d2c4-48be-b82e-86a639cd118b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f6655e39465c2ff5b016980d918ea028</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4a4ef845-eb78-40b2-ba62-085dd7aa2ba7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8dc3561ca52bfe40089f3ee0af7fdd9d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ea804d1c-bea8-4cd0-bf18-21803cdc3bea"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>73d125f84503bd87f8142cf2ba8ab05e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-aa1efaca-16e9-4e11-ac3b-7a76485428e6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>251c817f4144264c3e7a9dac03071daf</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4309d7f0-d428-40bf-9ccc-f57bd5ec5c15"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>34ca3fbcaac48498aeff6035b172bf69</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c13a3970-9d13-4076-8051-3c95bc6d4654"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a44312eb63de002383a57b5a93271cdc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-927e6047-70dc-4555-95a8-6bf87d180699"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>24f1b8266f4faf550999581bf0edac83</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-5cb7cf7a-6525-4527-98bd-c23d406e8344"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2bd02b41817d227058522cca40acd390</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ad2d7118-d7b6-43ab-87f5-e4e5da4998f2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4ab62c8e525bee410cd4b6cfeea7d221</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-316de897-a537-40a5-92d6-c8d39d01e369"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d9b1c95fb4424cf69a0ac8e40b3ab39b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-00954932-3781-4dde-8b56-49b07c138769"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>40831b3799c94b609a91d517d14bea21</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a0fb19d9-ae52-497b-a458-6b813ef0e61c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>37eee514b04167f8e17e2caa3bfd3049</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-84fd5ae0-8950-49d6-9146-0084dcb325b3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ef29229f7b633f634db3a5c49a3f4a1c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0f9d600b-a0fb-4365-85e9-cde0ff7a8764"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a354e3c566645100e757f3e43c9b007d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f3829e1c-ecec-4417-8d7f-ca2ee9e2340c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6f6abd53e10567d1534514fc36fca2e9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d4c4f19d-f4cf-42f5-b992-afcf265abead"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>de016572ade175d37cfbfabe8174391a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-96156a9a-30f4-4c37-801f-0eeab2b36a1b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>82b065518f085c6ceb0a9135ab51df41</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ecc8b9aa-f0d4-4c20-93b5-b187027bea87"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ca9c1f8d709ed34d388dc7cba2bd7602</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6118837d-342e-4e35-b33d-659cf490bf21"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5613e6d7111b327307c02bec1701ac3f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-480c1386-9e4c-46aa-9f1e-a085471ce68f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>dd1222f96024ac28179c7508e4193285</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e715daf3-6105-4523-9482-c1a8c5e0f3ef"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f1e5d9bf7705b4dc5be0b8a90b73a863</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f5bf8270-d823-4b2c-a4cb-3db5bbc86e60"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>75f37a69664362462ad491741a34f195</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-63198f99-b40b-4b0a-a081-74bdb013b900"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>575836ebb1b8849f04e994e9160370e4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1565b3aa-e4bc-413f-a6fd-124549f717de"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>efc2025431e7ec8f8784fe81389c77cf</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fd10f311-93b1-458c-8dab-c87fe3459604"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>165ef79e7caa806f13f82cc2bbf3dedd</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-607c5240-a2f0-47cb-bbf6-41d7645d5a08"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1486f48948db4f9afaebd69c7c52f899</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-0b4afa3d-b0d7-4048-a2fd-cfff23620215"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6c65c697bcff935484a5cd2e7dd2e7d2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-79394e6b-e5a9-4781-9564-ac02885bdac4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2a4604fcae876dee445de5ad74fd7835</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9c903320-a055-42e2-87f2-5d9bed5e7c88"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>656baf38fa5ee776e2576cead664d004</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2094bbd3-ad99-43ce-bf7c-889c2a8c2418"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ea8b6c2c083d6b7b2b6ebc015b0488ca</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fa65ea27-a51c-48b3-8443-adf11911b9e5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>98d257a13d176940910d6441a854d7a4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4472c6c0-67a5-4ec3-8b92-32b3a5feb2ba"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>58b020fd3bc0d34e8c4eaf0a3f3135af</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b0da821a-5158-4932-9d17-6b9a2741ea42"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ba56035e10b423734e0ce01bb7bb8b6d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-09c12648-0ba6-457f-906c-50c06c8ccc2f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>23059de2797774bbdd9b21f979aaec51</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b5b1888f-0a8f-465e-b4c7-584ae6abd91e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ecf900c9d743631b59442240ac4ce9da</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4a69f184-ffc1-4954-9088-c65885210f12"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>4192479b055b2b21cb7e6c803b765d34</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3cb5b75d-fef6-4f87-b54a-6211681e6a17"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5a3abb8053c271c58e879b3b9cf8c8f5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ceb77e2b-3bbc-4df9-80a2-0af64730db50"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>37ddd3d72ead03c7518f5d47650c8572</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6905fe9f-e540-4163-8949-c93766ab7fa1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a510d0c9b7930abaa7aa6b0ac294e675</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-439bc68a-8b73-4144-a278-6394ae2cd3ec"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0115338e11f85d7a2226933712acaae8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-64ced20c-d90a-4cf7-b56b-22f9cee399b1"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>62ea10608f0d54cd284e8d7be32f206e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a5bd1885-c9e3-485e-97ff-8bad5ac2a019"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c799e1d25839e1efb2b3d42d6d6efd26</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e0d96356-a782-4a50-b27f-885aef4dc2cb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>be74bf5afd4ba64cc8ce237307e9254d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e478b685-9cd4-4c72-810d-6c5083baaf1e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3abe9c84fc13d0a82c1c3e0dced5825d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ba448443-530d-43e5-bddc-22b67729b558"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f07ac0b4301fccbae233a44e07a2a634</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-7bd52e8a-4fba-440b-a37a-966154ea923c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c425b8782075da33cba5aae5ad612582</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-68818743-99a5-4a86-9169-0203287e95cd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f67357d9fa1c3014050f2feefd39c784</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3073f4f3-afc7-44ec-9db4-c3f01d8f2d7b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c2e06531a2e6de3c1b7d18b14af53fdf</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bfb57e09-9afc-41d2-9220-9b5929713be7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4cd3bed14aaffcf61f4d2948484c4c90</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6f828f74-3e9a-482f-9793-c63022c5767f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>50361f8793258b6e883b31269e053ed2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-90fe8a13-a795-496e-9f8b-eb1bb8700b2c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7d25a80fe2c42368adaea5fcbab866b6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-400a5360-8a95-46dc-8ee6-6fe7adb660e9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d263fed2e1c18f2cb439afcef0cd1b45</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bc4dfd12-d672-4fab-9132-b55a3c6d4ac5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b74022a7b9b63fdc541ae0848b28a962</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a1c9a5b8-5ed1-4b09-833a-11374857a2b6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>62d60a1cd1e7ba73aebc98812e5ac266</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e6366973-065a-4b16-96c3-65fe63516c92"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>86b68ad2e9c33eadf134285ea142ccc2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-df9e93cf-78a2-4237-97fb-d0059f7e67d0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ad7bdadde9a4da73ffc776c606dbb75e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6bc4d8fc-f0b6-450e-8c02-3303a2651d05"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f81991fab3b7d58d66629e26d21176ed</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5c6db611-de7f-4071-93a2-d595d3c76007"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8cb321a7871706fb6246489cb7c4da03</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5448f210-c950-4dfe-8e78-ac71cd039027"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5e686bd284022e35559a9c6118df8f1e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6f7a2020-2697-40d9-b21e-cc3fef4aa00c"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>46acae84a04e41730d0502d9080bbb4a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-26fd253a-1ad5-4d8b-a82f-2b216f57ff69"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>874bb818208655b59a8c4c1ae2aef379</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bb8b77e4-6f6a-4a65-8b00-dff78daae9c8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>328c3ebb2fd2e170483e8d51ccc6c505</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7e8b335f-0b64-47ba-88d8-ea1dce36434b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>dffd04ea26c03d3f6c67e10405abc5ad</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6d795759-4f91-481e-b703-916562a66e38"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>201fb83679a1fe05007fc6b8d6d96680</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-e3781e40-e361-4242-9103-6041cd237b74"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>eca18e3872fd32f17410167871fbd1d2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5a539f71-bae5-431f-b1d2-257d6e336a73"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ecf18654e4a2668fb8b2e3db144809af</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2e1db2cb-cd4e-449d-a781-b64099ddc80f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6767eeb485232436de9553988765fb89</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-98b7cc6e-a2b9-45ac-b649-fb727f776d4e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8845cb5b4e450cb10a3b6ca41a9b4319</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-64704b56-5cbe-460d-b1c7-cfd5a563c7be"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>523f56515221161579ee6090c962e5b1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-059c4f3a-8904-4098-8e80-53498e22d5db"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0dd3677594632ce270bcf8af94819caf</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d86bf4e1-7aa8-40c4-a3e0-9dabb7d11499"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e6c25f9994b723d39c785ddfd38a31b8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9815b953-8d3a-467f-a6c7-a9ae09a2a854"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>db5805604f84b7303fa04feb18ce8271</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f7af9381-5d0a-4016-ac9c-cfb0202fead9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>32c32e936cffa8ab370c7f3f2dd43d65</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-504afe0f-f5ce-4fa5-a455-8f606460d146"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>91dc97c4b66e3282e1aa831e0bb0bb14</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ee9a4b38-02f8-4d6b-829e-0f4847cb1bc1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9a58cc73e103fd5a14ef3564e35c03df</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fbddb631-4962-45ca-a475-e89b9bd23035"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>13835f0d5aafbeda50560afc92c8b7b7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5d516439-8d06-4276-bcc7-979cedd88ad3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>40b1e9cf468f499d749c0863cfa6c8c1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-76070a38-8e25-416a-a923-48bf21bf78cc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0ccfaeb11defb100b5ddb40057e8fce4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b86c6d5d-7d65-4465-b7b2-7e14dee9ceac"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bc7092008ca37adf497b75eb98e2e175</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-26e65acb-3669-4e4b-8c7f-3199503b4782"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f9a46d5024c05a827912a89ca270c553</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d7d17a34-79a7-4fb8-83ee-cc644f714d73"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>52bd3ceef33900d53315f89538128026</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f325e850-af17-48b8-9d63-93d566b4921d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a4ad7335aa391519cc5fc9140f2562f2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e721a677-95eb-4108-8234-4c6759828160"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a1b924b8c8fa157ae8775fd86f692053</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-33617a49-d597-413b-bc42-bc2f236b8151"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f1ad5daacace5d4a7b18a03132ec2716</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6d5607d4-78ec-4f19-b409-e9bf720c59f7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3b320b90e024bfa48bda72aa7a82322c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2eae3162-26d1-4d5d-8996-5d0a72622bd7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7852b941a46e37fe9b332b1be77a6960</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4f79f0bc-4158-4655-86a5-f1124fc98ec3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>465b085d3ddd22f63d8f7721ce5736d7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f2734f96-48de-467b-a208-afe9a7ce5627"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ef6c375e3e6930e2b50e1e97fe6fbcc9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-08c29e42-37b4-4ccf-8a30-42de9cf10c99"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2c9c691e15a48b20dbead0a6d6bf0300</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-40975d2a-84d4-45e5-88cb-4edbcc603dd2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7deed54a40efc12ea03e3f1859522862</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8489fa8e-7307-49d1-8c9e-b18f80ed1293"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>78524ba7f66c0ec4a3755e51709db1aa</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-69b8a457-a26b-461c-ab0b-96804c2f1225"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9fc3ed6c9b8056fbf155f79569ca7cb1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-30b15d42-1341-4e09-b316-40a04761c43d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>d8315c114107b7418c32f85e263766b7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c774aebb-f8e6-44df-ae9c-f880a569b26f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cf038194f0fe222f31ec24cb80941bb1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-830ba94d-c674-4e12-8081-407fc389addf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d2f1be7e10ed39aa8bc0f7f671d824d2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6333732c-4657-4958-835c-36daca9af6ed"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9400fb97c145587b17fb456fac636771</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b07056d6-e131-434c-9af3-74368fc71510"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>81602ce95a4b7f3d3cd1953a2456cd92</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e2677e17-1963-4179-b898-1de300cf27cf"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fbde5068f85ce0aac2e9ff387b5f8c06</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-76af7981-e44c-4490-a615-260ab230a49e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>815a89041dea3e56348f8f5c8b7d1457</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c473ff23-c8cb-42c3-9a8a-a940fcf4b5c1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0496e3b17cf40c45f495188a368c203a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9c1f6d11-e8cf-4b4f-b606-a564cd97f6d8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b8277cce81e0a372bc35d33a0c9483c2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e3ac4faf-98bd-4dba-8b93-f50e5d3b1172"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2c49f47c98203b110799ab622265f4ef</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-755d1883-a0c5-44d4-ab7c-39e2ec3fd652"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f2009007bd6718582ad62ad29b742f6b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f855af0a-b1ad-46e0-bc0e-277487a85b10"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>565b6fedccab184c92e40483ea49a25f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6d1a3f22-3ac3-4aa0-b79e-7def175feb45"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6d2320af561b2315c1241e3efd86067f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2cb3e45d-cd9f-47a0-8835-56a44d25772e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>86dd715a8d28788e68a575207d66df34</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c30bad26-dbc2-4973-90ca-0cca523d8d1f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a99e06e2f90db4e506ef1347a8774dd5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c6c6738d-7fbe-493e-92d4-7e5b109e7f1c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>592a33f691daa01ccbfc8078ad961b43</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c6aff098-b912-455f-b82e-94a86ebe03d9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3d328395d0cefc67e2909774125196b1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a44c88fc-776f-456a-857d-e2743c0c1fea"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c3af09a9fc487314eb4c9fe92a01845a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-89f1b209-555b-4d70-a20a-2175c9a37675"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>94a59ce0fadf84f6efa10fe7d5ee3a03</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-70707d0d-ccb6-43d8-97fd-35213053ad58"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>438401c9ae36e9ed1bf4f410ae116484</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c347c361-b4e8-481c-8b60-cbc68f653995"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6f551594fdf3539c62389c0cf0d2e16a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f55a68e0-97af-4121-85ee-8b23feb6f29a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ef0a6c79f99a537f932a5e64999972b3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a3c79f50-830f-4dc8-9a16-eef39da3de28"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>001dd76872d80801692ff942308c64e6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f8d46e9a-c9d4-4670-8ef4-783ef90a1a7c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>16e53c619803d0068611bb6d448d1d49</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c4e9f524-7b23-4fb5-811c-ff5509b39cef"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>68d2fd5049e70942d164e4e25d13dd8e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6e42dc99-1133-4272-86a1-15df3f321894"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>63db2f4fd717723f0e6f94e0a6a62c7b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5b78b277-0803-4c51-98fc-ae8be7137ad0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>33e9ccd45ef133b2c100d5a4f50635d5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a3e02563-7734-4a6f-a862-44da86216a5d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cd4674e2b7be30121a46a053205472a8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d871da09-7aa9-45e2-82e0-337091965a78"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>abcaf816de63c632ec23d6bda3f02bb5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-f5e529a5-1060-462d-a9a9-5b0557dfb725"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9dab4da07ed669b44f409eb60f3b0e50</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fbc61ac5-4068-4991-944f-e67d2cddb450"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2b659d71ae168e774faaf38db30f4a84</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f3686bbb-05ad-4b39-a841-954e68bdee52"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b1ee00cec6c2318fa86f320dd7fc99a8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6f1d0d6d-c088-44c0-98c4-7d55d0d3f26f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>66c287675cd4c7172590f71181e723a8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f9e82296-0e4e-41be-8521-0a00db0673d0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>25f240aed433c4ea52ccdb898e43756f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- NOTE(review): each file observable on this line carries a single MD5 Simple_Hash_Value and no other file property. MD5 is not collision-resistant, so treat a hash match as a lead to corroborate with other evidence rather than as proof of file identity. --> <cybox:Observable id="mandiant:observable-470dfadb-8598-4cd3-9590-79f90990d336"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1e5ec6c06e4f6bb958dcbb9fc636009d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cb47ec14-afd2-4279-bdb4-1d50313417e2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>523cf1c9741f5f9d11388a58de6a83a4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-049d6404-9e41-40e2-ac1a-cee70614ba11"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ab00b38179851c8aa3f9bc80ed7baa23</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f17913a8-dd0f-45c6-9d35-46aa12027e52"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f02abd537e481109142b6170933d1b3d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7ae0904e-0c1b-4edd-abe2-4530f1f9805f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>6ab7fa8e5fb63b8d0723387d0a1ffe6d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-41cbafda-9421-4906-981d-755ab6e2dbd6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>53600687ec97c297f03b4f0f4710d0c5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dcc93edb-8b87-4aa6-b575-ecf5b6a6bca8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3364813bcbd111fc5ec1e4265c533506</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3bba770a-9c1c-4549-b365-7f87e6a085b4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6ca59c9c4165796e08ba6ca3eeffdee6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-493a31bb-eeff-42f6-b431-092d4b671c73"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d6a01b61f490488d61dfb9376186d844</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-474a5de6-98dd-4d75-855a-644a00f3e503"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>eef298d0bc5b8c89f582e48556d77b6a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b66e553d-40f6-41e0-8650-d369b1b5f1fa"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a7f17c75519fb8a39d37c47617202b05</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f1b414e8-33a0-4b0b-a277-3dfe614507da"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8c57b287a1d2140ccedd6cd097d62ded</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ef237e9b-e7e6-4247-a161-6c022117ec38"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>87efe3671ef8f1eca57f2d8f7e4711d9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c2bb85ee-a51e-4f66-8f99-cef724ce674a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b47e5d095be9fd61016817359f6c2887</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-7cdeed2e-3ac5-4c2b-a9bc-1a4844bc0e33"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>81ce61ed2dc567ce70589386563890ca</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c9aaa5c9-f78e-4c89-9ffc-92e5505e681f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e0c4cbf3ed293e8a8df3f3987b42caac</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-329c1481-806a-4d9a-808d-e9af0c8cae88"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3cda17269c246a2e3bfcda6fa02fceb8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b4e1239a-763e-452c-bf85-dccfe33808c8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1c7538951b21d93ef7ecf3fa94ae5c5e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-83e63fa0-c005-4a03-a0de-1078f44a7c1f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>082cc969b3eb6786e3e951b450b8de0d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b146b5e8-c04f-4123-bc7b-edf4cb9eabe6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>75372eb37415140fa5464f1ebb8a0e74</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4c3c445c-15f5-45a4-b217-f22704f4ed8a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1e48f6ba839d2c4794e23c10e5c4c138</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9c4ed6da-dfa1-4175-9cc6-66d8b6afbcfa"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>494637c4ac6d04bb50a681e87b81043f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b7357a94-7643-409a-835a-fc62b2f48ace"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6510cee34da30c7ef5e5e39980402257</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8d9733d2-42ba-4e05-888b-14207129b441"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>f9ed623f13481da16a97aeacdca646dc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8523db29-989c-467c-9381-687812c2f1c3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bee9b7835a02973678e9ead683da1ac4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a2bd125b-601b-4d22-8b3b-d1683a08038b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>30e78d186b27d2023a2a7319bb679c3f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-678bd135-d0cf-4e03-aaa0-e99df146301d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6c5c5e4049265fffc87973f3e4978b26</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-91a03df2-d857-4ad2-97ad-3da1f760e57b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4cabfaef26fd8e5aec01d0c4b90a32f3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1339f61d-cefb-439a-8ef3-0023d642ee35"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>83b3711c32d28a87b173e7e5aba5f826</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4fc2a0a8-6643-430e-a732-400596bf484b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b1ff1ef983a1aee3a395788ec441d006</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2cb48a12-7126-426e-ba71-939082a4513d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>74b3ee9f3f6c52413db6e5c9ace34893</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6c92db0d-d72b-4efa-999a-9b21ca39a30a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>277964807a66aeeb6bd81dbfcaa3e4e6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-900ac2e8-159b-4ff2-875a-6413b7e39033"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>50f35b7c86aede891a72fcb85f06b0b7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-aa0b5b1e-79b3-4b33-b2a5-440e4fb1d84a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2b379d5346ffd386c28038630a9b0292</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cf6c29ee-7466-4c54-9dfd-5d9242a67584"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>feb406ff01d9fd5abc5ea079e0543e31</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b09fe8fc-790f-4e45-9a0c-dcaf88df1380"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f4bea18e9d38ab9fa7c1cf6eea2bdc79</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cfcc75f6-0fcf-4046-ae45-7e2963e8c2fe"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4aadab80ce16c588b8719f15e84aba82</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4646ce95-63f7-4e9c-ac28-8178ca526e7d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>18316e6ebb356a66c8ff51e73c1bcc8a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5809d567-79d0-40e4-8dfe-0474a3e0af58"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5537bdce991797198a9ff97ff1492f90</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-14557f7d-bedc-4722-8798-5ca8d88ae46c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6c9c9e40683467f60b910d5bad5285ae</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-97929c8b-7dab-4004-a1de-0d6d49e2aca5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0469a42d71b4a55118b9579c8c772bb6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ea0db72c-9809-487d-a72b-cbdad623497a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6a88f170ab6cb0f9b3252adc61b4f487</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-232a1e95-18af-4ed1-afcf-53c8e51a31e2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>7e56369d466dd3d85a9b31f65ee8e551</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a0af6b2b-7b7a-41e3-a532-106a6bbe8068"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c21591aa72ac72872f5bd05bbca5e4da</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4ecee824-7a09-4905-8a03-d1d77e31ef98"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>120c2e085992ff59a21ba401ec29fec9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b7df8f63-0e68-4545-9608-49db64dc842a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fd37fa026747059559197461aa7c63e6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-865dc2e5-3c94-4862-a9b7-3c44fc0fb16e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ffcc7271e951055f12b61f520ce1e4c7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e7ff6c13-a488-4c9a-8110-97fa63b1bd1e"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0ec0fcd649f3d5aa2e19f110c0089164</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a0be44a8-8140-4f5b-a0aa-d165bd5b6c15"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6b4ac249f918be9f7bc64ae7fdda947e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8e424f3a-0c4b-4650-b157-a6656050a401"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>772c771e13e599cbf25bf9e0199681f7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a48c9093-ab8e-4001-a381-013299bbefc1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7b451bbbdc840378b785bed6b9e30e0f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ca714746-cd7b-4d9d-9698-913df4ebc11d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6db47757ba324bb61ce3cbcabbec52d4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-17565c08-0d52-45da-86d6-4d2b784e00e4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a6b99080565aa7933d946b8b9d9d7476</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-851ea564-2c94-4620-b15c-3f9d76f02a74"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>70bb674fc97d7bf4d8dbbe3636f65c4a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9017943d-196c-4858-923d-dffcebd77bf6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>eb50c166074ae4f13cfea362dc7b668a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-feaf6521-3217-48f9-b2e3-8a3e465fe764"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d76ea982d614c66c5faa36ab5fdd8b41</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b1ebe4ef-4f07-4e17-a1eb-5d371baec782"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5dea347d29a3e9c21c52385a10224b65</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-75d8211b-d323-4b7b-a6a9-b37eb6dcf9e5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a1b8aa19c92c257cbace54337f6672d3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c5772131-a3ab-4680-9fd1-784c452e045c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7e64b28b0050d23970478c81e8037470</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c97e7b64-7ab6-46e8-bae1-9740ebd2624d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2d08595e73de31a36c1187fcaac73bf0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-71e7258d-3bd9-4e8e-8be8-1a98765f0223"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d915f1c6792eed61dddb30e512e6c202</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a708371e-4f3e-4e91-bb1d-35d0ce21b866"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>e50af782414228e52e59bcbe518b1966</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-af49aaa4-20e0-4d53-8c5b-ef0ef0e2faad"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e06145fccac413d8c753bc822619945c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-106e85c9-31cf-4805-b69b-e32d9770acca"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9c36333385d351e59d6c4372d757479e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c97a502a-1674-4f08-8a5f-3b1f90ad8381"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0522e955aaee70b102e843f14c13a92c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bb7b444f-3c8f-4f6e-9551-315d3dc75a9c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1097ca5269dea866d5c9f2b0cc50af6d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d2554707-192f-4f1e-8f4a-caa41d2c9db5"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>04a7b7dab5ff8ba1486df9dbe68c748c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1cd3f828-f29f-43c6-80b5-5564ac64e24e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>349f6cfb77bb360063c477e9b6ca24d6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e5ab65e1-6116-4dc4-8838-11d79b05317f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5ccb52a8e3c31dde2ddbc486a2215e85</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2c4d7c13-218b-42a3-9883-7755bd88ced1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>633cb95904ab9dc0a3de4ddd443494e8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-87b5674b-3f4a-4a1a-a583-c363caf0844a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d3f9d4bc51db1e602093e3003fc789d9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-a6addc82-4546-40f4-9e2c-1838b8abe6d2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>56c8ff5c6832f1e31a59e0717c3ab79c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-441d6825-81cb-46a2-b5fd-50733dea2336"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b661f78279ca0b2e0ae611013eb00f20</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b76feb62-b32e-426e-9110-9f8759417ce3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9cb07b71dcd1ac9dfdbf9f4cdfd4f273</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b8d2eb7c-f294-4040-8077-246b13d59a63"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5e1d81618eaf005b8e0cd63fbc9a4937</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-553117f8-bd7c-4aa0-914a-6377de0f3463"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d5e56f7da9d2a78e49d3d0685e9613ca</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3c791684-0fc8-4bea-a715-10d8ae67cc19"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9371fcd92ef86ccf450af903bc74ec01</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d05fa418-b565-44c7-ae55-b9cf7cf00cb7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>760339e927e391e289bd91bad4cd59c3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-53db6475-a3ea-4afd-a3ee-c19b0b9d6a58"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ca899eda2c32e7d305272dd48bc8e1e1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f2f0494e-c4b3-4349-ba9b-b97727f7f79b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>389f43a8af199da8da6b7c75b2c69595</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d6ef728a-e155-4323-9a74-6be5710fa548"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>d8b7b276710127d233abcdb7313aac36</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3ea0215a-6b3d-4a2f-b782-4a75ef23a07a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6a4fbcfb44717eae2145c761c1c99b6a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-73319afd-e722-4ac4-a163-6d3d4c1bcf15"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>af719814507fdca4b96184f33b6b92ea</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0c29ca36-997a-4d5b-9a10-5927b5359231"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>827040a5f5ae8de281a63899224b2f3a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-82573a72-d55b-44af-abbb-bbf832d45fa6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>67504a0c2c2bf47efccdab5ca981ad7d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fb13b7ac-aab0-4fe5-8858-bccd055d9b90"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a4903f7c293993069f865468bd7cec78</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-196599a8-1153-431b-96f7-fe9ef358d268"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>46817cabd6618d2126067430a78f06a3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-198e1c60-b090-47dc-a38f-bb7524d14397"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>605c1dc91a5c85024160ce78dfac842d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-24f6b24b-9d09-4690-be1b-06459464dd60"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f3f2881a1cf3f81f1ecd952ccb616504</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-eae9116e-675d-4590-af90-435206d5e280"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0588ffa0a244a2c4431c5c4faac60b1f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-6c1ffc0d-09dd-438c-917b-e7d2224a7238"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>da52e6701c9eba92459c6be28efdba74</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c5a8b6e5-74c5-491a-81a9-3d08f61c8697"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3de60420845a582b0e44081b1138a7e4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d51048c3-30f6-490e-83f7-eb2df1e87a41"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fb671e6de6e301c892d2fdaa58f9cd9a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7e84c04a-6f3d-41d0-a130-5bed5cd04520"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c9f77569aa98f71cc42644d66d9f371c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2727239c-d01c-437c-a7e3-2940b1fafed4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>69dc1e1ee273e531e91c60eb86396cc8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c523c024-241d-4cc9-9b85-37c86be82a20"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>99882234b814b860a22b4d441b92fd82</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ff7636d0-a8c6-42da-ab0e-39157ed18d0e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>024fd07dbdacc7da227bede3449c2b6a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b548d814-ad9c-4194-9972-b7d4bb357171"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>adb2fc194b960e694aa450161f1df6fc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ebca2297-71eb-41ae-9ed0-082400a4f867"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7127241c033c403b18bd281d0dfc4e31</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-82cf46bf-bfbd-4569-b211-fe00bafbad8c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>7712d05c8b499fc7a1f4a6a6b6dee825</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b05ac8bd-8653-4313-87ac-8cf0ecd1fd52"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8fc5fb519a222ab919f28d21545774c6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-707b6b73-3139-429c-821d-134dfd260c96"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fa66312d7e2ed95814f30871cae61d7c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f1dd09ad-62f2-46b0-98fb-f9cafb77af1f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>61b4e2423dd21a145fc977ef55fe34c8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dbbc43f7-f85e-45e1-b9b9-581208823275"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e6ff80137734a4882c3709a235802d6e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-559b6918-c898-4778-9215-3f21039fd44a"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ec63f49236858c85168da81c1ac7802a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3711a61a-bc46-4ad8-aafa-17f9318b5010"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d25be76b6d871a26eec08ad1bee0273d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2df54931-2584-47e8-81f4-82058940b2e5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e56e4b20ef6dc09d29be49481bd29561</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-905eacc6-46e0-4a70-947d-d7ca8e43e3e4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0545a524a6bb0b042f4b00da53fec948</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-639f8281-4437-48ed-9f4a-1c6f5e6eeff7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>651d83c1b85acb204abd5bf7990a1298</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-814200f0-af78-4719-a82f-341dfa71ee57"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6ebd05a02459d3b22a9d4a79b8626bf1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-16c597e8-4b94-4edb-938f-0810e9ef2690"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>db50416d9e67f4982e89e0ffb0ade6f3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0740cb32-98d1-489c-9c55-fcb686453f8a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e64d657ce32118b415fa91dc05037c4c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cac202fa-8555-433d-8023-5f79fcfc03a4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bb286e9969ca197b461286b679c0886e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8c293eb7-075b-4104-bbc0-41a76cea08be"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>98bddd6c789a883afa1de3524bb8ea8e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b2282f60-b90a-44ee-91cb-59f0f0b962ec"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>11ccf3f93b00b01887e50283742cd1e6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-053ecb99-8eb1-4e92-8fd0-1d8154375268"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ff2d1edbcaf04e8a02dc61fc225e2b91</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-807e98db-f7b4-418a-aed6-72dc19f05d76"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fad92f849e3bbfab211af339eb6a8d66</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c8645b0c-d8bc-4ff6-80bd-71a2de3a0bb9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>55886d571c2a57984ea9659b57e1c63a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6d5c7154-48eb-4792-baf2-e6d91f6cf36d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>ec09d3b72b282872db4afb0cc9ba7d9d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bb66a3f5-f29d-4d55-b732-338fb1b701b5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>016da6ee744b16656a2ba3107c7a4a29</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2672fb23-8070-4b6e-ba51-383087900160"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e5237615fde0977c0ea3626fba609ab8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-76c4f060-bd17-4e8d-aae1-4d70dd565d78"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4a54d7878d4170c3d4e3c3606365c42c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bcbcaa06-a184-4c65-aa5f-74ab8be16212"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a7117612ea6b6fa3307943f5ed21fbb4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5d051b62-04bc-4b61-8670-425f975bf378"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>41a5d40ecc735172b18b61e01a30a178</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7d5b5ff3-41be-4d24-9c3e-c7723c1ae807"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a639f598d4c0b9aa7a4691d05f27d977</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-036dffea-62da-41c1-bf3f-5367d5bf536a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>10a68e08c514d3b69296b0eb557d822c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cf7ef16f-a838-4e17-a21f-551c7c737858"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>02c65973b6018f5d473d701b3e7508b2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-75929f3b-081f-4df0-b464-f1f256a609dc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>933b11bc4799f8d9f65466fb2e3ea659</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-4fa8838e-2668-4081-a83a-fb91d8cce1a8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>af2f7b070245c90bd2a0a0845314173a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b56bbb81-0344-4b4f-9d12-60765bc45bf9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>baabd9b76bff84ed27fd432cfc6df241</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bb141ed4-e569-4ba2-a0dd-be481088d1fd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>588c40520a3cea27d2b35cd1fa05e23f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e3d10dac-f42b-41a2-828d-c7f0df2ab24d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0c5858f293aed44ea00eb9e0019609df</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4f52d963-743e-444d-885c-1222938a1849"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>775459afc5415984dfa2a0f533011763</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5f1e9bb3-2072-4dc9-bd51-175e75500e08"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6bf9083f1567edce004bd1f7c456659d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3165b381-f361-47e5-bfa2-6254b9a95f92"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f172ff6b65140f342e6ee51966ea3c4c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-353086f3-f7d6-439f-8a7c-b7bf83ec4e10"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fe5ba680a96757ff232d4bad9c0db2b8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dc71ba29-82d1-494a-aedd-2f21a089406d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3f33c0dab564c35485fd227d97b98443</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-22587830-8355-4949-bac1-effe145e45c8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>4c858a80df0d6de5d69824c9502b65cf</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-73f9e853-feb8-49e1-9373-c442800a3882"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9d75897d9c0a5da7e95082ea5ae1f648</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f303cf23-b998-4fff-8b0f-dd427b93b00d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6deae79fc82df523ba99852266a33f9e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c0a9f30b-42c6-489c-a1a6-d68fb32d5741"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>08f21a020f41f0bcacdc9427f84987da</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d4cc4757-d9a0-4e3d-a9e5-93fdda1328bd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9d7499c3a01daba5c9b5090b079808ca</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5d96e91a-e8af-4279-aff8-f7ee1035b553"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>99a29ccea951a950040f3944abafed40</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-28e36290-156b-472b-8697-1fd83214f159"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cc7c8aba24c66373502ba5934696b7b6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c5bacb83-ed6a-449f-8435-aaa14829020d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e9f3a771196ef22e150559d9f819eea9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fba246d4-63a9-44d8-b683-7a8873edab4b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d0fb18b1e1f642f595a4746826350c21</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7cd0d0f3-629d-4d23-9be6-f0e87ac83de4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>342939e5fe4770c545659a6bf1e50df4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-a1ea4b28-4641-4d32-b3d9-77e88596e1e3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>03ae71eba61af2d497e226da3954f3af</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-25fe922f-8c85-4036-8b66-4c0a14035066"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bd402e910e03b70f00685d8b8be5093c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-83b80c37-dc92-4520-ab62-244cdeabeb9d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7b3ce6c2af1acd119a25831fac670bab</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2a32d815-3b5d-426e-b75d-1fa9d6669b19"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a34234a27157851300d9b698f6c56d9a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-794fb4a0-ea6a-482f-9e0d-d247c8685518"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c4f144febf16ff8f36df15353d5347ce</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5a2d6053-025b-46c2-b34e-3393d058a54a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2cdbeebcf4e0b6dbd24b8c7b4cd6d862</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-db42b8c8-8970-455b-893f-984bcd429fa5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>989b797c2a63fbfc8e1c6e8a8ccd6204</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fe942121-30ee-48a0-ac71-ffb77fa9419b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f3611c5c793f521f7ff2a69c22d4174e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d1269ce0-b8ce-4687-a57d-e912eb453a87"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>609d917a7f0c526b0d8091c8191da376</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-73d21b20-8517-4c34-80d2-aab23275ffdb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>687a58dcbc076b04bef4ec6050310fb5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f6d336e8-8698-425c-bb52-39a177c16abc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>215df0c319b98dad4f202849b097f8b2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-820cd5fe-38fc-46bd-8b8e-1e54123fc4c8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8387adb5325035baa3fe3a2b0cb4921a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-16c32e93-5328-4c6e-b3d3-033276ceb53e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b43266a047b2895399f4883cfe37c089</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-31dabc58-f045-439c-8ca1-7a4cc5de75f1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>959c680c26f26e7f1dd61607942dc96a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9a222096-0778-45ed-9f1b-97097308d772"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1ea61a0945bde3c6f41e12bc01928d37</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b02ded2c-f824-4146-a3f1-e6fc5f6c5599"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4962cb3f255b2eaf48847c754d2a553d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-42542bca-6c09-4f4b-a2e5-b54d69062a84"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>50a3aaaebae6cee7ecb150ac395276b9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-17942e46-f4cc-4f97-a68b-24388656b57a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b8f61242e28f2edf6cb1be8781438491</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-be3d5ade-520e-421f-a09b-d65dd3346ada"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8fdb15f3d5480de78c61ccef23722683</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-01bce683-12e0-4566-aae4-8f819bfb4d6f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a2feee5e0ac3f825d4b7de7e0b95bb1f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c1bb4fad-f3f0-4d7a-861d-c4302e4b1f37"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>950234183528ce107d65b700be1bbbd3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7d002204-b850-4193-92d3-3016e95d59d1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>be58ff564c854be419a19a030af25c86</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-31268200-df2e-4252-8359-ae7a90433cc5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>68c67a6e26855ebc2569d67689c69a6e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fce682eb-b3e1-4d38-a42e-2de5eec1c850"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c39e272e9ea15d61e0c8e6b749a1ad46</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-69718092-b9ee-45a9-822c-1eaa4a997d39"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>17199ddac616938f383a0339f416c890</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f0aeffcd-c53d-4176-8b7d-7018c848bf6f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ea1b44094ae4d8e2b63a1771a3e61fd5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b771e7b8-6f7a-4f66-8714-faf593b28b7e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6eb99bed5b5fcb3fdb26f37aff2c9adb</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-024dd82e-75ed-4574-8ca0-9c55c63e354b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>17f6602f1c507b006b9d09eedcde0096</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3179c759-84f6-46ca-8143-82908ebc34cd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>fc1937c1aa536b3744ebdfb1716fd54d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ef39982f-d403-4c7a-a1ba-5c598ecc8dcc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>05bc8309b93676087d5fb0b58ad5e9d8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a68353b7-e572-4766-87f9-09b5e5428fe5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7a7a46e8fbc25a624d58e897dee04ffa</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-459bd1d1-b0e4-446a-931a-3471c2dd1718"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>77fbfed235d6062212a3e43211a5706e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c4703fed-7e16-4d10-a9df-0edbe18fbe1c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5f837bbfd3b458321070e2aebca4ec46</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a19e1652-b5fd-4c7b-a201-0bdfa1bba90f"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b6f2f483e03b9399f055a1ba5e0713a4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-28ad0026-1864-4eaf-96fe-3029613345f5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>06598b0490133815541c5ac023623e82</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b73a948f-25cf-4b6f-90bf-a5224d7edadf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>76c1b246703a10cb6e71a3e5b7b55b24</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b61c3c5f-e034-47d8-bcba-c84628799458"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fdef1329ae626656c8389f82c4f9ad38</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-60f513ab-f989-41c1-b7a6-14338b505108"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b883f8e5a1420d1f511266b9253c11c4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-24cbc42a-3990-4270-b87c-2e14ffeb17cb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6f4182baa5a57b717cb9d850dfadb60a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f8a37975-06eb-48f6-9ff1-72891d974715"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bce4b77a4e4acc70a3f6f52ec0a2f033</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cdbac038-6f51-42ec-96c3-ae1bb9b0ca68"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0cad42671e5771574df44a23b3634f32</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b224b921-23c9-4cc5-968c-0f31e1a9fe53"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3e72fd40e47e232496b303734f1b2b11</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0600e80a-95a5-4849-abf4-f5b0f037b3a3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>eb0c8b05ee6a4334f45968cf45656597</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8528458b-c27e-4539-87d0-740419f90bc6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3e32ab6a2eac5bd1cddd3146d1a1348b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c9b8eaf1-5f27-4f7d-89fe-d34c7f5ac6f9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>611c8f862864af818202865b78ad7ca8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4a1bbbc9-7936-40d6-bb12-ae6d0ebbef1c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>db2580f5675f04716481b24bb7af468e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e37f6f41-81e5-41cd-b3e1-4472636750eb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3de1bd0f2107198931177b2b23877df4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dabfafb0-f038-4c46-bae4-72c9b2c47ace"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>d62cd4ad2a919b6acfa6d49d446dffdb</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f9ae4070-21a5-4c49-bd11-ed725122736f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8153b612499dbf432e2d9805b20ae783</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6a89b4c0-718d-4f6c-bbb2-0cfaa81360d6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>81b03cbcfc4b9d090cd8f5e5da816895</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-eff16361-6bcb-487f-b12f-7c7524975aa9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b5e9ce72771217680efaeecfafe3da3f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-055e7e38-b434-481e-827d-d46104055c40"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>53b263dd41838aa178a5ced338a207f3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-86a57228-9fe8-4ea9-952c-2bd01b4d79cd"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6eebee2aebd5194db62cb8230502378c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c412bc98-8edc-424b-9416-33c7011bf3b8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b0538781d47dde1e9a46a2610155c2d3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8a2f5ff2-237c-4e45-835f-95b757469ed1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c1f60ffbc1ff1fb7241cb034b831c6de</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3ff255fd-4cf6-4155-aaf5-de033933493e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>31b1d316b46c967c80fe7398a9e4cf41</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3409584e-e89d-4b18-8f81-c0f3a96a22b6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>64fa1239f5aa9a9031e61533283f8c22</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-271340f5-a56b-4651-950f-ffc9e77c0ca0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>01e0dc079d4e33d8edd050c4900818da</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b2dd815f-0016-4240-b831-7c3190aa3c0d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>567395a3c720fcd09eb75b6c188b8687</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d74d9b5b-58d3-4ef4-a818-c83695a2a7af"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>79f3bac2826f8511c96240758af116b4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-03f0423f-c6db-4ac4-9b57-319d43ecfb99"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>99a7e4a01b813b9b26ba76bf0b484742</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f2b0f996-240f-4c98-84e1-795a91af6157"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>79841c13f645118a600d19def3642d1a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4fcc4a24-31f0-4de9-b404-19a84e785839"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7fc52a32337386d867a952a2c8644353</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0d6bc525-8980-40eb-b177-25199a431e05"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d5fd1ce9189cd54f157d691e317c0821</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ad26d135-7c06-444c-bd9c-148152936129"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>212c724346400853d05a4440cabd716c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ad2b7f76-8999-4855-be06-95fe7333eab7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>173cd315008897e56fa812f2b2843f83</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f9691ac4-b7a6-4a68-8ab5-ca6d45166fca"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>ac87816b9a371e72512d8fd82f61c737</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3168aba4-6246-44d6-a79a-cd6b067f41ad"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>15137b710414e4e8508ac5ab27e2cbaa</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8fdb58e5-116a-41ff-a7d2-46e56f9439c5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>24259ae8b0018b0ce9992fb1d9b69e2a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-949db1fa-fc0c-41d9-90c9-ca9314c654ab"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b8dfe540bef505cd1adbd5f8ff31d028</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b5419754-1d7e-4e0d-ba79-061896bf8389"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b1838a6c341260fbdaf288795cc63900</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e105b49f-391e-45e7-86dd-eb2d8087e30d"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>85c828f5ea5d99e0c98017f6d6be243f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a931fac9-3d66-4f67-a96b-eac1d080a898"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b92db06d17d3bf906c47a0384e771076</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-40fe973a-354a-440c-9c01-793d25556721"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ff9aa093a37819af65a06046ea0c830c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ccddc305-d691-4be8-9c78-333e2a036daf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>57cfef3e32e60df11b8d2c5375f3185c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-80081b94-7df9-4aef-8137-73e0c2c8eefc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>150c4c1f589c4baa794160276a3d4aba</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-ca97b6b3-ae36-479e-b7ff-9363f3169447"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8dfbf8a46d3a302fd420305918e9414d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6610f26a-8c07-477c-9fa1-21dfd3050f15"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d4ba6430996fb4021241efc97c607504</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-42d0ed40-0e93-4624-b28a-2f1e02b71c71"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>268988aa1df82ab073f527b5b6c8bff7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-549b908d-4d7c-42cb-bb21-ad2ca1c313fd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1baa7f5813e259c6346d1b02a1370d75</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f59fdba5-77be-4958-8488-a5e7a476a21c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8454918f639a1b0719e00627f211d2ed</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a7eb94d7-36d5-4b3e-b15c-905cfe3440f0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>75ff4bd6b209b6f10472c4cd22e3f9e6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f30a28b5-289b-44a4-a057-6bb48b209b50"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a96a6c91e71e243f00a64f53e2fd6415</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e2a7d3c7-66e0-436c-b7ff-6dda4a2d182b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b3af1381f69e36b72e5b272f06aa1fa2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c98fb076-c73c-4339-9e81-1603d71c14cb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>35f32431a069398d25efda2dafa32d93</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ca8a127b-c365-4406-bb58-d965f17d3072"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>543e03cc5872e9ed870b2d64363f518b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-de622043-d18d-4570-9c41-785e1f926d04"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>830e5cd6d590aa65dd3e2c1a01b42259</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-69e791a7-621c-47fe-84d0-8c7c3c4c5539"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>286f48dda20e2ccc3250a6e09a130db1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f2b05d1a-ef70-47ae-bb16-0972c5673db8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b5a430a0696b5b25ae6b4fa5cbfe3333</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-abe084a6-95c9-4e2e-b50c-48634b049e8d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8f3d20c983f9d82a8ff17466f45ee757</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d091bd18-9d30-4a5a-b73f-4e5686c7c61f"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>390d1f2a620912104f53c034c8aef14b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9a0d7892-fe69-4f2b-b8b5-6bf1459adbf0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>dfbc95c0eb1ac9b17b9db8053734b11b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0339701e-b944-4d36-a744-1a2d1dc4984a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>44066f29aab6a9379f8dd30f6bec257d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-efa91ffd-9547-45e5-8f43-830b30630826"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>830a748959bdd1ad3b6a1f72aab6f063</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-71d2a49a-782a-4cec-8706-9d637847c256"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a807ad465b2fe5859c85626e97eaf907</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-37423a2a-23ec-4836-bc6c-e91e3bbbc139"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ace798670a64b38aa7d065c776b49f17</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-12571590-08e0-4061-b6d1-eb491408217c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0cf9e999c574ec89595263446978dc9f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b254ec57-2b1f-415e-9b4a-d0fa1824ec89"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fcdaa67e33357f64bc4ce7b57491fc53</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d749c083-a4f7-40cc-8c67-28ac66e114d1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a311516cdf06d3db4f49e67da5213ebe</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e6799d98-6e76-4b67-add5-543c27b1ce11"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>dc78fd49b7f39fa3bb06b927e8413dd0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-031173b9-3d67-4eb0-a9b2-cb0309e1d4ea"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>321d75c9990408db812e5a248a74f8c8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-10e80b2c-58ec-4ee0-94ed-dab861d672f3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5bcaa2f4bc7567f6ffd5507a161e221a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2c8d7578-f766-410c-bafa-ad6b2c465d5b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d0d5a20c5a6c4fddab4d43b85632b6a9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e7727486-09ce-4567-9500-3ab2d7314def"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c99fa835350aa9e2427ce69323b061a9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8e383de5-dc05-41ba-bb1a-237d315752fc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>7f1a4bc267ace340a5aa7a0b79cbf349</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-27c0377b-ae5d-47d8-b7b4-369a5e19d96e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6b6c4c0e2959df248be90d89899953a9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a3d15fc1-a35a-4427-a3d7-f2f32da400cb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>698fbe7ed1ddd7f5c76b86fad3f7a485</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9d71ef02-d837-42d5-9697-01909ef67497"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c307bad133cc160a0129fda4c57e0f52</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2be3fe72-f623-4db7-8546-37a789c51737"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>77dc072fdd632c12bacc09ceb8e6ee39</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7d0a3622-cb89-4387-98df-46cce2c03eae"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1328eaceb140a3863951d18661b097af</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ac970ae5-b767-4853-bc68-56e6902ac774"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9d85a2ae1e7971a49cb417d97797ac8a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ebdb3df3-a53c-4df9-bf81-abe1d85058bd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>08e0d0f5cdfe1bc2e5fc1b992fe1e073</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5236ded3-932e-400d-9941-07da6e92de13"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>89164a973ae081991a973aa9d5cdee7c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-998d432c-ea3a-4483-8c2d-90fbcb6aace6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cfce9478c880934b3548c3022a956e14</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-95907c16-e72e-4a13-916a-57d216ca5ba9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0583f58ac3d804d28cd433d369b096b8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8cc362ec-5bf7-4829-9374-35ab06631eea"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>15244d2321faa3a271ff0b1e5a23148f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f5a213e2-e862-4ba8-8f1c-03d5a8d150a0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>41d623c1de3b0d182c51e56b2a3f3fba</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cfee9e99-7cf0-410c-a733-6d5955e9fc73"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ca327bc83fbe38b3689cd1a5505dfc33</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d8911b27-17cf-4264-9a51-68d111a56068"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d34e357461c55d90c52309c1ff952b4c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-61a03b1e-0e29-4636-b0e1-491b9cf40561"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>30a7aa13b1f8d272cb36576952e8b6c0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ced89bd9-a6cb-48b0-b401-b76a5b3f95cd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>089c9e5407ddb464dfeca2e528536395</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fa8df09e-f458-4392-b8e2-733500f31483"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2976a62c2a829a153a9b0b5f433bdc77</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f9951faf-1de8-4b86-927a-a800b7537245"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7aecb34616245eb6b2906358151be55b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fd457d34-2778-4cbe-978e-c95a7aa8dfba"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>86b1f3874bf741a3f9c0d74625af5f8d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a7134924-b7a0-4f1c-b818-4e38f2c2f63d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>dd21d1ea2146861a4219b1cbdaefe59b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2238b0c8-37b7-49a9-83e4-4f1861409940"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5ff3269faca4a67d1a4c537154aaad4b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1e6db3c7-b93a-43e7-ae3d-dc44910f0c5b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cf9c2d5a8fbdd1c5adc20cfc5e663c21</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-031beb4a-f30c-4bb4-950f-99c9a762691f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>097b5abb53a3d84fa9eabda02fef9e91</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-15526961-181e-4767-81c1-22e7f5d0444c"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4f763b07a7b8a80f1f9408e590f79532</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-54e1cfa7-5b9f-4dac-9b4d-732bb293815c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f627990bbe2ec5c48c180f724490c332</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-511936a6-ff5e-4463-ae3c-7c304387ec73"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5e42780f52763c77d592044e535e4b01</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5dd6ca2f-564f-4d12-ae49-07c9b8c42705"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d16947b200afa74a917f055597b772c0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4b1620f4-94db-4cb7-98d1-7141c7568631"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c04c796ef126ad7429be7d55720fe392</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-9f36688c-aa19-4d6d-ac0e-58dbf963cdff"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>95d85aa629a786bb67439a064c4349ec</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-be21f52c-fe43-4511-9ab6-fc00e6b23282"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4c9c9dbf388a8d81d8cfb4d3fc05f8e4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4494ac88-9ec5-4190-b3c6-d083b6ce7c2d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>36d5c8fc4b14559f73b6136d85b94198</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e07a2b0f-b23a-44d3-9047-5579172d4936"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5100f0a34695c4c9dc7e915177041cad</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b60946dd-61b1-4e52-b3a2-577f717334cb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1415eb8519d13328091cc5c76a624e3d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3c518aee-4064-4202-8a4b-de3e8a10a40c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c41e44045cebebfba234063de8fd7c4d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d5216c57-dd11-4343-a269-97abf7e8c45d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a5b581c0600815b1112ca2fed578928b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ae8fd0ff-f4e9-4d36-ad1c-5d7ab6b5e4c6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0908d8b3e459551039bade50930e4c1b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a076efc9-286e-45ad-b1cf-10c1544614e5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a5d4ebc0285f0213e0c29d23bc410889</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-11395907-8fc0-48ff-ab5c-0fa2bf0e8d2b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>d22863c5e6f098a4b52688b021beef0a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4226b629-8bff-4b2a-87a7-e5fac402c3cf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3e87051b1dc3463f378c7e1fe398dc7d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8bbb0362-5760-4b81-9ec6-8732388d2e35"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4b19a2a6d40a5825e868c6ef25ae445e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b339ef46-6452-422a-9421-14c96a48bfd6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>70a55fdc712c6e31e013e6b5d412b0d6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1e74cabc-58df-4e91-8256-0a8cef0b8144"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7388d67561d0a7989202ad4d37eff24f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d9efea8e-5f1a-4893-81a1-3022410a2359"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>aa4f1ecc4d25b33395196b5d51a06790</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6c044212-b4c3-42b1-98f0-a23db4579307"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ddf3db31f9fa21cd43ff19dde393aba8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0a45a393-c5bb-4abe-9fe5-55884ed3301e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d7796209412da17b2ee2ccf2309b4abf</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-eccbdeca-17e3-49e2-86e6-d9a958b282b0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>95f25d3afc5370f5d9fd8e65c17d3599</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-876efde6-d854-4985-b4bc-38eeaf6ef402"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>002325a0a67fded0381b5648d7fe9b8e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-168e96c7-27ee-4dd9-83ef-42068e64e550"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a24112e4b875038331d2672b6427763c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2146b9ab-a964-4949-b0cf-0ee322674c97"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ea7aeea782173eb19ef880c6a54456f2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-78a4421d-77f0-4baa-8b0f-4e502e1e6341"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>31e5e58dbdfad05175613e795298ebb5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b0d3d267-a266-4f4a-bf73-bd4bf33895c1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>11504971bb85cdacb8ef7d45e6e2aeb7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-13e6bd1c-3cb0-4045-8183-1bcba1a00bf0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>36c0d3f109aede4d76b05431f8a64f9e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3048ce00-8772-4297-b560-661bd502930a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e83f60fb0e0396ea309faf0aed64e53f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-950b8512-8dae-4155-a5ce-f5a5a87d85fe"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>af2745e8888f2ba17a9cf2e0779d3874</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-742e90a6-04f6-4c3b-a5d3-99f524401478"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c69a708a2a8e4581dd95f90da3833840</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ca3fb6b4-0230-4d9b-bc05-3030c8e35c70"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f4ed3b7a8a58453052db4b5be3707342</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-55e8ea00-8198-48b9-8706-858df3791137"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>1e314c972075b8058099fd8759c11ce8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-65937d7e-c289-4f93-9738-b1b70b9db291"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>75dad1ccabae8adeb5bae899d0c630f8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-296b347b-44c5-4379-ab6e-47586c09008b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e54ce5f0112c9fdfe86db17e85a5e2c5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7708d1e5-a710-45ba-ab53-2b47bd1ebec2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5c6f30cc369cd164d44941d381e282cc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-38bbe2e6-52e5-4546-a24b-7d8a8a7be008"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d7aa32b7465f55c368230bb52d52d885</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-03cc9226-6a52-4bdc-b8dd-5b59290e24e0"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a241eec892637dec971bd925a40d3efb</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-79043b13-593d-44bb-a968-2cc4796ea553"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>55fb1409170c91740359d1d96364f17b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f831fe68-6ad9-4c3b-a458-da96e99bf51d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c91eacab7655870764d13ba741aa9a73</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7a8dafce-2759-407f-b933-58f880373498"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>123505024f9e5ff74cb6aa67d7fcc392</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3712e3ad-c73f-4ac6-a060-ae91e5f4b209"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>929802a27737cebc59d19da724fdf30a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-6a0c1869-51f9-47bd-b5ab-6dccb1e5c4dc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a8b2ac446c614fd5d4880d95369deb3b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e2902c12-d2d9-4430-b52e-f50b3a3cda0f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>57e79f7df13c0cb01910d0c688fcd296</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0dc669b3-4708-4b9a-8342-39908c8fda76"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8934aeed5d213fe29e858eee616a6ec7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6390e920-b130-40a9-9c47-65e95ce704d7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>871cc547feb9dbec0285321068e392b8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9992608a-b5ec-4de9-bc6c-ca680d901747"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fab6b0b33d59f393e142000f128a9652</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e5e238fa-ee3c-4b90-bab0-f4e51686deb8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0b506c6dde8d07f9eeb82fd01a6f97d4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-78f7038b-c6b3-43b0-9d4e-f008ffc3d39f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6808ec6dbb23f0fa7637c108f44c5c80</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e206f2f2-91fa-4226-b125-b1d62a4d6a4d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9d93fc89fb6e0a8142e837b2de045fdd</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2d4e4cea-ac61-4439-9103-2df82e51dd94"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>00dbb9e1c09dbdafb360f3163ba5a3de</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bbbaa9f5-88b4-4769-9295-067830277580"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>2ca8ba14ff07ef8616372c53ee84d20e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-97fbb0b2-280f-4652-a875-3ab57069fd94"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1c16bd1488163c03cd506c2f71486a0f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fc91331f-c835-40e8-a9d0-c8805a056ec1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3a4cda1973cacd78740ff30774d6375e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-af547634-8c89-45c3-b523-d1c69dee87bc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6377ec0c87f4ec1e7897751dd85d73d4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8d12f279-1dfd-49cb-9bc6-20c391e261c1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>257258344edad17f689b1c6d14833cbc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8a1917da-62fa-4907-bbe1-a346b341ecc0"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>68e5bff12ac33ecb98977afed51ebad0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1da495ad-f5dd-4d85-af38-2e1eb9dcd87d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3107de21e480ab1f2d67725f419b28d0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-aff25096-ef94-4f73-9d6c-b137d311b76d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>727a6800991eead454e53e8af164a99c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dc43aa34-8044-424e-9149-8afa4ff0c577"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c39bc83c16f9db8a7c43a966048bca7b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e8fa3d4f-1ed1-4649-9fe2-4a06dd4bf0f4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c72edb12880a9af12b439a7a2d0584c1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-f23bf30c-ef3f-4534-ae43-5a1a27f9b299"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>11de4b1ab84bcb8dd28ef0ea4641f6d0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-33566849-1f86-465f-9bd9-d3d72022c7f1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>338782d2df367156a2c7e12e9526c600</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4fb0d58e-5b9d-4915-8df8-6a6b5047c285"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e689b1fb0610b752f42adafc403fa49f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-99656710-b8a5-46e8-90eb-2bd5c875a1ca"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b86e89a42a1c1bc6ea15096c68e38ba4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-051542fe-3415-415a-a8b1-fa809229fb26"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>dd1bede0e42d26fd2439a6e48547023c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-95f6e322-44c7-4ef4-848a-0fbe23c5fc1b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>370c50aea66cc338b37801e1bd1c244f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-540da951-fcb2-43f1-89a3-495305c3fd10"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f0bab119faa296c680a10ba81693915e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8a03ee9e-5043-4ce1-8729-0c12a92a908d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>07ae235391f7b290ea3a35067239a290</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f9e0e6f8-9b2b-4b81-833f-2ade30521be4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d47b04327157fb188c0e81886e346c48</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4719129c-3284-4b72-a7e2-b67e1d76b3e9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>468ff2c12cffc7e5b2fe0ee6bb3b239e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b88fe4c2-2780-4e86-abc9-1fd01d05f1d2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>476fea8761a03bef16e322996c2f6666</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-24ee6705-c3d8-4304-9a06-4008a9a23449"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bf9aeefc53d97bb23d35d47986504cef</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-92f1ffb0-0478-433c-a45c-bdb3fca452a6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2daa4a4574ba06aa3203ae0e0b45b3b8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e80dbbec-1827-4c76-b561-4a826a74ec76"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d9fb6620e4402764bbf2088de02898ca</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fbc4c735-31e5-4ea6-bd69-c8c8c49614b9"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e476e4a24f8b4ff4c8a0b260aa35fc9f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-590410e3-cbb5-4a58-aba7-2c8f849f7e07"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4e551abcd14506092a0f8d54a45f3569</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c5debc8f-5481-4f4a-a8f1-f9e791be932e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a6117891e42ee7db36253b57839c8b8f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ee66514f-48be-4d66-88d3-058cb83c21c7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>61daab56e07dfa3a236d8aec9eb80545</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2353a63c-c816-4a3f-aabd-3e7c451964f8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0b13a21fb9e12551685472fc76b4568a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-9ba05a25-54a9-4288-8d9b-19d1633e382e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3f243b304358041fb163007e0c066d4a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0c862527-c7a6-4721-846b-674360e02d05"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e9df2f69ed3d9c895ad9d399eaff1bc8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-60c2eb4a-09b9-4cdc-a25d-cdcb6b2d048a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>878e8edd77ceef481fa486d0f77bbcbf</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-95395c68-d46e-46cf-8c34-cab57248c436"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e649f31f7f3a7b15ce1290e8d096c058</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d88551f7-346a-40f6-aff2-9d37b191b2a4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d8fdd9cfca25315635378dd2564094ca</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8c17b911-940f-48e5-a9d3-a1a37b874a73"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3d61d23c2be95177937aa50769c0c512</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b5e3109b-d003-4e43-ae1b-dd211ce39546"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c3de028cbc5aa0934008d95689d5f334</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dddc6df3-bd6a-4f9c-b64c-e41eb6a2a160"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a1468ce16f2d17979cc1a61878c1c8c6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5515aa67-956d-453e-a5f7-21cbc3b6bc01"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bc756bb6bf4e7b2058e8dce6ba8b1a79</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fefb9769-9a14-4e4b-bb43-b11ac1ea5d20"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>f24b4d7a2dfc2cf2625985e880e52356</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e4ba4a24-5fa0-43b1-a710-55c1060ffbe4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0c5e9f564115bfcbee66377a829de55f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5ad007ee-80eb-4111-bf39-4beb81513c04"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6f9992c486195edcf0bf2f6ee6c3ec74</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9af5d073-4bcc-4b57-8add-450b271b8d7c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3a45d4bfd1f919f167ce4a5e5ba00e15</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bdd720ac-a60c-48e5-a701-11bce6df9481"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>43b844c35e1a933e9214588be81ce772</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7f63da93-6a36-4931-bbc1-305ee9445d3a"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0d0240672a314a7547d328f824642da8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ad091b9c-f29a-4f0f-a50a-a0d11290feb7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1a0c7e61bcc50d57b7bcf9d9af691de5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5fffb910-e9d0-4919-8fc0-7afb3eabe2e6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9e860622fee66074dfe81dcfcc40c4e2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-55fe4b5d-70ed-448e-ba29-26e285605e6f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4c6bddcca2695d6202df38708e14fc7e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0484c86e-0cc7-4f45-93b2-ccaa72d35abd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>585691777080b419b523938edd3ba2d6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-2f0e18e2-3d62-4d5f-8523-0f5deee4e6a2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>eefa8d6c9a26dcc13604b11bbe5635c1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4c974f84-2a25-4971-8926-c08927cd92f6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8d251ef81b1e2251601a7b2b0c03ec05</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f3a6eafd-ea13-4671-89f7-54441ffa55c2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bd15714360c12ffca4c3c1e86fc69d0e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a83301c8-e493-4376-aa6d-d0900fe3de18"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b54f58c484f56c704858ccfffbb9d535</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-efbc08ef-d619-402b-8958-31d69ca7ab41"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ca27a87928443e21dc279008008018ba</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-132a00f2-2ea7-4840-a64a-61dd8e5f6a41"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f6549d4a4097bac446acf8b31d250d2e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5117db30-f6e1-48a7-85c3-5fc54bd09520"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7a660a9e48f6065333f388f2c0a67bd8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0a82d11c-ef7e-45e1-b1d9-afb1908c132b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>759b320aca72ba446e7e156407ebc10d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2d23d214-8c30-4615-a7f8-502377704091"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bc723e4f93a3bf85f4d1e1910393d1a3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9450b911-ff5b-4ca2-9291-f77794b911ac"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>3f19992be3606c136b15041207daf6e4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e16a4b65-7734-4a99-ab70-5bd5d2ed2973"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>54d5d171a482278cc8eacf08d9175fd7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c126266f-2951-4a8f-89b9-8e20f568b08f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d271ae0f4e9230af3b61eafe7f671fde</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-48a465c4-15ee-43c6-b54d-efc49ab756a5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9675827a495f4ba6a4efd4dd70932b7c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-78db76ec-e88d-4910-9cc8-bce5a97300d6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d8238e950608e5aba3d3e9e83e9ee2cc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a9781e3b-ae53-4128-a71b-cee9245ff0b6"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>17f5a2e0997b59449ca2120b20b5b7ce</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dee91341-74a3-4abc-86d9-fef25e10d246"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6bf8f1f99ac5bba0db1b66518df378a4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-12d4130f-cc2e-4381-bd02-b3d44f4833b4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c6a4bb1a4e4f69ec71855d70d6960859</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c2be8c2c-0d24-4456-aefd-b23eb2b6f0b9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>689dcd40d5eae8c0d315265f3d90ffae</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d5140a1b-8e85-4dfb-b63a-1acc5eef20b1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e480c8839e819eaa9b19d53acfa95052</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-b0b379f8-7193-4a0a-af42-efea99dc4af9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8cda4e0ee20ddd00003caf7947af7fe4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c67a21b6-8a52-48f7-bea9-713f9e90b2ac"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4788960e489197f2633f581607eb0d26</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b6d6fb31-f0d1-4c76-9dc7-fd18d7c99a61"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7a7a46e8fbc25a624d58e897dee04ffa</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d0aa3f97-a750-44c2-9997-ac2dc9b877a9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>be58ff564c854be419a19a030af25c86</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-57fb3999-92a2-4c02-b5ec-0e05e151b0c7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">help\svchost.exe</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-4685be44-fde1-4cfa-a08a-c5dc536f461b">
<!-- File name term. No condition attribute is set on File_Name here (the path terms below use condition="Contains"); NOTE(review): confirm how the consuming tool matches a field without a condition, presumably as an exact name. -->
<cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>sdwefa.gif</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Substring match on the file path. wuauclt.exe is also the name of the genuine Windows Update client, so the directory fragment is what makes this term specific; a name-only match would hit clean hosts. -->
<cybox:Observable id="mandiant:observable-74f6d69a-7497-4553-aa6b-d43b5821a7d4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">Microsoft\wuauclt.exe</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Registry value data containing help\svchost.exe. This observable names no key or hive, so on its own it applies to any registry value; how it is combined with the other terms is defined outside this excerpt. -->
<cybox:Observable id="mandiant:observable-27a80dc4-6220-4b79-adae-6100cdbcad22"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">help\svchost.exe</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Placeholder left by the lossy conversion: the Properties element below carries no fields, so this observable constrains nothing. The file header says the original OpenIOC is attached to each indicator as a Test_Mechanism; use that for the PE attribute term. -->
<cybox:Observable id="mandiant:observable-5eef2e99-9a20-4513-ada7-74e06d9c3fc2"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- The next two terms are bare file names that are shared with genuine Windows binaries (wuauclt.exe, svchost.exe). Taken alone they match every Windows host; they are only meaningful together with the path, hash or registry terms of the same indicator. -->
<cybox:Observable id="mandiant:observable-bd596294-f70f-4401-bea6-5069ba7bd850"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>wuauclt.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-b451f468-0c0f-475f-9493-9b67ddf9050e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>svchost.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-2c81eec5-d9df-4726-ac36-1629970bf2fc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> 
<FileObj:Size_In_Bytes>10240</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: the PE file-header Time_Date_Stamp is written at build time and can be set to any value by whoever builds the file, so it is a clustering hint for related samples, not an identifier. --> <cybox:Observable id="mandiant:observable-da67532b-372e-4f1f-8631-f4e0ae1185f5"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-03-16T07:10:50Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: the next three observables lost their PE_Attributes term in conversion and contain no properties. Treat them as carrying no match condition; the original terms are only in the OpenIOC test mechanism that the file header says accompanies each indicator. --> <cybox:Observable id="mandiant:observable-a784718d-0dff-462c-8b26-ca1114361fe9"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-079200ea-25ad-4d16-ab0b-9dd72b49b919"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-56afacfd-0e57-4061-8677-24f1bcb36ab0"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: wuaclt.exe differs by one letter from wuauclt.exe, the Windows Update client name used by other observables in this file; keep the spelling exactly as given when building a detection from this term. --> <cybox:Observable id="mandiant:observable-5c1fc3c1-fd6a-4848-9d7e-5bbbdd8c21b1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>wuaclt.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-8371563b-64e3-4461-a0f3-63e429f5ad70"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">help\svchost.exe</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: "currentversion" is not a registry hive name (hives are values such as HKEY_LOCAL_MACHINE); it looks like a key-path fragment that the OpenIOC conversion placed in the Hive field (TODO confirm against the source IOC). Key Contains "run" on its own matches a very large number of keys. --> <cybox:Observable id="mandiant:observable-e93266a8-02fb-422c-981f-6af800981077"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key condition="Contains">run</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>currentversion</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: a registry value Name with no Key or Hive of its own; presumably meant to be read together with the run-key term above (not established by this fragment). --> <cybox:Observable id="mandiant:observable-ce68864a-3815-4fd6-8e29-d1a5d3b91269"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Name>AdobeCom</WinRegistryKeyObj:Name> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: MD5-only file-hash terms follow; they are exact-match lookup keys for known samples and stop matching as soon as a sample is rebuilt or repacked. --> <cybox:Observable id="mandiant:observable-2fa0874d-9c46-43d3-8fd9-6a042da17ade"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>70a55fdc712c6e31e013e6b5d412b0d6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d24ee18d-f0b6-4d83-bc53-05cfe0d9cd3d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1224527e295380dce1ac9953c850ce97</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4e197d86-fb67-4df7-a36e-ff5028eebac3"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>15901ddbccc5e9e0579fc5b42f754fe8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8a7f6dbb-a84c-41bc-b608-346aaa7bb3b2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>62bee50b480f6a6aa427a00464baf376</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8930ade3-1c85-4847-be0d-8427004d612d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c2fa9f567fd34fb14fee6a38b6644ff9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8fbdbbd0-d7da-4a19-9218-0e058cf8b18f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>eef298d0bc5b8c89f582e48556d77b6a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d1d1b452-8db5-45d9-9a63-cce3a33426fd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e4a9b8993e55e3d0ba355b13d1f27a2e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-f883131c-f756-466d-b16f-cad183b228ad"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>71173ad2bc7b39342b1bdaadeaaa0d8a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d4c672d3-88eb-4f22-8553-f8cbb376ced2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7cb055ac3acbf53e07e20b65ec9126a1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-204e7327-0e0c-4cba-a595-f61a7d60e840"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>da383cc098a5ea8fbb87643611e4bfb6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0558aa4b-6126-4621-bb95-f276c7107745"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3b0829e2e966dae17d4c235893a3ae8a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cf3e8804-fcd6-4f2b-a4c1-52d2fea7eff2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ea34b72cbeb07aaac2398704c3ca6b0f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5efec108-ba4f-4519-a779-0ea573127fb8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>753ec12f61c2f7c9a5763c9063a16106</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-888f495c-08ef-46e7-aa45-05b324071b56"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>da60673b4f2a4660d2734a16a832282f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-76e93ed6-826c-42f8-916a-23de349fb622"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>497f07f54a4c29fe3be1a15f4516e32d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-10d7f76a-5b8c-4fc1-b373-26278d7f530b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>12f25ce81596aeb19e75cc7ef08f3a38</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f6a9ab21-43a3-4eb2-995c-42814a0e6003"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>2244c60f4c1dc285c259f3ac5bf88ff8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b6429584-2467-4f20-9b84-edb96212aab9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>82390e18379710df84d48881a1c1d0ed</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0665b3ac-863a-4886-8b27-aa04223b038b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>78524ba7f66c0ec4a3755e51709db1aa</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c8955f74-70e3-4bb8-9793-22f31ccf307c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>46a86e3c12d5025aa78c7ddf46717c38</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-95bdaae1-b151-42b1-99b0-4887617d8288"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5a728cb9ce56763dccb32b5298d0f050</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-97651762-c8f4-42fd-9f38-151372a06610"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f2693de8b687c20aca98bfc1c5aa5b38</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d5c24431-7fb7-47d6-9720-67c7dbcab2ba"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5d8129be965fab8115eca34fc84bd7f0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a119b647-4dd7-4c67-b7e7-4640d164d082"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1fff3f96f53c5bbdd39eb2351f12549d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c9032003-14c2-4437-a0e8-ab5a54f975f3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>034374db2d35cf9da6558f54cec8a455</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-377925c6-0383-4da3-9eed-4ec34576425c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>43b844c35e1a933e9214588be81ce772</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-90982168-dcce-4180-905d-9d3f5c462e45"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f0d2ad2002557a86ecc780bf938b6dfd</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-87b997f2-0f33-4aeb-8910-c9ba92ec1650"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>acb99e5318f7001298df1aef51a9463e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-60ee0427-74cc-494a-9895-45a320e42d0e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>693f711d8fab66a3efca98a19a733d56</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3656d515-5956-47e2-9221-93156eeb878e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>52cb7fed85bd7ff6797fbc70105a09fe</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a3c9a57e-c858-4e0a-bd20-10e775f20c41"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>268eef019bf65b2987e945afaf29643f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fabb66bc-d82f-474c-bba6-6e0425b13b73"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2a214ce037f5f6bb01ddc453f0265d92</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cd1c45bc-dff7-4ddc-8642-e2b4b946edc6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7852b941a46e37fe9b332b1be77a6960</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2da2476b-9152-4b4c-bcca-05b5cee9078f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>80bca9f272152280a462f84f1588c0cc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2a36beb6-03bf-4035-8028-f938f04f9a94"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8c6ece2ade2bfad3171c925baa64af50</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d0a234db-b50f-448d-88cd-e06940043796"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>9d8a7970be7826d29732817c0cc84bde</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-034ff744-892d-441e-84b5-fe922abed392"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>522d32a505f78f09303e689999a3e461</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a8c463e9-1d78-4d6e-b8c5-5bfb922860ae"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7fc52a32337386d867a952a2c8644353</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-44046fc8-7c02-42c6-b26c-b1623eb7b16c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3a3e4bca1197e4abab03340ea97d718d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-53877678-f17e-4da1-9336-698063493cc6"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b50152f3-886e-4132-81f2-bceb91b96629"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX 
Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-08f7fb65-8884-4b6e-abdc-c09c064d7a3a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8d12babf-fa50-4637-af25-e313cfbaee21"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b7ca6cf3-b21e-4ce5-b66a-5cd57ea4907d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6d0cc478-3e68-440a-a6bf-e9b00e9acf85"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">\system32\irmonsrv.dll</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e9d45424-4a97-4ca6-a6da-6abdf9d25764"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">\system32\wuauserve.dll</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3a44244a-ead8-48f4-8e4a-b5fcadee81bf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> 
<FileObj:File_Path condition="Contains">\System32\drivers\own</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: in this fragment ctfmon.exe is a directory component and svchost.exe is the file. Both are names of legitimate Windows binaries, so a detection should match the whole fragment, not either name alone. --> <cybox:Observable id="mandiant:observable-28104725-75b2-4abf-8269-4f854514a608"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">\temp\ctfmon.exe\svchost.exe</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e0da4965-b6c6-4afe-a6f6-eede4fc3177d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>SvcHost.DLL.log</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: the next two terms match PE section names (.upx, .newIID). Section names are free-form strings chosen by the build or packing tool and also occur in packed benign software, so each is a weak signal on its own. --> <cybox:Observable id="mandiant:observable-294bb491-f96f-4bab-a8b5-c26f65d2acb7"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Sections> <WinExecutableFileObj:Section> <WinExecutableFileObj:Section_Header> <WinExecutableFileObj:Name>.upx</WinExecutableFileObj:Name> </WinExecutableFileObj:Section_Header> </WinExecutableFileObj:Section> </WinExecutableFileObj:Sections> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f836ade2-a72e-4b30-8c56-cb95d341c828"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Sections> <WinExecutableFileObj:Section> <WinExecutableFileObj:Section_Header> <WinExecutableFileObj:Name>.newIID</WinExecutableFileObj:Name> </WinExecutableFileObj:Section_Header> </WinExecutableFileObj:Section> </WinExecutableFileObj:Sections> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: Software\Microsoft\Windows\CurrentVersion\Run is an autostart location, so this term describes persistence. AVPSVC is appended to the key path; presumably it is the value name under Run, folded into Key by the conversion (TODO confirm against the source IOC). --> <cybox:Observable id="mandiant:observable-92c6e3af-79e1-42dc-a02e-4505e1d6e459"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key condition="Contains">Software\Microsoft\Windows\CurrentVersion\Run\AVPSVC</WinRegistryKeyObj:Key> 
<WinRegistryKeyObj:Hive/> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: Hive is emitted empty, so the term does not say whether the Run key is under the machine hive or a user hive; a detection built from it should check both. McUpdate is presumably the value name under Run, folded into Key by the conversion (TODO confirm against the source IOC). --> <cybox:Observable id="mandiant:observable-6c09d8f4-fae6-41e6-892e-e0bc785d5cc6"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key condition="Contains">Software\Microsoft\Windows\CurrentVersion\Run\McUpdate</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive/> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: bare File_Name terms follow, with no path. svchost.exe is shared with a legitimate Windows binary and client.exe is a generic name, so these terms are only useful combined with the hash, size or path terms of the same source IOC (the composition is not visible in this fragment). --> <cybox:Observable id="mandiant:observable-037dfc3e-7d9d-4630-90a5-dee0c18f407f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>iprinp.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-34bde6bc-b8b0-496a-801e-40ed15bee252"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>regsvr.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c16e08f5-98b9-42de-8001-d386041c368e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>regsvr1.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-18f232ee-cd67-47e1-9a2e-fdd3298233c3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>svchost.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-71df27ee-4eda-4afc-8409-ec4c58da3473"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>client.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ad64b6cf-4af2-4f3d-a2e0-2fe3e6b30cdc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>nwwwks.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> 
<cybox:Observable id="mandiant:observable-fc106d4b-f060-46f5-80c8-ce8033193fdd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>winssleep.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cde6ab63-addc-4103-a889-b56c4524b701"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>ipinip.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4016c737-ebe6-4aa0-a739-7c46f0af893e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>svhost.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5c550ff6-3986-48cf-a2d5-fcfd41f20b0a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>linssl.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f454c870-cb2e-4a9e-b31d-0f9d068aca31"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>iprinp32.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7f4075e2-7dac-4b0e-a276-7eb14c70d765"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>Nwspagent.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bd302583-bcf1-4e69-9e8e-f0c973a53cea"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>avpsvc.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-02e5a04d-e5ef-48a8-b455-c6c1c325925c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>CSVCHST.exe</FileObj:File_Name> 
</cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6f87cd10-39d3-413b-b3ca-52ba7a124f49"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>Sender.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-28924f62-5441-4632-97d2-5d35a4213976"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>lingyun.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c14a804e-cf50-41bf-88c4-550a25a2103b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>regsvc.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-99013664-03ee-41a3-a38a-ef120f81cb58"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>nwwwks-2.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-44055711-fe03-48b4-b8d2-50be225edad8"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-54a85d32-a165-449f-8b6b-f8203a69b954"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-77d26675-49f2-4cde-8991-460e2da658eb"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to 
CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Review note: the Size_In_Bytes terms that follow are exact byte counts. A size alone matches many unrelated files; presumably each is paired with a file-name or PE term in the source IOC (the pairing is not visible in this fragment), and a detection should not use a size term by itself. --> <cybox:Observable id="mandiant:observable-36b204ba-de10-486c-98b6-288c0c2ac6d8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>17306</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-90242cd9-546d-4966-bdaa-d4467018c25a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>311296</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7d8fceb3-7717-41bb-bdc1-61a29d0028ba"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>33280</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-50de64c1-250c-45f0-a66d-a03be1e88a1f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>34304</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8d335f68-cdf6-4aac-aaa4-7aab25cc0fea"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>35328</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-29ce9cb1-3829-47f0-b933-6fea33cb61b0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>37376</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5af465c1-ee05-441c-8b4f-687a13c442d9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>37888</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-2fc67e5b-4b1d-4135-919d-3c15aac0b494"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>39424</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1e5a489d-61ff-4079-aaf2-7dc8fa96d977"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>40654</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f511fe11-750f-40cf-bb04-348e3a465d49"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>41472</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4c0947d0-3f60-4c95-a587-580bce510b1b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>41984</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b81acf6e-417c-44f2-ab24-da18c03965ae"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>514048</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bc69843a-17ac-42de-82bb-1a15123dc1a2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>519572</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fc2df9d6-0533-4850-8421-310d6c90813f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>570880</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-97c2473e-edac-49f7-b5f2-4b98bb62e1a9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>571904</FileObj:Size_In_Bytes> 
</cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f3f6a93d-912f-450a-a3d2-1e92a03b64b5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>573952</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8aad2a97-39dc-4f48-841f-3cd77cb86cc8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>574464</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3f9eb2e3-e31c-451f-9dc0-555d76dbf4b4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>594944</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ea4ed5d7-ae07-43eb-b5b3-205cde14f99f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>608256</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8ecebf97-b3fa-4aa7-aeb9-c811031aaf9c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>622592</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c0f94cf2-ac62-4ad2-9c92-7d3423524757"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>623104</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e4bef386-82c5-42f1-841f-2416583b10c8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>627699</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6165ef6f-3e35-4930-9b09-da0bb501cc96"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>627969</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c1b8d482-5742-41ad-96a5-6cc84d9e2c37"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>628522</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ddb29c02-9846-49a6-9593-a47847be732d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>634880</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-12ea288b-3707-4d7c-8eb6-050b0af38b6e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>638976</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0f2ab503-9e54-4ac2-ac20-fc1118088afd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>663552</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-49d7c7ee-c519-4d9a-92e4-d6e7a129229b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>696832</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-90ecc391-05ed-4eb4-8ad4-5a6303060a6f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>89088</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-711ea5c1-93fd-44d6-bdfb-0de824ff4a09"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> 
<WinExecutableFileObj:Time_Date_Stamp>2007-06-19T01:44:41Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-638f1639-79f0-40a6-acff-f8abbfb615e2"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2007-06-19T01:49:12Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-21f15ae5-0e27-4634-9dd4-fdcab5b00301"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2007-08-08T03:16:50Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3c443832-797d-44c2-a62f-d56b41c3431f"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2007-10-18T01:53:40Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-30100aff-c0e3-4818-b46e-6787327f8a1a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2007-11-09T14:09:05Z</WinExecutableFileObj:Time_Date_Stamp> 
</WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bcb220a3-50f9-43ec-a55c-a52f90e1c779"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-05-08T14:55:45Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-500257fb-af21-4981-985f-ebccdfb6641a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-08-19T09:57:41Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-87e53cc0-7898-45ab-a5e5-bd42567053dc"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-09-16T09:20:31Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d7e24af2-a583-408f-ad48-0c14e6e4f360"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-10-22T00:12:21Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> 
<cybox:Observable id="mandiant:observable-1b530efc-85d9-49cf-8d72-17860dcb49fe"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-10-24T07:49:13Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2731fa87-36a1-432c-a408-6484a5e593f8"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-10-27T13:48:37Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ba4f0587-bf1e-4830-99e8-9efe07904d07"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-12-17T07:19:05Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a6c97c28-a44f-4b46-9537-7c433c670244"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-01-07T08:09:33Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a3bf514e-f634-4531-b9e0-6de1b3d0c4d8"> <cybox:Object> <cybox:Properties 
xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-02-13T02:54:17Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1a433fc4-39d6-4f4f-8dac-6d83f3f9f685"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-03-17T00:16:47Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6318dd4f-b1d4-4022-9ea0-93d3b561744a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-03-17T13:21:25Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-98a89637-0403-4967-babf-e31546ba39fa"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-03-20T02:52:43Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-129fff37-b218-48df-820b-aebb325f2611"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> 
<WinExecutableFileObj:Time_Date_Stamp>2009-05-06T15:01:12Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0a073e04-6778-40f3-bfae-ed3eb8b46ed1"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-05-18T14:52:39Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4d677650-5373-4fa2-8d77-bd5fca86dc38"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-05-20T13:12:38Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-24f4b96e-46bf-43ae-9cb5-c25ac6fc36f9"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-06-02T12:20:52Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ada070dc-7615-47ab-bac5-a8becc87b4fc"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-06-08T10:17:38Z</WinExecutableFileObj:Time_Date_Stamp> 
</WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2ee86912-e2e9-4a0a-bb54-0b19fa74418c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-06-08T13:06:51Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c9eed4ec-2ebe-4bd5-9150-76f7d6cf0e8f"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-07-23T07:21:19Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e8919344-fd16-4c39-9811-563e77359924"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-07-23T07:36:19Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6c97d939-b699-46c9-af68-cd3a9d26eb24"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-07-29T14:12:53Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> 
<cybox:Observable id="mandiant:observable-6dc1a5c1-cda9-47fc-9fe7-11e3433f3682"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-07-29T14:34:24Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7bc24894-a4ea-430f-aac5-12f4b4afa84a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-07-30T08:58:55Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d191f9cc-8cfb-4761-aeca-3fed66493e27"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-07-30T14:04:14Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-449b69ae-9af5-4614-8071-74751ee11b1d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-08-24T13:16:23Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ae5377a9-14c1-413f-8fa2-006ac9a060b0"> <cybox:Object> <cybox:Properties 
xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2009-12-02T09:25:25Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<!-- Time_Date_Stamp observables: each carries one PE file-header timestamp.
     That header field is written when the binary is built and can be set to
     any value by whoever produces it, so treat a match as corroboration to
     weigh with other observables, not as an identification by itself.
     NOTE(review): these fields carry no condition attribute, unlike the Type
     fields further down; confirm how the consuming tool evaluates them. -->
<cybox:Observable id="mandiant:observable-3ddc54ff-0a4d-4a6d-8bb9-cc0aaf1b8200">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2010-05-20T03:51:53Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-a0a53167-d29a-448a-9316-61c056c2b7c9">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2012-05-31T08:38:59Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<!-- Negative tests: condition="DoesNotEqual" is satisfied by every file whose
     Type differs from the stated value, so either observable alone describes
     a very large set of files. They narrow a match only when combined with
     positive observables. NOTE(review): presumably referenced by id from an
     indicator elsewhere in this file; verify the combining logic there. -->
<cybox:Observable id="mandiant:observable-9059fdf6-0e03-413b-b0a4-3bb1c38194f7">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Type condition="DoesNotEqual">Executable</WinExecutableFileObj:Type>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-2ab4f3c0-70fe-406d-9eff-bc9a2274042f">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Type condition="DoesNotEqual">DLL</WinExecutableFileObj:Type>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable
id="mandiant:observable-09e43b8e-cfb8-43ad-9f3e-1619a113ee70">
  <!-- File_Name observables (this one and the next): a bare file name with no
       path, size or hash. A file can be renamed freely, so a name match alone
       is low confidence and a renamed copy will not match at all. -->
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:File_Name>skeys.dll</FileObj:File_Name>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-278e7759-8fde-48b2-9865-5109fc72547b">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:File_Name>rdisk.dll</FileObj:File_Name>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<!-- Service_Name and Description observables: plain strings with no condition
     attribute. NOTE(review): both strings read like the display text of stock
     Windows networking services; if so, hosts running the genuine component
     will match too. Check the backing binary (ServiceDLL path, hash, signer)
     before treating a hit on the text as malicious. -->
<cybox:Observable id="mandiant:observable-334a9473-ca52-4a7b-935c-db28407edef9">
  <cybox:Object>
    <cybox:Properties xsi:type="WinServiceObj:WindowsServiceObjectType">
      <WinServiceObj:Service_Name>RIP Listener</WinServiceObj:Service_Name>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-c2fbc8d4-abb7-426e-8439-f36516abb11b">
  <cybox:Object>
    <cybox:Properties xsi:type="WinServiceObj:WindowsServiceObjectType">
      <WinServiceObj:Description_List>
        <WinServiceObj:Description>Provides access to file and print resources on Netware networks</WinServiceObj:Description>
      </WinServiceObj:Description_List>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<!-- Registry key observable: Key uses condition="Contains" on the generic
     Services path and Hive is empty, so it matches under every service key
     and does not pin the hive. It is a scope for other tests, not a finding
     in isolation. -->
<cybox:Observable id="mandiant:observable-e4c0642f-5384-49e7-b726-9b7b93b1d046">
  <cybox:Object>
    <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
      <WinRegistryKeyObj:Key condition="Contains">System\CurrentControlSet\Services\</WinRegistryKeyObj:Key>
      <WinRegistryKeyObj:Hive/>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<!-- Registry value observables: each holds a single Data or Name field with
     no key attached. A value named ServiceDLL exists for ordinary Windows
     services that run inside a shared service host, so the Name observable
     alone is not a signal; the Data strings carry the specifics.
     NOTE(review): which Data belongs under which Name and Key is defined by
     the referencing indicator, not here; confirm before building a detection
     from any one of these alone. -->
<cybox:Observable id="mandiant:observable-d0732571-13ea-47b3-8c72-8b7bfaa7e866">
  <cybox:Object>
    <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
      <WinRegistryKeyObj:Values>
        <WinRegistryKeyObj:Value>
          <WinRegistryKeyObj:Data>RIP Listener</WinRegistryKeyObj:Data>
        </WinRegistryKeyObj:Value>
      </WinRegistryKeyObj:Values>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-289288d5-7bc7-4d43-9975-716aeca1f42a">
  <cybox:Object>
    <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
      <WinRegistryKeyObj:Values>
        <WinRegistryKeyObj:Value>
          <WinRegistryKeyObj:Data>Provides access to file and print resources on Netware networks</WinRegistryKeyObj:Data>
        </WinRegistryKeyObj:Value>
      </WinRegistryKeyObj:Values>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-0b1d861b-8da5-4ba9-83de-5452b69d7ff3">
  <cybox:Object>
    <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
      <WinRegistryKeyObj:Values>
        <WinRegistryKeyObj:Value>
          <WinRegistryKeyObj:Name>ServiceDLL</WinRegistryKeyObj:Name>
        </WinRegistryKeyObj:Value>
      </WinRegistryKeyObj:Values>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-9c488d78-e35e-44a0-9616-ba8d732b16b5">
  <cybox:Object>
    <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
      <WinRegistryKeyObj:Values>
        <WinRegistryKeyObj:Value>
          <WinRegistryKeyObj:Data>iprinp.dll</WinRegistryKeyObj:Data>
        </WinRegistryKeyObj:Value>
      </WinRegistryKeyObj:Values>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-cb4724b2-7a5a-4431-a98d-7d263c9d44b9">
  <cybox:Object>
    <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
      <WinRegistryKeyObj:Values>
        <WinRegistryKeyObj:Value>
          <WinRegistryKeyObj:Data>nwwwks.dll</WinRegistryKeyObj:Data>
        </WinRegistryKeyObj:Value>
      </WinRegistryKeyObj:Values>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-9d5cf402-5631-4390-87ea-971eaab1df1d">
  <cybox:Object>
    <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
      <WinRegistryKeyObj:Values>
        <WinRegistryKeyObj:Value>
          <WinRegistryKeyObj:Data>nwspagent.dll</WinRegistryKeyObj:Data>
        </WinRegistryKeyObj:Value>
      </WinRegistryKeyObj:Values>
    </cybox:Properties>
</cybox:Object>
</cybox:Observable>
<!-- Registry value Data observables: each holds only a DLL file name, with no
     key, hive or value name attached, so by itself it would match that string
     in any registry value. NOTE(review): presumably joined with a value Name
     and a Services key by the referencing indicator; confirm there. -->
<cybox:Observable id="mandiant:observable-1b508cb0-76e5-4abf-8f9d-5fa8b1d43f0e">
  <cybox:Object>
    <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
      <WinRegistryKeyObj:Values>
        <WinRegistryKeyObj:Value>
          <WinRegistryKeyObj:Data>iprinp32.dll</WinRegistryKeyObj:Data>
        </WinRegistryKeyObj:Value>
      </WinRegistryKeyObj:Values>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-320e1c11-38df-41f2-9300-26f3841072a0">
  <cybox:Object>
    <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
      <WinRegistryKeyObj:Values>
        <WinRegistryKeyObj:Value>
          <WinRegistryKeyObj:Data>linssl.dll</WinRegistryKeyObj:Data>
        </WinRegistryKeyObj:Value>
      </WinRegistryKeyObj:Values>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-833c4845-a222-4fd0-8f27-021994a147d0">
  <cybox:Object>
    <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
      <WinRegistryKeyObj:Values>
        <WinRegistryKeyObj:Value>
          <WinRegistryKeyObj:Data>ipinip.dll</WinRegistryKeyObj:Data>
        </WinRegistryKeyObj:Value>
      </WinRegistryKeyObj:Values>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<!-- MD5 hash observables: each Simple_Hash_Value identifies one exact file.
     Any change to the file yields a different digest, so the absence of a hit
     does not show that related files are absent. MD5 is not collision
     resistant: use these values for lookup against known samples, and record
     a stronger digest (for example SHA-256) for any file you recover.
     Copy the values verbatim when loading them into a tool. -->
<cybox:Observable id="mandiant:observable-09576f11-2a61-4ba4-b028-50915af3ff1f">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Hashes>
        <cyboxCommon:Hash>
          <cyboxCommon:Type>MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>8412a3e37499f8289faf54546824ab61</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-115348b8-1dd2-47c8-b7c5-e527d1f16290">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Hashes>
        <cyboxCommon:Hash>
          <cyboxCommon:Type>MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>56de2854ef64d869b5df7af5e4effe3e</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-dabc9e54-b4df-4a27-8d9a-08d88d81ecba">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Hashes>
        <cyboxCommon:Hash>
          <cyboxCommon:Type>MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>9e30b1665077b7e65bc8ff1e7c752306</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-f9485db8-ca16-4b54-a70f-81e48aa8e01e">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Hashes>
        <cyboxCommon:Hash>
          <cyboxCommon:Type>MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>106338ad223b84fbc2528a55e3e22302</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-fbbfe38f-d0e2-485d-b646-50a95ad67e42">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Hashes>
        <cyboxCommon:Hash>
          <cyboxCommon:Type>MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>8462a62f13f92c34e4b89a7d13a185ad</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-b9dc8abb-9158-4977-b086-0f1168f36326">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Hashes>
        <cyboxCommon:Hash>
          <cyboxCommon:Type>MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>15d1330be5e27f6f51d011b0575ffa05</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-919418e6-81e1-4fe4-b3d4-8387d2994158">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Hashes>
        <cyboxCommon:Hash>
          <cyboxCommon:Type>MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>75dad1ccabae8adeb5bae899d0c630f8</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-bfd57cda-e423-4f87-82d2-dcad4c60a4e1">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Hashes>
        <cyboxCommon:Hash>
          <cyboxCommon:Type>MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>4b19a2a6d40a5825e868c6ef25ae445e</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-2f1fa842-f779-4fa9-b56b-26ba8607dbdb">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Hashes>
        <cyboxCommon:Hash>
          <cyboxCommon:Type>MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>54d5d171a482278cc8eacf08d9175fd7</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-be2960e4-3574-43dd-95ba-3cb4513152ea">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Hashes>
        <cyboxCommon:Hash>
          <cyboxCommon:Type>MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>36a7c3a6460c98e161e1005c925da0b2</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-6401f7da-2c4d-4b72-828d-b69a295581f1">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Hashes>
        <cyboxCommon:Hash>
          <cyboxCommon:Type>MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>0fbdc6e3f79063a4773d4872fa1f15d1</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-392ba790-2c1e-4acd-86db-7e1246788195">
  <cybox:Object>
    <cybox:Properties
xsi:type="FileObj:FileObjectType">
      <!-- File_Name observables (this one and the three that follow): bare
           names with no path, hash or signer. NOTE(review): several of these
           are, or closely resemble, file names used by common desktop
           software (winword.exe for example), so a name hit is expected on
           clean hosts. Check location, signer and hash before acting. -->
      <FileObj:File_Name>acrod32.exe</FileObj:File_Name>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-f8bc290b-0168-4d53-afe5-02bcfc8a3f82">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:File_Name>adobearm.exe</FileObj:File_Name>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-ae2d031d-f8f4-4be1-95eb-dde6c523716a">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:File_Name>winword.exe</FileObj:File_Name>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-e1ca34f2-6f66-4a8e-ae99-b231aea90ac7">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:File_Name>defwatch.exe</FileObj:File_Name>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<!-- The next two observables are empty after conversion: their Properties
     element holds only the converter's placeholder comments, so they test no
     field. A consumer that evaluates only the CybOX observables may therefore
     apply a different rule than the original IOC. The header comment of this
     file states that the original IOC is included as the indicator's
     Test_Mechanism; evaluate that where fidelity matters. -->
<cybox:Observable id="mandiant:observable-416c4674-b9f7-40a1-96b2-dc688e28eca4">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time -->
      <!--WinExecutableFileObj:PE_Attributes/-->
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-615cf836-6147-40de-b0b9-10dab8393ed9">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time -->
      <!--WinExecutableFileObj:PE_Attributes/-->
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<!-- Size_In_Bytes observable: an exact byte count and nothing else. Many
     unrelated files share any given length, so use it only together with
     other observables. -->
<cybox:Observable id="mandiant:observable-64868346-be1b-4343-ab0a-60a6579ae58e">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Size_In_Bytes>18142</FileObj:Size_In_Bytes>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-466e6f8e-dcc9-43e8-b1fa-1eb6b509923c">
  <cybox:Object>
<cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>20313</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-32100cf1-610b-461f-b9c4-ff24bdc9f023"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>20314</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6ce23dff-9674-463b-a3ca-24627166ec3d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>34138</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-eb9c7619-beb5-4323-8380-dc71c80788ca"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>81754</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e9c54005-c94a-4863-b6ff-8195d62237d8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>85574</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0d4e7c5d-31b5-4741-98aa-f5b43ae77c2c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2007-09-17T09:21:03Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a53c2636-8a86-4edb-9038-ded5af8c9da2"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> 
<WinExecutableFileObj:Time_Date_Stamp>2009-03-06T14:10:18Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c25d74ab-cd2c-4dc2-b66e-320bfb658c5e"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-06-11T09:35:04Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-be83cacb-1875-461f-8c9d-5c54b35a8e95"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-03-15T12:47:10Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ae13d20a-fa0f-42cb-92cf-4a6145d6b8d1"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-06-25T09:26:47Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d249a870-df60-4c2d-8c88-5eca53ad3afa"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-03-29T08:40:16Z</WinExecutableFileObj:Time_Date_Stamp> 
</WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-611abf4e-9345-4f81-a17e-9b37fa80df41"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-09-06T12:37:01Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1fdbe819-1261-40f5-af34-f3891ee08f74"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-09-20T01:17:47Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a1a9931d-9305-4154-9863-174cdedb89d4"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-01-20T03:14:28Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8cc88d4a-c3a4-493c-9ccb-a287f1ffd336"> <cybox:Object> <cybox:Properties xsi:type="WinProcessObj:WindowsProcessObjectType"> <WinProcessObj:Handle_List> <WinHandleObj:Handle> <WinHandleObj:Type condition="Contains">Mutant</WinHandleObj:Type> </WinHandleObj:Handle> </WinProcessObj:Handle_List> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b3352aec-e4f9-4c70-9eab-2881bd91bbd2"> 
<cybox:Object> <cybox:Properties xsi:type="WinProcessObj:WindowsProcessObjectType"> <WinProcessObj:Handle_List> <WinHandleObj:Handle> <WinHandleObj:Name>BaseNamedObjects\Sm</WinHandleObj:Name> </WinHandleObj:Handle> </WinProcessObj:Handle_List> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-efa96288-2925-4365-b9c4-9288c4b914e3"> <cybox:Object> <cybox:Properties xsi:type="WinProcessObj:WindowsProcessObjectType"> <WinProcessObj:Handle_List> <WinHandleObj:Handle> <WinHandleObj:Name>1qasw2</WinHandleObj:Name> </WinHandleObj:Handle> </WinProcessObj:Handle_List> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d9cc65c8-8dd2-4713-b6b7-ce3f805ee413"> <cybox:Object> <cybox:Properties xsi:type="WinProcessObj:WindowsProcessObjectType"> <WinProcessObj:Handle_List> <WinHandleObj:Handle> <WinHandleObj:Name>ijnrfv</WinHandleObj:Name> </WinHandleObj:Handle> </WinProcessObj:Handle_List> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d18237fc-66cf-4c1e-8e1b-070c973838fb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e81db0198d2a63c4ccfc33f58fcb821e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5c9de010-6064-4f37-a6b8-772c322c987b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>909bef6db8d33854e983ebccdd71419f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6309924e-05d3-4b7a-aed7-07f7bcda7d46"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>36ca55556280f715e2de8b4b997a26c9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0054b13f-d945-436e-9215-edc85b8c68bf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e212aaf642d73a2e4a885f12eea86c58</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-60ed73ff-67b8-41f0-af6d-9ed5d2c7a3dc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>86016</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0d62048d-f30a-468e-a1b7-ccbbd5b9deda"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>getmail.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a902acc1-c1df-4135-bd12-fdfa4e287208"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>gm.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3c4f6ff1-6624-4b39-bb17-112982236598"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>winps.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-028ce6fc-3fa5-4a27-bbca-07cdde3898de"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time 
--> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-52f12703-05dd-4d91-ad8b-687cf5e86d19"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2005-01-05T01:38:18Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6b4ed60a-1213-4984-8127-e23d060e56e0"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2005-08-18T09:17:08Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3122a156-227e-4058-9159-0e809b4ecc68"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>53248</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a70f64a7-ab3e-44f8-b3e6-d0517139f18c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2005-01-05T01:38:19Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f3ab20d6-720c-4851-975c-608cf88ba861"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>getmail.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> 
</cybox:Observable> <cybox:Observable id="mandiant:observable-a3141d62-465c-47ab-a779-4b5d86ad363d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>gm.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a104a0e0-ac7c-45a5-aab2-8047ef9e2a12"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>winps.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-19f59c70-6176-45d9-ad53-767b0280ef66"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dc124fa9-95c5-4b57-b8e7-9f760a866821"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key condition="Contains">Microsoft\Windows Messaging Subsystem\MSMapiApps</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>SOFTWARE</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-828286b6-7a00-4f91-8dc3-12ec0ef75c46"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data>Microsoft Outlook</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3f47f982-2feb-4bff-8084-a27ae9be2332"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Hive>winps.exe</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable> 
<!-- Run of CybOX observables produced by the automated OpenIOC to CybOX conversion.
     Each observable in this run sets a single property (one hive, one hash, one file
     name, one size, one PE timestamp, one export or one import). How they are combined
     into an indicator is not visible in this section, so none of them should be read
     as a standalone detection rule. -->

<!-- NOTE(review): the next two observables put an executable file name in the registry
     Hive field. That looks like a lossy-conversion artifact rather than a real hive
     name; a consumer that compares Hive against actual hive names would never match.
     Confirm the intended registry term against the OpenIOC Test_Mechanism embedded in
     the indicator. -->
<cybox:Observable id="mandiant:observable-78d7f05a-c0f8-4c82-a254-fc9204d4d852">
  <cybox:Object>
    <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
      <WinRegistryKeyObj:Hive>getmail.exe</WinRegistryKeyObj:Hive>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-92736fad-0584-4d5a-83aa-5a44a832802f">
  <cybox:Object>
    <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
      <WinRegistryKeyObj:Hive>gm.exe</WinRegistryKeyObj:Hive>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>

<!-- Placeholder: the converter dropped a PE_Attributes term, so this observable has a
     type but no property to compare. Treat it as a missing term of the original IOC,
     not as a constraint. The same placeholder recurs further down. -->
<cybox:Observable id="mandiant:observable-148e4d5e-e213-44c4-9c5c-69bbe81cac77">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time -->
      <!--WinExecutableFileObj:PE_Attributes/-->
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>

<!-- Exported function names. No condition attribute is set on Function_Name.
     NOTE(review): values are lower case; confirm whether the source IOC term was
     case-insensitive before comparing them against a PE export table. -->
<cybox:Observable id="mandiant:observable-b13d3ec0-de0d-45ff-8e86-dcee2de09053">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Exports>
        <WinExecutableFileObj:Exported_Functions>
          <WinExecutableFileObj:Exported_Function>
            <WinExecutableFileObj:Function_Name>docompress</WinExecutableFileObj:Function_Name>
          </WinExecutableFileObj:Exported_Function>
        </WinExecutableFileObj:Exported_Functions>
      </WinExecutableFileObj:Exports>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-62ad77d0-740d-4194-8b7d-6e111bbb3b99">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Exports>
        <WinExecutableFileObj:Exported_Functions>
          <WinExecutableFileObj:Exported_Function>
            <WinExecutableFileObj:Function_Name>doencrypt</WinExecutableFileObj:Function_Name>
          </WinExecutableFileObj:Exported_Function>
        </WinExecutableFileObj:Exported_Functions>
      </WinExecutableFileObj:Exports>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>

<!-- Placeholder for an unconverted PE_Attributes term (no property to compare). -->
<cybox:Observable id="mandiant:observable-fe8a59d7-daf4-406b-9bef-6735886f3e76">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time -->
      <!--WinExecutableFileObj:PE_Attributes/-->
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>

<!-- File hashes, MD5 only. A digest identifies one exact file; a rebuilt or repacked
     sample will not match, so hash hits are high-confidence but easy to miss. Compare
     the hex value case-insensitively. -->
<cybox:Observable id="mandiant:observable-7e9843f5-7b07-4f36-98d5-0db35273c3ed">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Hashes>
        <cyboxCommon:Hash>
          <cyboxCommon:Type>MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>ad7bdadde9a4da73ffc776c606dbb75e</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-25984cb3-718e-4e36-86a6-d5717e292c42">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Hashes>
        <cyboxCommon:Hash>
          <cyboxCommon:Type>MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>64fa1239f5aa9a9031e61533283f8c22</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-af6ba778-2a08-479c-b160-64165af07044">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Hashes>
        <cyboxCommon:Hash>
          <cyboxCommon:Type>MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>855ca1b45a247754ad91d50827a2e16c</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-5ec8c197-fbf9-43aa-9cd8-b911e5114b8a">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Hashes>
        <cyboxCommon:Hash>
          <cyboxCommon:Type>MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>1e5ec6c06e4f6bb958dcbb9fc636009d</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-71b2195c-d115-47e9-aea7-bc8b0593f923">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Hashes>
        <cyboxCommon:Hash>
          <cyboxCommon:Type>MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>4962cb3f255b2eaf48847c754d2a553d</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>

<!-- File names, with no condition attribute and no path. WINWORD.exe and svchost.exe
     are also the names of legitimate Microsoft binaries, so a name match alone will
     hit clean hosts; pair it with location, size, hash or PE metadata. -->
<cybox:Observable id="mandiant:observable-d2eaaca8-8910-43f6-af9e-a8996cf1d7f0">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:File_Name>WINWORD.exe</FileObj:File_Name>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-4274254b-82bf-42c4-933b-6b6344d69097">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:File_Name>1.jpg</FileObj:File_Name>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-d282426a-3dd3-4564-8f57-c712a26c7555">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:File_Name>svchost.exe</FileObj:File_Name>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-d5e42909-d002-431a-82bf-bf614b3af020">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:File_Name>winupdate.exe</FileObj:File_Name>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>

<!-- Placeholder for an unconverted PE_Attributes term (no property to compare). -->
<cybox:Observable id="mandiant:observable-1dc7c88c-5d5a-4ed9-a850-18b599a77e3c">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time -->
      <!--WinExecutableFileObj:PE_Attributes/-->
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>

<!-- Exact file sizes in bytes. Many unrelated files share a given size, so these are
     only useful for narrowing candidates alongside other terms. -->
<cybox:Observable id="mandiant:observable-ca4bdbe4-eb7f-427f-865f-25da34fdd4d3">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Size_In_Bytes>13312</FileObj:Size_In_Bytes>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-a48a6229-e93d-4926-b6c1-7d01e3c8214c">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Size_In_Bytes>6656</FileObj:Size_In_Bytes>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-bf34594f-fa9c-4df5-82fb-bb526c7cde69">
  <cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Size_In_Bytes>7168</FileObj:Size_In_Bytes>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>

<!-- PE File_Header Time_Date_Stamp values, written as UTC date-times (Z suffix). The
     header field is set when the binary is linked and can be rewritten afterwards, so
     a match is supporting evidence rather than proof of origin. -->
<cybox:Observable id="mandiant:observable-9b3fd816-796b-44c5-b31b-ac3f6ff5c2d6">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2011-03-16T08:40:50Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-70e66e0b-ca90-49ea-9675-71790d1e6b4f">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2011-03-25T08:10:07Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-c0afcdb6-b030-4112-92c6-fffb0f38b4fb">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2011-03-28T13:35:35Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-085f588b-d255-4d7b-9b26-3eeebed7f9f2">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2012-01-09T02:13:05Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-bb1f2c6b-9599-4c0d-a877-201c4988b720">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Headers>
        <WinExecutableFileObj:File_Header>
          <WinExecutableFileObj:Time_Date_Stamp>2012-05-31T02:42:08Z</WinExecutableFileObj:Time_Date_Stamp>
        </WinExecutableFileObj:File_Header>
      </WinExecutableFileObj:Headers>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>

<!-- Imported function names, one per observable, with no condition attribute. The
     values are lower case, whereas the Win32 API names are mixed case (for example
     URLDownloadToFileA), so compare case-insensitively. These are widely used APIs
     (download, registry write, process creation, file copy and delete, sleep); a
     single one is not discriminating and only carries weight in combination. -->
<cybox:Observable id="mandiant:observable-cad19ddc-10cd-40a2-ac1a-0e6a06752a01">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Imports>
        <WinExecutableFileObj:Import>
          <WinExecutableFileObj:Imported_Functions>
            <WinExecutableFileObj:Imported_Function>
              <WinExecutableFileObj:Function_Name>urldownloadtofilea</WinExecutableFileObj:Function_Name>
            </WinExecutableFileObj:Imported_Function>
          </WinExecutableFileObj:Imported_Functions>
        </WinExecutableFileObj:Import>
      </WinExecutableFileObj:Imports>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-eb71184e-305f-46f5-8219-c385f9dd6757">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Imports>
        <WinExecutableFileObj:Import>
          <WinExecutableFileObj:Imported_Functions>
            <WinExecutableFileObj:Imported_Function>
              <WinExecutableFileObj:Function_Name>internetopenurla</WinExecutableFileObj:Function_Name>
            </WinExecutableFileObj:Imported_Function>
          </WinExecutableFileObj:Imported_Functions>
        </WinExecutableFileObj:Import>
      </WinExecutableFileObj:Imports>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-5bdf04d0-249a-4ccf-b426-adf1b101c011">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Imports>
        <WinExecutableFileObj:Import>
          <WinExecutableFileObj:Imported_Functions>
            <WinExecutableFileObj:Imported_Function>
              <WinExecutableFileObj:Function_Name>regsetvalueexa</WinExecutableFileObj:Function_Name>
            </WinExecutableFileObj:Imported_Function>
          </WinExecutableFileObj:Imported_Functions>
        </WinExecutableFileObj:Import>
      </WinExecutableFileObj:Imports>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-39da8878-6a04-470a-ae03-a5d6891b5204">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Imports>
        <WinExecutableFileObj:Import>
          <WinExecutableFileObj:Imported_Functions>
            <WinExecutableFileObj:Imported_Function>
              <WinExecutableFileObj:Function_Name>internetreadfile</WinExecutableFileObj:Function_Name>
            </WinExecutableFileObj:Imported_Function>
          </WinExecutableFileObj:Imported_Functions>
        </WinExecutableFileObj:Import>
      </WinExecutableFileObj:Imports>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-6aa892aa-f658-4e99-9834-f63ac4d8275b">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Imports>
        <WinExecutableFileObj:Import>
          <WinExecutableFileObj:Imported_Functions>
            <WinExecutableFileObj:Imported_Function>
              <WinExecutableFileObj:Function_Name>createprocessa</WinExecutableFileObj:Function_Name>
            </WinExecutableFileObj:Imported_Function>
          </WinExecutableFileObj:Imported_Functions>
        </WinExecutableFileObj:Import>
      </WinExecutableFileObj:Imports>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-c1c9b84d-71db-4b6f-95e8-0cf03888e557">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Imports>
        <WinExecutableFileObj:Import>
          <WinExecutableFileObj:Imported_Functions>
            <WinExecutableFileObj:Imported_Function>
              <WinExecutableFileObj:Function_Name>deletefilea</WinExecutableFileObj:Function_Name>
            </WinExecutableFileObj:Imported_Function>
          </WinExecutableFileObj:Imported_Functions>
        </WinExecutableFileObj:Import>
      </WinExecutableFileObj:Imports>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-27b7f3ea-cc8c-4d56-9220-77e86de77f39">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Imports>
        <WinExecutableFileObj:Import>
          <WinExecutableFileObj:Imported_Functions>
            <WinExecutableFileObj:Imported_Function>
              <WinExecutableFileObj:Function_Name>copyfilea</WinExecutableFileObj:Function_Name>
            </WinExecutableFileObj:Imported_Function>
          </WinExecutableFileObj:Imported_Functions>
        </WinExecutableFileObj:Import>
      </WinExecutableFileObj:Imports>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-20cb151e-bd47-474c-ae05-f750119a3331">
  <cybox:Object>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <WinExecutableFileObj:Imports>
        <WinExecutableFileObj:Import>
          <WinExecutableFileObj:Imported_Functions>
            <WinExecutableFileObj:Imported_Function>
              <WinExecutableFileObj:Function_Name>sleep</WinExecutableFileObj:Function_Name>
            </WinExecutableFileObj:Imported_Function>
          </WinExecutableFileObj:Imported_Functions>
        </WinExecutableFileObj:Import>
      </WinExecutableFileObj:Imports>
    </cybox:Properties>
  </cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-435ba428-56d7-4951-9be0-4b01f1cdcaaa"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>getcopmuternamea</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a625282a-a5d8-4bbe-9d54-975e9ec8b96c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>shgetspecialfolderlocation</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dc50ee9e-0165-429d-97d3-ce06a35bc18d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name condition="DoesNotContain">getprocaddress</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6d15ce62-f683-4cc6-a7eb-ebdbefd99ab1"> <cybox:Object> <cybox:Properties 
xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name condition="DoesNotContain">loadlibrary</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d9028cde-7303-4206-b0b3-6d01aab350b1"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key condition="Contains">Software\Microsoft\Windows\CurrentVersion\Run</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive/> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-20d9cc91-974a-4c29-b6c8-3c4a46021e70"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">winupdate.exe</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b805e1f3-9e23-4502-ab7d-f0de4c85cf3c"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">1.jpg</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-58731d71-5941-445e-8649-fc6fa652e563"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data 
condition="Contains">svchost.exe</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-569c4641-8dc1-407c-bb09-62097735ed36"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ad8cde8841208ff226e04e8514dc699c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dec6e160-07e1-4b2d-9e27-79d2e62f7754"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ec3a2197ca6b63ee1454d99a6ae145ab</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dfda0e89-c86e-4194-acd9-e403f0fa0723"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>adb62105427567ddc11124fc27921c40</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4170ae29-4544-44d3-b44a-f9f3a3787544"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>84b83d0e8682e89747eee6ad65e21832</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-65dab442-cbe0-4d3c-a307-513950691b53"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> 
<FileObj:File_Name>svchost.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-36fd8439-0949-4f7c-bda1-f2582745391b"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-525c8fc0-a40c-4efa-91bf-2220e96ac0a1"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-35fc9391-a264-48d7-8847-e7b9f452dfab"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>48640</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-671c01a3-3ec7-455a-82fc-8ca84f8b0919"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>52606</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-80569e90-06d8-4abb-8506-a3a55e876c56"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>81920</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ee25aefc-1da9-40e3-b23a-ec529abb4954"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-10-31T03:49:45Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> 
</WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e3249ab9-187c-4450-b821-fb0bf08d52ce"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-12-08T01:22:53Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-97153ba0-c8e5-41cd-b7bb-d735a7ca33a0"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-03-16T13:30:51Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cfc55f27-5111-409f-b951-c81ae2244273"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-05-25T07:58:16Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1f2397c2-3985-4b86-b10c-13be9e606f68"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key condition="Contains">Microsoft\Windows\CurrentVersion\Run</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>Software</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bc154de8-6af0-469b-92c6-57c51768cfa2"> <cybox:Object> <cybox:Properties 
xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">svchost.exe</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e22f0176-f4ea-4ec1-b25d-b232f76c8777"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Name>AcrobatAPP</WinRegistryKeyObj:Name> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-26815ccb-81f7-4394-bc0b-c162e0544d5b"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Name>MSTDC</WinRegistryKeyObj:Name> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c8a420e8-3eab-4327-86ae-0cd34c2c7cc3"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Name>SVCRTC</WinRegistryKeyObj:Name> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-683a261d-0d11-4d81-9974-f76244cf5f7f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8fc5fb519a222ab919f28d21545774c6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8164f745-0c7a-4971-9534-c32795908588"> <cybox:Object> 
<cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7aef47f9fd84669976c4b152910a6328</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2a604ece-4051-4e9c-bb04-00e3d9b62919"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5bac505fdc202e1c6507ef381a881ed1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4af929cc-8c82-4bee-ad17-dcf502c2f6d0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>29c691978af80dc23c4df96b5f6076bb</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d4cfaa14-c00b-4729-8730-c19bb7ccaca4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>966db6a32ccf7e57394706abc3999189</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-caa9294b-a600-4186-9ade-64240f10e7e4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>668b92feb7cbcc7ac75ff97dcec28d10</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> 
<!-- File observables keyed on an MD5 digest only; no second digest type appears on these entries.
     MD5 is not collision resistant, so confirm a hit against a stronger digest of the sample where one is available.
     NOTE(review): the Simple_Hash_Value elements carry no condition attribute, unlike the
     Contains terms further down; confirm how the consuming tool treats a value without one. -->
<cybox:Observable id="mandiant:observable-5a75fcdb-49b6-4907-90c1-be1211df0d1d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7b3ce6c2af1acd119a25831fac670bab</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-746e58c4-5833-4d83-b0fc-b7c8cd13d388"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ba10b9486043f76bb9e9a160bc1d2576</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-ecf7494b-0ddf-42eb-bfd1-54caaad7b6c3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>68af7be698e8a7408451c158c04a9712</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-0d0fc96e-7cbe-41d4-8ff1-27124e3b67eb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a1cb8a9f2b8926afeb254a64f1d78ee3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-547ce69a-45e6-447d-93cb-e3f8408a21f0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6846ad52c9208830ceaf4cfd81402015</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-cd2cdf22-32a9-4631-95e3-1ea82be40d9d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>56c26b175ae23d90244805a6ec347e42</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-6111ae05-51da-40cb-bcd7-8c7309c7cc6c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ba773e1608198cf8337c5902d7930710</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-459a8ca3-5f37-4170-a310-b2edf02364cb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>065e63afdfa539727f63af7530b22d2f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-7ef04110-a2d2-41d9-918d-64e6a57f404e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bebbbc50a561681f48d174d6b7c2824e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-0e37846c-82ac-4a10-b13e-f38868432948"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bb286e9969ca197b461286b679c0886e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-4ae2a86e-d5b1-4216-be43-cebb94582e3d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3e32ab6a2eac5bd1cddd3146d1a1348b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-9968a740-8e3f-4cce-a36b-0d4bf4fc61c0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>251c817f4144264c3e7a9dac03071daf</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-7ef2f6ae-079b-4726-a5ac-e55552afbf7e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3441cbdf8de9472c19b021b241429b22</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-a99a13ad-6ffb-4307-bdef-62b7867ce6ba"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2fccaa39533de02490b1c6395878dd79</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-7fcc9f01-571e-48cf-b9c9-ad1cfab31df1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2cdbeebcf4e0b6dbd24b8c7b4cd6d862</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-b869caca-0e0a-4f03-b5ab-7cc08a1b652b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9a58cc73e103fd5a14ef3564e35c03df</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-cde9b415-e358-488e-aa21-aff40ac98d23"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>eca18e3872fd32f17410167871fbd1d2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-1034f34d-94f4-4d2b-934a-1de2c16f1eec"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>76ba06bac23a2c445cb982bf38b82199</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-730cc249-816f-4f97-ad2c-2d9e32225093"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cca290cd2abe96392378b71e9835ce06</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-5b8ece81-1cda-40bc-a5b8-3336ecdc50c1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>648ce1c45927b24563dd8361a1b74311</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-8e8bf688-5355-4612-99c9-466a1c697bba"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e22f2e9ee73ab8b12ee5069f7e39a615</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-908c651a-c3b4-40c6-a14a-3ff89bedc201"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7ab86c938b960dfc0c4ffbadd4163666</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-847065ca-076b-4f2d-bf5a-52d635ab2fff"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0829207a8400e2814990f79fbdfe7f4d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-02ef1c30-77f2-40d2-a230-05d5a3d50cd5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>98bddd6c789a883afa1de3524bb8ea8e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-25b1e82b-e775-40b3-8a45-eb741eab7d11"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d776379bda9fdf695d6a54db8a5b4c72</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-44c50c55-da30-4a8f-81d5-2ca4452ed8ca"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7253de652a025b2b4fa7b02e97a1ee6b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-fa7824d9-a3b6-4538-bc52-a41e71b67e2d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9df30198f52b16925db1e3da61cfc754</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-60a8b2c7-e984-4f65-83b3-6e8bb0e4f8f3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a70aaf335f7f1a04c7fe194602b11c14</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-c9be368c-5105-494c-9a9f-bbd8527bd878"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cd6c1dbf08d8864b382678284ef13358</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-ef26adb1-8229-4857-834d-2fd0aed4bd61"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>177e0270f25a901c216ffb2e7a36e5b1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-d6a606bd-9931-451b-941b-377d55775735"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0141955eb5b90ce25b506757ce151275</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Process-name and file-path terms; both are substring matches (condition="Contains"). -->
<cybox:Observable id="mandiant:observable-19bc2607-f1d1-42d8-a417-0b88981ce9a1"> <cybox:Object> <cybox:Properties xsi:type="ProcessObj:ProcessObjectType"> <ProcessObj:Name condition="Contains">updatasched.exe</ProcessObj:Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-78b46b61-44bb-430a-b671-75a0752af73a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">Temp\Updatasched.exe</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Bare file names: no path and no condition attribute. Names such as setup.exe are common on
     clean systems, so a hit on one of these alone says little.
     NOTE(review): presumably they are meant to be evaluated together with other terms of the
     same indicator; the combining logic is not visible in this part of the file. TODO confirm. -->
<cybox:Observable id="mandiant:observable-34777547-62c7-4ab3-bc13-4dba65ca64e6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>tcplink.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-0a7c6848-cf7c-43da-944a-c3459fe4f3c2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>httpslink.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-ec005879-15d0-404b-b5b2-672f778a9720"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>Temfoe367[1].htm</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-ea5a605d-135f-4958-872b-c918d7a0fe60"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>h1.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-c56cb637-df95-4ca1-8331-62e374681f49"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>tc443.bin</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-3a2ff9fb-d71a-4f01-936e-5388efefb515"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>tc443.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-4c06b740-9ff8-49dd-bcc6-32433941411e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>new80.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-ac8c800a-7cb6-42d5-aa4e-2e204219f921"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>setup.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-4b800446-1f51-4901-8207-f4a765d7e824"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>adosetup.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- The next two observables carry no property values: per their inline comments the converter
     did not translate this OpenIOC term, and only a commented-out PE_Attributes element remains.
     The comment at the top of this file says the source IOC is also embedded as a Test_Mechanism;
     check there for the original term before relying on these entries. -->
<cybox:Observable id="mandiant:observable-46468ab0-0868-4482-8ab2-cc2e9d717a8d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-c6ee05b2-f173-4ebe-be00-dd30b192d70d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- File sizes in bytes, given as single values with no condition attribute. Size alone is a
     weak discriminator; treat a match as supporting evidence only. -->
<cybox:Observable id="mandiant:observable-1596173d-f923-4e7e-89c9-f2268cd0e4ee"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>32768</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-8392cd46-7c5f-4079-b846-486b4c4d0230"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>50176</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-403ff3cf-f214-4f80-88b5-f3acf6db91f0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>50689</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-6ce3f781-0276-464a-a738-f2d5b2f4b3ff"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>51200</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-5dd9011a-4b8e-436c-81b0-c763c6e829f1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>52224</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-ed8eb5dd-6688-4b7d-82cc-7ee23228fd61"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>53248</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-fc92a5be-9efb-4e97-b346-cfc41694fd47"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>53249</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-0f17dc1b-dc37-4347-814f-743b693de027"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>53608</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-8ddadd0e-7f42-479b-9302-a3242ef06384"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>53760</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-6a51dbc6-2057-4937-9bda-b59a7b75f055"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>53761</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-fc9d13f8-2b83-46f0-93e4-4723602ae018"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>54272</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-afc4e166-2691-402a-bc5c-dc42c3d6b8f1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>54784</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- PE file-header Time_Date_Stamp values, written in UTC (Z suffix), with no condition
     attribute. This header field is set when the binary is built and can be rewritten
     afterwards, so a match corroborates other evidence rather than identifying a sample. -->
<cybox:Observable id="mandiant:observable-1962f1db-579e-4c59-8f3d-542773d94685"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-01-15T03:30:11Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-66f036a9-7356-49ca-b6f0-704df83fa1d8"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-09-03T02:56:32Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-e46f8aa4-a6ea-4257-a62d-60cfbd9022db"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-03-22T12:59:55Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-b75540ac-8276-44cf-a3fe-1da07b7bda18"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-05-16T01:19:31Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-0f5dcb7e-02f5-47dc-8d06-8c502e0d0406"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-06-10T01:36:32Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-fbe2d37c-af39-4317-b873-41af01884128"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-06-14T03:38:58Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-c1c9cedb-d74c-4e26-8a39-c23acf1964ea"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-06-14T03:40:49Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-e4dde78b-599f-4f4d-9b9b-4516dac8e9ae"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-06-24T07:22:12Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-be04e251-82c5-4a90-9595-05502e582e13"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-09-22T09:11:41Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-08b62b93-be74-4584-9685-3c101322f569"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-09-22T09:15:45Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-59beae91-c2ad-4af2-b5b0-116528e7a41f"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-10-10T00:20:22Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-08742793-fe7c-45fb-97cf-80e84d63551e"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-10-10T14:16:57Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-3a0f2fe3-e881-4da3-a161-ffdd3ca0994f"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-10-31T03:15:21Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Observables that each carry a single PE file-header Time_Date_Stamp value. The value is read from the executable's own header, so it is only as trustworthy as the sample: the field can be rewritten after the file is built. NOTE(review): how these observables are combined into an indicator is not visible in this excerpt; treat a timestamp match on its own as a weak signal and confirm against the composition that references these ids. -->
<cybox:Observable id="mandiant:observable-9a6d698b-8794-41e7-a607-ee1ff3ab4834"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-11-03T02:43:11Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-f24539e2-dade-4bb8-9d8d-f11da6eafde4"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-11-03T03:38:17Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-e1f6f860-28a1-4f0b-82e1-b2dcf3e70a85"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-11-04T06:41:46Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-37b36018-0778-4cf6-b16c-7c5c47c030a9"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-11-04T06:50:05Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-2378a653-b5fd-46bb-b242-f945ed89d293"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-11-04T07:15:01Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-334ac7e0-1702-4cbd-a994-8709862b7b69"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-11-04T08:12:26Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-ea32adaf-4049-4a91-a41a-a87884304724"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-11-04T08:47:56Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-c4f3cffa-9df6-40d7-ace8-f9d1d8ba6ea7"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-11-04T09:38:23Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-99178fe8-bfad-46da-a4b5-8c48945fe9d3"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-12-09T19:29:48Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-b7107552-865c-4ed2-98c6-098c1dab40a9"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-12-30T18:48:59Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-6f49e9fa-76d0-414b-ab9d-39134e6a0390"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-01-09T19:15:34Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-7a25dc81-851e-4eb0-8abe-45d8358ab2bb"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-02-09T16:42:08Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-397a7b49-bb8e-4f1d-8184-83ac9d207398"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-05-30T23:59:47Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Observables that each carry a single MD5 file hash. An exact hash match identifies one specific file; a sample that has been modified or rebuilt will not match. MD5 is not collision resistant, so when a file matches, also record a stronger hash of that file for later correlation. -->
<cybox:Observable id="mandiant:observable-38822ca2-da3c-4227-98d4-99f6e5ff0ecb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b631a3d832f7c22c26554711188f59c3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-9d06abfc-7aa5-47de-94bd-6e7eed8b3e6f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>468ff2c12cffc7e5b2fe0ee6bb3b239e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-c6e06654-0679-41f6-a20e-ffbbbd7a1f16"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>24f1b8266f4faf550999581bf0edac83</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-248ed2af-7364-4aa6-b538-2aa921ce7853"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cb3c5c3f53ecb2cb656fb0f4b8de03f6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-21d16b13-0d58-49f0-b428-be6c85a0aab0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bf9aeefc53d97bb23d35d47986504cef</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-88f98414-fac5-4f39-ad01-4b53142fce0a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>25f240aed433c4ea52ccdb898e43756f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-fee95377-eb3f-4430-aa6e-7e2c8595e0f5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a510d0c9b7930abaa7aa6b0ac294e675</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-e33113ac-7c7e-4018-ba18-ae2f2bada74f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1e48f6ba839d2c4794e23c10e5c4c138</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-5f00eab4-7366-4e1c-9aa5-a4038ff5d922"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>727a6800991eead454e53e8af164a99c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-3b36e365-2e22-42a0-991a-b301bcd20167"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a807ad465b2fe5859c85626e97eaf907</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-bc4afa08-94a9-4396-b400-a5c4e48a690f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8e8622c393d7e832d39e620ead5d3b49</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-ab35a0d7-912c-450f-a408-10edba70b5a2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ef8e0fb20e7228c7492ccdc59d87c690</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-f70884aa-cefb-4118-b78a-ee530bb8b294"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>07ae235391f7b290ea3a35067239a290</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-4e11eed7-9abd-4d35-8444-16f8b63aafaa"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>10a38dd9598cc31efe664cfaa8f37bf1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Observables that each carry a single MD5 file hash. An exact hash match identifies one specific file; a sample that has been modified or rebuilt will not match. MD5 is not collision resistant, so when a file matches, also record a stronger hash of that file for later correlation. -->
<cybox:Observable id="mandiant:observable-c39460ba-79a3-4b47-b982-08979b03ac34"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>df4da15796910690b05e393561b86fa1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-0994c45a-1b81-4005-bf3f-2ce62953f5ad"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7d25a80fe2c42368adaea5fcbab866b6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-f1e2829e-a167-4def-ac7d-9e6376bb8955"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1809c3cc93332d7bc0799238519a2938</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-551ab1c8-62fd-48fa-9123-36c80aa8d42f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>db05df0498b59b42a8e493cf3c10c578</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-6a94f445-c25d-465a-ba30-ee38f2c7da9b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>abcaf816de63c632ec23d6bda3f02bb5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-e4e373d5-4db3-47fe-9bdd-f39df988efe8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4c6bddcca2695d6202df38708e14fc7e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-86ce26a5-3591-4cb9-b59a-824f50c23e73"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f0bab119faa296c680a10ba81693915e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-eb4a8a89-d8dc-415d-a71c-367ca9e73665"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1baa7f5813e259c6346d1b02a1370d75</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-ace22436-43cb-438e-981d-e3aaa5e769a4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>698fbe7ed1ddd7f5c76b86fad3f7a485</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-f5823e4c-44e5-4ac4-af09-cabc298dc45e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6ebbfa603aa4e90148ad0b726806c359</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-35be0a1d-546d-4caa-abaa-f865e7cb7ca1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>81ce61ed2dc567ce70589386563890ca</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-8dd03e58-b079-4e33-87e9-2d173383601c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e1b6940985a23e5639450f8391820655</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-2862b907-8108-45c2-96e8-5c67459fd3c3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bd402e910e03b70f00685d8b8be5093c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-ca0f64b1-91ed-4ee1-89f7-7a24ab485cd2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>35008d12dfa47447112495f430e4aefe</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-f52198ec-5b13-4898-8171-119098c6c52e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c65617a4eedb8e0369ef8fe58ce20a02</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-b125df15-52a2-4e2d-bc85-8e968f829b1d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d74b169e98dd16d0f3af0dc770dffac0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-29903d16-d5f1-408a-8d21-e76a6a4a8bf1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bd8b082b7711bc980252f988bb0ca936</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-67a6269e-6339-41af-ab77-6f9376989bb7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b3defdbd173738d44137f88a571647e1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-8353402f-e63a-414e-9ab9-7e86bc6a780f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f4f8067d501bfef385274912d2a833b5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Placeholder observable: its Properties element holds only comments, because the converter recorded the unsupported OpenIOC term as a commented-out PE_Attributes element. It therefore has no property to match on. The file header states that the original IOC is carried as the indicator's Test_Mechanism; look the untranslated term up there rather than relying on this observable. -->
<cybox:Observable id="mandiant:observable-3bfba55a-068d-4349-9451-b234bffc7752"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Observables that each carry a single File_Name value. NOTE(review): a bare file name is easy to change and may coincide with unrelated files; presumably each name is combined with other terms by a composition outside this excerpt. Verify that before alerting on a name alone. -->
<cybox:Observable id="mandiant:observable-fae77798-ac64-4a36-b045-e502e7d0907c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>rasauto16.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-18cafb49-fcb7-42a3-ac49-114471d6b60e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>AppMgmt32.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-4605d882-3903-4bc1-a435-54afb15ab622"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>rasauto32.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Two more placeholder observables with no converted properties (unsupported PE_Attributes term); see the original IOC in the Test_Mechanism. -->
<cybox:Observable id="mandiant:observable-88f71b56-0790-4c08-816a-a47899b19482"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-2214462b-7913-4b2d-abaa-1e14f74648ce"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Observable carrying one exported function name from a Windows executable's export table. -->
<cybox:Observable id="mandiant:observable-65db8863-394f-45b0-895a-f19d82aba765"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>UnServiceInstall</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Observables that each carry a single File_Name value. svchost.exe, ctfmon.exe and WINLOGON.EXE are also the names of standard Windows components, so a name match by itself says nothing about compromise. NOTE(review): presumably these are combined with size, hash or timestamp terms by a composition outside this excerpt; confirm before using any of them as a standalone detection. -->
<cybox:Observable id="mandiant:observable-3c3c3dbf-ef47-44cb-a0c3-94e86cb46a0c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>Nwsapagent.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-787c0145-fc03-49cf-93eb-243b13b48a0a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>irmon32.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-0fb08469-f6f1-4c66-bc67-31c76b0aedeb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>svc.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-063a8a6d-1c5f-4983-9dd6-789073a28d67"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>ctfmon.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-45f8cb0e-7cad-454a-99f7-b5f40436f434"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>Update.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-ab0dccc5-2ab2-4a0f-815b-90e8c29f64dc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>svchost.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-e2170e8e-0437-47cf-aac5-1fd90bdeb953"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>WINLOGON.EXE</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Three more placeholder observables with no converted properties (unsupported PE_Attributes term); see the original IOC in the Test_Mechanism. -->
<cybox:Observable id="mandiant:observable-beebab22-445f-4d29-bd65-98847863c5c0"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-bf2c5c0f-2416-469a-abd8-d5168ce018b9"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-35b9f095-5f44-4686-a19d-1f5ec89825e8"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Observables that each carry a single exact Size_In_Bytes value. A file size narrows candidates but is shared by many unrelated files; NOTE(review): presumably used only together with other terms, which is not visible in this excerpt. -->
<cybox:Observable id="mandiant:observable-49065513-2cbe-4139-8f2f-522859593006"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>102912</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-f5cd2c03-bf5a-4d91-a2d5-9425564c7ad0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>598528</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-24f98694-f3b6-48f0-b57e-f04c3c394b5e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>642048</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-93a582c6-5653-44fd-85d2-840a546a9c1e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>645632</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-08b90e51-8472-48f8-bf2a-8c5b01a811a0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>647168</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-618986ce-43a1-4f77-a639-f6812b90d059"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>647680</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-4b2254df-ca35-47b7-a1d6-e445d2d3983a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>668672</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-24d450aa-0ed1-423c-8b04-f7354ececee2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>725504</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-3de7fcdd-2468-4fc1-849c-19422b0fb610"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>754176</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-7df638f2-2b8f-42cd-8302-87f1015b59af"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>762880</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-c888b9dc-cd7f-466b-8e57-a61d3b9b973e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>764416</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-7e6234ce-83d1-4d60-a5e9-013cdd61e3db"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>769024</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-b43f1e82-aa52-4c9a-913c-de8f16a355b8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>769040</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-ec6dce46-94ef-4960-95d8-ac52fd27f0c4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>778120</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-e21bb7d2-fd72-4e9f-889f-3d77034ae2a4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>779264</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Observables that each carry a single PE file-header Time_Date_Stamp value. The value is read from the executable's own header, so it is only as trustworthy as the sample: the field can be rewritten after the file is built. NOTE(review): treat a timestamp match on its own as a weak signal and confirm against the composition that references these ids, which is outside this excerpt. -->
<cybox:Observable id="mandiant:observable-793c3646-6a5b-4bf4-8988-1229253dd0ae"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-08-03T09:30:49Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-3f9a64d4-b613-4e74-8663-dc926488f9bf"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-12-08T02:58:21Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-3d1e2fca-0041-4e36-89b3-7e72109a341b"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-02-03T08:22:33Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-a6d215a3-c982-470d-955f-a46809f11be4"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-02-09T08:29:43Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-30e82aa9-a0d5-469f-88a5-14b1106f15b9"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-04-20T03:39:27Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-a261b463-e03d-405c-9260-6cd5de908afb"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-05-25T02:50:41Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-242ea7d1-556b-4a56-ae9e-944b933fc3c0"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-06-22T14:06:54Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-3f6ecafc-9fc9-437a-9edb-d9d1b0d7b23c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-10-24T13:19:49Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-99c32c9c-63c1-490f-9547-c10c2d2d8e46"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-10-25T07:31:08Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-facc86c9-b8bf-4440-aed7-37d672b86e85"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-10-25T09:51:31Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-a0a57eb6-d65b-49e1-9335-bfd351967120"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-11-18T12:26:06Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c23e845f-0bc4-4c46-a5bf-918ba7e1d89d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-12-17T03:39:52Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-80a250a7-45f0-4906-8d3d-07740940cde3"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-01-11T03:22:02Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bbb0c823-f06d-40e6-adfb-f7777daaaf65"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-10-19T09:16:10Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-730da6e4-d34c-4bfd-9737-eed179ad750f"> <cybox:Object> <cybox:Properties 
xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-10-19T09:19:09Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Time_Date_Stamp terms carry the timestamp stored in the PE file header. That field is written at build time and can be set to any value, so a timestamp match is supporting evidence only and should be evaluated with the other terms of the same indicator. -->
<cybox:Observable id="mandiant:observable-caca04e0-13a4-4da0-a13d-32bb8f0f5886"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-11-07T14:59:20Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- The next observable has no properties: the converter dropped the OpenIOC PE term it could not translate (see its own comment inside). The original condition survives only in the OpenIOC Test_Mechanism of the indicator, so consumers should read the term from there and should not evaluate this empty observable as a match term. -->
<cybox:Observable id="mandiant:observable-c5f4875f-bd83-4f49-8f91-a35c9f37d078"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Negated terms follow (condition="DoesNotEqual" / "DoesNotContain"). They are exclusions: rasauto.dll and the System Volume Information path are what the indicator rules OUT, not what it looks for. NOTE(review): presumably they are combined with positive terms by a composition outside this excerpt; loading them as standalone file-name or path indicators would invert their meaning. -->
<cybox:Observable id="mandiant:observable-21f4ecd5-0708-41d2-ab8e-584ccf623aab"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name condition="DoesNotEqual">rasauto.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-2d2ac7c3-8b41-4ae4-b423-aa23f82f08da"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="DoesNotContain">System Volume Information</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- The Digital_Signature term below states only that the signature is not verified (signature_verified="false"). On its own that describes every unsigned or unverifiable executable, so it is a filter for the surrounding terms rather than an indicator by itself. -->
<cybox:Observable id="mandiant:observable-61a178f2-df41-4921-83ae-a0dff5d58a03"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Digital_Signature 
signature_verified="false"/> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- The next three observables are empty: each held an OpenIOC PE term the converter could not translate. Read the original term from the OpenIOC Test_Mechanism of the indicator; an empty observable constrains nothing and should not be evaluated. -->
<cybox:Observable id="mandiant:observable-a4f42eea-f620-43bc-bf44-1124dfbf725a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-35026c99-16ff-4f99-9e10-d711c69b46e4"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-88212ea8-b9c0-436e-bcdf-bf0559c16570"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Negated term (condition="DoesNotEqual"): mc_dll.dll is a name the indicator excludes, not one it searches for. -->
<cybox:Observable id="mandiant:observable-b266e711-b366-4beb-ac83-7e664f1da2fb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name condition="DoesNotEqual">mc_dll.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Service terms: Service_Name is negated (DoesNotEqual rasauto) and the observable after it carries a service description string. NOTE(review): that string appears to be the stock description of the Windows Remote Access Auto Connection Manager (rasauto) service, so the pair presumably flags a service that reuses the description under another name. Confirm against the composition of the indicator; matched alone, the description will hit the legitimate service. -->
<cybox:Observable id="mandiant:observable-3bbbe3e2-7eda-44f1-b673-218d8fa55d3a"> <cybox:Object> <cybox:Properties xsi:type="WinServiceObj:WindowsServiceObjectType"> <WinServiceObj:Service_Name condition="DoesNotEqual">rasauto</WinServiceObj:Service_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-2db75f0e-3170-4717-88dd-8448d6e3d8ee"> <cybox:Object> <cybox:Properties xsi:type="WinServiceObj:WindowsServiceObjectType"> <WinServiceObj:Description_List> 
<WinServiceObj:Description>Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.</WinServiceObj:Description> </WinServiceObj:Description_List> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- NOTE(review): the description string in the observable that closes above appears to be the stock text of the Windows rasauto service. It identifies nothing malicious by itself and is meaningful only next to the negated Service_Name term that precedes it in the file. -->
<!-- Registry terms. The two Name values below have no condition attribute; NOTE(review): confirm how the consuming tool treats a property without a condition before using them as patterns. -->
<cybox:Observable id="mandiant:observable-e74c0a3f-fce3-4866-aa0b-b94692611fbe"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Name>dwLowDateTime</WinRegistryKeyObj:Name> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-43ad4215-c7a6-47c4-882e-1bee62dce3ea"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Name>dwHighDateTime</WinRegistryKeyObj:Name> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Key terms use condition="Contains" against the SOFTWARE hive. The substring "Microsoft\Time" is fairly specific; the bare substring "Time" in the observable after it is broad and will match many unrelated keys unless it is evaluated together with the value-name terms above. -->
<cybox:Observable id="mandiant:observable-1c29f192-3c04-4460-aeda-eba1d2eae6c1"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key condition="Contains">Microsoft\Time</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>SOFTWARE</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-38fae862-37c4-4477-94dd-7ca59e25b702"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key condition="Contains">Time</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>SOFTWARE</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-f6077161-29f9-49ef-b1a4-069cc33a5e36"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key 
condition="Contains">uinux</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>SOFTWARE</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6e52337f-5ba6-44fd-a718-62c7cfa21ad5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name condition="DoesNotContain">cmd.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d5f12020-699e-43e9-b6c1-28da1e548ba2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="DoesNotContain">System Volume Information</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-78463e6d-3b49-4c81-b2de-7c1e77ef59d1"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Type>Executable</WinExecutableFileObj:Type> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-28f31a01-8a90-4275-ab21-d7f62f100f02"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-aa13179f-7b1e-42c7-b912-0fcbb536904e"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-72fa8a43-78fa-458a-928a-d98a15b679ce"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this 
portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c2bc3a01-41b1-4324-b590-557d520c679e"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2501d25c-ae2c-459b-85ad-029eeae0b993"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>mdm.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9351f32d-0b46-4ec7-b65c-6ac7df141582"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>ati.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-88e8261b-0f4c-4736-a653-e752453546d9"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5599fa3d-945a-4bf8-bef2-68fbc7c205be"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-402db31f-c82c-443f-9d3a-a797e77ffd10"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> 
<!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Empty observable: the OpenIOC PE term was not translated by the converter. Read the original term from the OpenIOC Test_Mechanism of the indicator. -->
<cybox:Observable id="mandiant:observable-10c51bbc-aab0-4143-8fb0-91b27a2688e9"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- File hash terms start here; every hash in this run is typed MD5. A hash identifies one exact file, so any rebuilt or repacked sample will not match, and MD5 is not collision-resistant. Treat a hit as a lead to confirm with the other terms of the indicator and, where a sample is available, with a stronger digest computed locally; treat a miss as no evidence of absence. -->
<cybox:Observable id="mandiant:observable-2cd52238-d7d3-408a-ba09-a63a95ae160e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1ce4605e771a04e375e0d1083f183e8e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-0b7a4f20-da90-4af7-8f9d-7c0c44e889c9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ba0c4d3dbf07d407211b5828405a9b91</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-a616730f-e5e6-4978-afc5-cf787245c676"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>55fb1409170c91740359d1d96364f17b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-f8242e9c-fd45-4f9e-bb97-f46b70f9bdef"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>36c0d3f109aede4d76b05431f8a64f9e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-73b8ab0a-ee16-4f76-8e25-bf5c03d24ed9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2bdc196cdac4478ae325c94bab433732</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e8b51a63-4891-45e3-9d89-f41659e80034"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e54ce5f0112c9fdfe86db17e85a5e2c5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-05135d31-a7a2-48f5-a611-78659f78fed1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e83f60fb0e0396ea309faf0aed64e53f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-18ca68c7-0226-4e7e-a390-cfea1954abe1"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-02-05T07:14:01Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b4835458-5f6d-43c1-871f-3ee59a1dfa74"> 
<cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>17408</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Size_In_Bytes terms give an exact file size with no other property. Size alone matches many unrelated files and is useful only as a filter next to the hash, name or timestamp terms of the same indicator. -->
<cybox:Observable id="mandiant:observable-aba45806-0d84-43e9-a0a5-4dc2cfb8d1de"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>20480</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- File_Name terms below carry no path. NOTE(review): reader_sl.exe and wuauclt.exe are also the names of legitimate binaries (Adobe Reader Speed Launcher and the Windows Update client, as far as is known), so a name hit needs the size, hash or timestamp terms of the indicator, and ideally the file location, before it is treated as a finding. -->
<cybox:Observable id="mandiant:observable-68c33374-5541-4c3f-9504-35688581fba7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>reader_sl.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-f34f5cc3-6bf6-42c6-9717-3b1534689dca"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>wuauclt.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Empty observable: the OpenIOC PE term was not translated by the converter. Read the original term from the OpenIOC Test_Mechanism of the indicator. -->
<cybox:Observable id="mandiant:observable-c722f004-cc1e-41e4-9a42-50a91ca3ee13"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Process handle terms: the handle type (Mutant, the Windows mutex object type) and the handle name (ADR32) are emitted as two separate observables. The type term alone matches any process that holds a mutex. NOTE(review): presumably both describe one named mutex in the source IOC; verify against the OpenIOC Test_Mechanism and evaluate them together. -->
<cybox:Observable id="mandiant:observable-77f453bc-6e1d-4702-87e0-bfcf737cfae2"> <cybox:Object> <cybox:Properties xsi:type="WinProcessObj:WindowsProcessObjectType"> <WinProcessObj:Handle_List> <WinHandleObj:Handle> <WinHandleObj:Type>Mutant</WinHandleObj:Type> </WinHandleObj:Handle> </WinProcessObj:Handle_List> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-5523678d-401c-4b68-aadc-180bca8a43ea"> <cybox:Object> <cybox:Properties xsi:type="WinProcessObj:WindowsProcessObjectType"> <WinProcessObj:Handle_List> <WinHandleObj:Handle> <WinHandleObj:Name>ADR32</WinHandleObj:Name> </WinHandleObj:Handle> </WinProcessObj:Handle_List> 
</cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-40d39716-f0bb-4360-a1f7-4c487a544e52"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ab00b38179851c8aa3f9bc80ed7baa23</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-db0b3904-e4ce-4ba7-b78a-997dfc7294ad"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8dc3561ca52bfe40089f3ee0af7fdd9d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4e906014-3f3f-4195-a4d7-9692af02c769"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>05cc052686fbdf25fb610c1fe120195f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f68e07c1-84f1-4adb-993b-e30623d2b0a2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>76f6c7301dbf0219eae991d65804292a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-baea7191-c99c-41cb-b77a-9613e0862c4d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> 
<!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9691e34e-db47-43c8-a10c-9fca493c2f08"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>ersvc.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ab0da8b0-a378-49b0-8988-ac306a0e300d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>7168</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-692dd347-aa8a-4c5e-ae11-992ab92c25bd"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-07-20T08:33:01Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-58675ee5-ecfd-4f82-8141-852229abc057"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-429aca10-0269-475e-83fc-178768f88cd1"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>Mcdl</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> 
<cybox:Observable id="mandiant:observable-197c2433-0ff1-4e12-8523-552090491d32"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>ProceA</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7a2fdbf8-7995-441a-95f5-3aed2db1e4ed"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name>ServiceMain</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-29888eb8-ce8e-4548-bdca-7e6bbc145a7e"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-16859489-bf90-4c44-b6f1-1146258871c2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>775459afc5415984dfa2a0f533011763</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f1053374-a3b6-41c1-bbd0-e9b9e92b5a97"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>17f6602f1c507b006b9d09eedcde0096</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-516c2663-5851-4c26-aba0-46d0dc1753e2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6eb99bed5b5fcb3fdb26f37aff2c9adb</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2bcaef53-b39e-4a60-8a68-bb8a187f5348"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>eb0c8b05ee6a4334f45968cf45656597</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-52374985-61b0-488c-8604-81041f214bda"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f9ed623f13481da16a97aeacdca646dc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bc9243b2-205d-4b7b-8a5d-1b2eadb493db"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a34234a27157851300d9b698f6c56d9a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-4f414936-b5f0-48cf-a86d-64f25490e994"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>830e5cd6d590aa65dd3e2c1a01b42259</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a6e92acd-e501-4fcf-97fa-70279caf4281"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>46817cabd6618d2126067430a78f06a3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1fce39bd-9034-48b0-9c5a-f4014b288fc6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>06598b0490133815541c5ac023623e82</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d799b3b2-65f7-475c-ac3a-2de5848bda51"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>123505024f9e5ff74cb6aa67d7fcc392</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f5dcbb05-92dc-49db-a75b-30147a473fde"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>03ae71eba61af2d497e226da3954f3af</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-505a3b18-1ccb-4053-b97d-73098706731d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0b506c6dde8d07f9eeb82fd01a6f97d4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8c43952d-d204-466b-9245-afcd5aa28a78"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4a54d7878d4170c3d4e3c3606365c42c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-366e97fa-a5e0-48c1-b7e1-5b52287ee306"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d9fb6620e4402764bbf2088de02898ca</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-06d1a19f-dda5-47b8-85f2-7b12e29bcbb5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>61daab56e07dfa3a236d8aec9eb80545</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-62cf077f-d030-4137-aae3-09816bf2ef61"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>50a3aaaebae6cee7ecb150ac395276b9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c1c28821-0670-4e5c-8c20-c66b047fb24a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>41d623c1de3b0d182c51e56b2a3f3fba</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f8125fae-93dd-4c74-90b9-a4ed878bf0a3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a1468ce16f2d17979cc1a61878c1c8c6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-82ab7c92-d254-489e-9163-1610b73fa4b5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a6725f263daf3e94adc3668751b909d0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6778068c-cbcc-425d-a972-e06417e8cfe8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b6f2f483e03b9399f055a1ba5e0713a4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4a7bd981-b6ca-408b-b494-990fad2395a4"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8934aeed5d213fe29e858eee616a6ec7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-abc6ce39-f145-4e87-b66a-bcf43f549543"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fdef1329ae626656c8389f82c4f9ad38</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-31e7a16d-16ae-4cf9-b009-488616960e6b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a6117891e42ee7db36253b57839c8b8f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-466c38cb-fb4e-4ba7-b240-9669f18e5a69"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a2feee5e0ac3f825d4b7de7e0b95bb1f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c31874e1-7a11-4880-ab82-06d1caabc127"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4f763b07a7b8a80f1f9408e590f79532</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-40ed1d0d-d8ce-424b-a0cc-12a91e967667"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ca327bc83fbe38b3689cd1a5505dfc33</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f677abab-b01b-4fce-b816-ae445a06f3cf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2976a62c2a829a153a9b0b5f433bdc77</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1f03140b-a1ba-404d-87da-dc056f38b2c2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cb15768a3e5c86d22289dcefec56d8a2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ee46fcd4-3db7-43d9-982e-c1f355cb8a2d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>05bc8309b93676087d5fb0b58ad5e9d8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3e11f44a-a281-402e-94fa-2c5b5e11afc8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ec63f49236858c85168da81c1ac7802a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-105ba0b5-98ff-4ec0-9924-8e2d9aea9ae5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6bf9083f1567edce004bd1f7c456659d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ff34011f-82fc-4724-a777-72dcb9b71669"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0c5858f293aed44ea00eb9e0019609df</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6df46401-4584-4a71-80e7-a4bfae13af47"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3107de21e480ab1f2d67725f419b28d0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dbe6656d-7fb5-4eb6-8af4-55090729346d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ce003a75c85627cbc7e6eb39beff0722</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4922ceda-a600-4d77-b0fb-da22546dfbf1"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time 
--> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0e5cade4-6142-45f8-9352-e6b2135ef855"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>toobu.ini</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9c48ccf0-88cb-4deb-b6c9-6bcbd9b5cfce"> <cybox:Object> <cybox:Properties xsi:type="WinProcessObj:WindowsProcessObjectType"> <WinProcessObj:Handle_List> <WinHandleObj:Handle> <WinHandleObj:Name condition="Contains">pipe\ssnp</WinHandleObj:Name> </WinHandleObj:Handle> </WinProcessObj:Handle_List> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-27f96c28-2b32-4fde-a6fc-83c70c8cb85f"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b659bc12-8ce3-4bb4-b860-ff1ac8481f1b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>cb.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-06f2180a-cd95-4b07-a11f-1505119796ce"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>ccapp.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3dfadc75-39ee-4caa-bf0f-419bc2cba91e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>CONIME.EXE</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4f3c9762-9c28-4c44-a5a1-100451d94db8"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>ccapp1.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d900959c-d0a2-4b9e-bd52-dc37a15b0384"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>igfxpers.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-458e871a-f71f-4951-9913-6ddd05d05187"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>1.jpg</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-09378fd1-d8c0-4776-979b-5bd9edf3c4ee"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>Reader_sl.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-037141d8-7bf5-49f6-bcbb-593c95a93afa"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>adobeupdater.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6bc51ce5-9ffc-45c4-9ace-434e971d01af"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>hkcm.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4b572912-d252-459a-a96b-c3831577f5a1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>Launcher.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-664d4ff1-4b8b-4b8a-b1e2-984468b91124"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>taskhost.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-b9f5122c-69f7-476c-92c8-98f938680b24"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>apoint.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- File_Name observables (apoint.exe above, then igfxper.exe, MFEVPS.EXE, QTTask.exe).
     Each gives only a bare file name: no path, no hash, no condition attribute.
     Some of these names match or closely imitate file names of legitimate software,
     so a name match alone is a weak signal and prone to false positives.
     NOTE(review): the indicator that combines these observables with other terms
     is not visible in this part of the file; evaluate them in that context. -->
<cybox:Observable id="mandiant:observable-c4a48724-3122-4808-9d81-5aec50f4f353"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>igfxper.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e6f1a8e1-9e63-4b79-adce-632afe00b852"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>MFEVPS.EXE</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-be895f16-33ac-43bd-bf12-27ec9bf99bce"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>QTTask.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- The next two observables have a Properties element that holds nothing but
     generator comments: the OpenIOC PE term was dropped by the converter, so they
     express no constraint at all. Do not evaluate them as patterns. The file header
     states that the original OpenIOC is kept as the indicator's Test_Mechanism;
     use that for the full definition. -->
<cybox:Observable id="mandiant:observable-b21afd11-b416-44b4-abb9-c23227c3849d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5c21d3cf-36df-4aad-aadd-025251e3afc5"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Exact file size in bytes. A size identifies nothing by itself; it only
     narrows a match when combined with the other terms of its indicator. -->
<cybox:Observable id="mandiant:observable-30d502b3-8ff5-4b49-b914-41cfdeb3e33d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>174116</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- File-size observables (Size_In_Bytes). The first two give one exact size each.
     A size is not distinctive by itself; treat it as one term of its indicator. -->
<cybox:Observable id="mandiant:observable-bda0241d-f41b-4732-87eb-212ee38f4d4c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>182820</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b33d4d1a-36fb-4a78-b30b-c90144b27fff"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>190500</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- condition="InclusiveBetween" carries both bounds in a single value, separated by
     the CybOX list delimiter ##comma##. The next two observables therefore mean
     191000 to 191700 bytes and 192000 to 192700 bytes, both ends included.
     A consumer has to split on ##comma## before parsing the numbers; treating the
     whole string as one integer fails or silently never matches. -->
<cybox:Observable id="mandiant:observable-47c15c0a-2e85-4a51-9cd7-8e5c7e090c13"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes condition="InclusiveBetween">191000##comma##191700</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-88c052a4-aeca-4bbe-910f-4a4e985b19c1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes condition="InclusiveBetween">192000##comma##192700</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Time_Date_Stamp sits under Headers/File_Header, i.e. it is the timestamp field
     of the PE file header, written here as a UTC xs:dateTime. The value is put into
     the file by whoever builds it and can be set to anything, so a match is
     supporting evidence for a known sample, not proof of origin or build date. -->
<cybox:Observable id="mandiant:observable-9fdf7436-dcfc-44e6-9682-ede1a904a8d6"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-10-19T01:22:35Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9f8e1195-cfd8-4758-a0ab-0662f8a25153"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-10-19T01:22:45Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header>
</WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9efb7d6a-9e86-4e8a-a7fa-3506bddcb11f"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-11-15T11:11:50Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cec0f07a-1b8a-4808-a01a-30831ec6f1b9"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-12-08T00:52:06Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0afb9eab-d49c-4d0e-a92c-22c3c2fe68fd"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-12-12T03:28:15Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1805fcba-aa2c-4ba3-8af3-799ef76ef233"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-03-12T08:19:34Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-e673611e-0a91-4ee6-b1f2-e050786b86b1"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp condition="InclusiveBetween">2012-03-16T09:00:00Z##comma##2012-03-16T10:00:00Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8f20a71d-fdc8-4c62-8653-2d5a47b47538"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-03-19T13:43:05Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-860cd4de-858f-4377-a0f1-5547528449b2"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-03-20T09:24:33Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c1cee7fc-1445-4b83-aa8a-a4fe201242be"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-03-22T08:45:38Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fe64f26b-93c6-47d5-b07c-53e80dda5d71"> 
<cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp condition="InclusiveBetween">2012-03-29T03:00:00Z##comma##2012-03-29T16:00:00Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f2291c9a-18a2-462e-bce3-647ec6553c33"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-05-17T02:43:28Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ddfdb883-32b5-4291-a2c8-a56f4591d23c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-05-29T14:39:47Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-741c5c64-4c0d-4a88-9094-dc0fbeb83b52"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-07-25T15:01:13Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-25aec029-7e15-4c9c-8292-cea5e05b811d"> <cybox:Object> <cybox:Properties 
xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-08-01T04:03:07Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cc257cdc-fdfe-45ba-b86a-14ebf3372169"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>ws2_32.dll:0073</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cd2333fb-5078-4da7-ae4d-89245496790b"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>ws2_32.dll:000c</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e3cb60ae-ea22-4747-a006-713e432bcb61"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>ws2_32.dll:000b</WinExecutableFileObj:Function_Name> 
</WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-635fd8ae-d31f-4df1-8150-7f05d92bf25c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>ws2_32.dll:0039</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c5aeccc1-a893-433c-abb9-7614e0db2ca0"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>ws2_32.dll:0034</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ce72d543-62fc-42f2-ad7f-66af65afe283"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>ws2_32.dll:006f</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> 
</cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Imported-function observables: one Function_Name per observable.
     The names are written all in lower case (urldownloadtofilea,
     deleteurlcacheentry, httpaddrequestheadersa), whereas the Windows API names
     are mixed case (for example URLDownloadToFileA, HttpAddRequestHeadersA), so
     compare case-insensitively or the term will not match a real import table.
     The Import elements give no library name, only the function.
     These are ordinary HTTP and download APIs that benign programs import as well;
     a single one is meaningful only as a term of its indicator.
     NOTE(review): the indicator composition is not visible in this part of the file. -->
<cybox:Observable id="mandiant:observable-bd4632c6-db72-43f7-b310-528a092f1c2c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>urldownloadtofilea</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a286532e-fc8e-4536-bd96-2a40f71f214c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>deleteurlcacheentry</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fbebb317-e18c-4200-b0bd-2053a37a05f5"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>httpaddrequestheadersa</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9d09ab31-9629-4ee8-ba2d-95a4005c36f7">
<cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>internetwritefile</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8a8f3581-1eb8-4ccf-a10b-08713124835c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>internetreadfile</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f3a7a07d-0cc9-4283-92b7-18fd91ea48ee"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>httpsendrequesta</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fd7efdda-4cc9-472d-b5c9-d1630c9699ee"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> 
<WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>lookupaccountsida</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bea2fd16-a0c1-4172-bfd1-d9eb4ac5bfce"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>gettokeninformation</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7a1efd44-7c2c-465f-bcc3-683cbce315fa"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>createprocessa</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-afa87e92-cfe2-42b9-9287-e5c555a4252c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> 
<WinExecutableFileObj:Function_Name>peeknamedpipe</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a548aa9a-a6d2-40bf-9f59-7757252a18d5"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>createpipe</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bfbb6695-1a79-45d8-963a-4b586550f7c8"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>connectnamedpipe</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9193beaa-8f85-4dc9-aac8-530a8fa438d0"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>disconnectnamedpipe</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> 
</WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-59a72444-46ab-4760-847f-a88b883079c5"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2c1d1562-23b0-48fe-89db-70d82bb6eaa0"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-93ad3a5e-5c01-44c8-b126-e3aa33fe9b50"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c1fed046-0101-4913-bdaf-14b9bc0a18c0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4788960e489197f2633f581607eb0d26</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-18371776-be36-4164-9809-dca4f6e2c54d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2ef062fa86537db34f5907a9775664a1</cyboxCommon:Simple_Hash_Value> 
</cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- MD5 hash observable. The hash matches only byte-identical copies of one file,
     so a rebuilt or repacked sample yields a different value and is missed.
     MD5 is not collision-resistant: use the value to find known samples, not as
     evidence that a file with a different or equal hash is benign. -->
<cybox:Observable id="mandiant:observable-127e0155-59b1-4b54-b0df-b67ed488ef43"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2e86a9862257a0cf723ceef3868a1a12</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Bare file names (exploie.exe, r.exe, Browser.exe) with no path, hash or
     condition attribute. Short or generic names such as these can also occur on
     clean systems, so a name match alone is a weak signal. The fourth observable
     below has an empty Properties element (the converter dropped its OpenIOC PE
     term) and expresses no constraint. -->
<cybox:Observable id="mandiant:observable-b249bc1e-558b-49a1-bcd1-38fc1192184b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>exploie.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dff39bfc-3520-4194-aed5-d7d8b11da95c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>r.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4b8894ae-6f5c-44a2-8f3a-4d7f377e58df"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>Browser.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a4f7fb70-3852-4bda-86d7-9db0762ed860"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- condition="Contains" makes this a substring test: every file name that
     contains bits.exe matches, including longer names that merely end in it.
     Expect more hits than from the exact names above and review them in context. -->
<cybox:Observable id="mandiant:observable-0e2cf034-f439-4f8f-bd26-67cd8b6924a7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name condition="Contains">bits.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-40442ba4-c8d9-4f56-a6d4-02f9a9eb759a">
<cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>378880</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-47632f04-cf80-4a3a-9be3-49c51737e3a6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>40960</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ff91f6cd-9224-4140-b63d-725395bc302e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>536576</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-79d239c8-9a87-425b-b1e3-885478cb491b"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-03-15T06:26:41Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2918bf8e-de76-4c40-8223-b3bf5d23c015"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-03-16T01:08:00Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c36388b0-1c9d-4b3b-a214-1e834424e038"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-03-28T09:23:35Z</WinExecutableFileObj:Time_Date_Stamp> 
</WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-88c41ccf-ba5a-4481-8734-846a2fca9bfc"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Resources> <WinExecutableFileObj:Resource> <WinExecutableFileObj:Type>Other</WinExecutableFileObj:Type> </WinExecutableFileObj:Resource> </WinExecutableFileObj:Resources> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dba8c03c-9da0-46d4-a96a-0a29688f0209"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Resources> <WinExecutableFileObj:Resource> <WinExecutableFileObj:Type>Other</WinExecutableFileObj:Type> </WinExecutableFileObj:Resource> </WinExecutableFileObj:Resources> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c5b93855-5f9d-4975-b2a8-12434713e2ad"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Resources> <WinExecutableFileObj:Resource> <WinExecutableFileObj:Type>Other</WinExecutableFileObj:Type> </WinExecutableFileObj:Resource> </WinExecutableFileObj:Resources> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bf64add6-84fa-4a61-a5a2-7ee57b93ab9d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9b6f7ee3-75b9-4435-80c5-fd3f391c9517"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support 
this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-16e5ee37-c58b-434c-81f5-b005f925cfe4"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b43b3b1a-3b9d-4465-a8b2-0b5359c82349"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-778bb896-fd5b-4295-9a2e-261da6d7afcf"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a305bcbd-6530-4eb0-ab76-617b0d6f3ff4"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e327513f-e356-4eb4-afbf-e083252cdf76"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-cb3bd9c5-6c66-4dc2-8b83-6a39397453c4"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Reviewer note: the next two observables are negated terms (condition DoesNotEqual on File_Name, DoesNotContain on File_Path). Taken alone each matches nearly every file on a host, so they are only meaningful as exclusions inside the composite that references them, which is outside this excerpt. Check that the consuming tool evaluates the condition attribute; a tool that ignores it would read firefox.exe as a name to alert on. --> <cybox:Observable id="mandiant:observable-99f56bf0-7902-4e5b-8b41-768a5dfd2b96"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name condition="DoesNotEqual">firefox.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1675c825-73c8-4ee5-962f-0911c5716311"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="DoesNotContain">System Volume Information</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-55c75143-4726-4a55-b7b0-4bdaa6a5234c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6ac300d9-0910-4af2-9aab-8fdbb03a2338"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1309e5fc-7e4c-4534-a3b7-654a3a79b755"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> 
</cybox:Observable> <cybox:Observable id="mandiant:observable-44ddd4b4-88f2-435c-95b9-f0f1d774820d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8a67f354-3481-40ee-b535-17e89368cedc"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b5984919-de73-4b2e-8044-c0faf89cd84c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bfe936f9-c6f7-415e-a773-e2aa7cfeb67b"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8411b4d0-4ca9-433a-a228-ffc55021b8a6"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cb224b30-fe35-45a3-9d61-2c47447faefd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> 
<FileObj:File_Name condition="DoesNotEqual">explorer.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-79b250fb-f337-4fe4-a1fd-0f14db527123"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="DoesNotContain">System Volume Information</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Reviewer note: the hash observables that start here give MD5 only. An MD5 match identifies a known sample, but a miss says nothing about a rebuilt or repacked variant, and no second digest is provided in this excerpt for cross-checking. Compare the values case-insensitively as 32 hexadecimal characters. --> <cybox:Observable id="mandiant:observable-dce5008b-b485-4a58-bbee-01b83de1a67f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a4143ade719c2222d8602819a3e212ae</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-88aabd0a-db00-458e-b465-2338d382b4db"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ea3155748f9788b741b6799691250579</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-43bffb9e-802b-42b0-8aec-93e785a90b0a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9ea3c16194ce354c244c1b74c46cd92e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-76cca676-a146-452d-9d1b-75aa4f16d973"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ca6fe7a1315af5afeac2961460a80569</cyboxCommon:Simple_Hash_Value> 
</cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-12b8eecb-ea79-4762-a8b2-55daa5d84cb9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1f2eb7b090018d975e6d9b40868c94ca</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3b3d360f-e462-4b05-934f-48837101f16e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ae1dda87cc5998de79ecb68527bbd191</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e829d5aa-4c8a-4993-8418-f7b26962eb9b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2ba0d0083976a5c1e3315413cdcffcd2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0589fdff-fa2f-47ca-af83-408d25e2bfc3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cc0b9bf4ea738d63f06bfe411460412b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-703f60a3-3734-42db-9e5b-f25a390834f3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>ab445da3ee4e81a84d644476f669d35c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3dffcf7e-4b32-4fab-8720-3d4ca21e8676"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>411d770b2939e968c692dbdd3116e179</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-da151c43-42bc-400a-95cb-a4794e40ea72"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>65018cd542145a3792ba09985734c12a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ccee62c8-935e-49b1-b0f5-a68ea17afa36"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>df5c89d49ef8997c9b5abd8f808298c8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-83d97026-3661-4ce7-8573-b9f13087aeae"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2a84b88c4a2ce0fb6227f7990f465737</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dcf4fafc-8b52-419a-a869-2dc3881b57dd"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8442ae37b91f279a9f06de4c60b286a3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b9964cd0-9159-4154-ad12-6ea8b82b1919"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>531a3b0acd95f55c3a7418d31f741357</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0113078d-92fe-4021-b8ea-b2b2e6d0927d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>650a6fca433ee243391e4b4c11f09438</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-71b716af-666c-4cc7-8fce-414087ce13a8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>08d7679a9c806a2f7d2be26fe9b425ee</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1efc4f2d-b353-4948-9853-f4af01dba154"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d1a18c7de189170c588e7128ec3f8453</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-7c788a3c-9802-4ace-b74a-872fa6ce475d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>34cebbb4d35a66a7a7fb1ce857c195c9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e7f6fa54-6551-4051-b6fc-1b99965c7283"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8b75bcbff174c25a0161f30758509a44</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-05a23b2f-632d-4638-9fd7-129c22b72d59"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7be6c90facbfe9ecf470fb27e6673fbc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c4d55888-aace-43e6-963b-6bff9527651a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>00f24328b282b28bc39960d55603e380</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6b69e8d9-e8c9-4641-a741-0aecd4797889"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>494fca685834f3158d133f6b09cbb507</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9511e823-4a36-4c98-b969-be8a18cafd33"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b07322743778b5868475dbe66eedac4f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c7d207b0-efe6-4d1f-91de-6a5ad84c01dd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>61e0da42d5d084af24d31fbcef4ff409</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ec6f2fac-7da0-4088-97b3-df78073105c6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e65db662e449cab03a6c1ac51af41360</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-aef9eaf5-5c3a-4ee2-ab74-e968ec5fee67"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5a032c13942a46c5ae015f53d9ce138a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-81c8c916-9b1c-4865-b053-8797b7635536"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>d20f0fbd001fd30610c3317fd3c6f7c0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b0d74e94-4cc5-4412-b283-b7d8a3fd770f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>caf33d1e15953c0e782846e1709498f6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-03be0c70-71fd-41e9-a135-4c66c86ec25a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>49bacedcd18f6d8929d43a10dae8645f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ed751c87-1202-4748-a09a-603e916a7a5c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f6655e39465c2ff5b016980d918ea028</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5706f486-870e-4086-abd3-b84d174d8a1e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ec8aa67b05407c01094184c33d2b5a44</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-93303fa1-7cc5-4a8a-95af-a14825b30a88"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>35b9f05cf70017cc485af87660109dc8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a88f262e-2aa9-42d4-b2be-ec4a9c4dcc08"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3d6fe3928f2f5ce41622f3f958b894a0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-58874411-5b95-4f6b-baf8-43a6e943dcf8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>125ebbc6f0c957ee994fcef1431a93f4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d74f5f2f-9c51-4a2b-98f0-43a3b4bb817b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6576c196385407b0f7f4b1b537d88983</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-151a2b1c-fa5a-4bfb-a9e8-ffedc0ef2000"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7a2eba5ca6f9b2cec61c5cc55dfca762</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-c9cfa772-ac67-4c2d-bf17-06beca62c4fc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>33de5067a433a6ec5c328067dc18ec37</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-db60fa94-e63b-40de-b85b-639864d09dff"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d9fbf759f527af373e34673dc3aca462</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-79c8a3d0-5ada-46d0-b5fa-72b2660e5ed2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>30b3b17eab05ecffaa055b5091aa66f9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7c3f3c05-6d69-4f05-973b-b05494fb4192"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>785003a405bc7a4ebcbb21ddb757bf3f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7e77fc63-2844-4bea-a5cc-b013c9c57407"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>eb61cedc9793226a66e4611e6ea25d7f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f707fc35-11ea-4a05-9927-06fdae66cc07"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>85c4081a97255ac7ca7d0d5554e86ec1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0f870d41-c381-4d63-a902-b09eddbb085c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fab7c555a511f4d4e318817455bbb75a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7a0df406-816b-4fc7-867e-8157ecfe3678"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>19fc27aeb48b3ce8d00eb2e76dfe2837</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-562438f7-d03e-4c4b-afdb-42f3473ebc5a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cfe738fcc07b9ece6a11c3390d43b5df</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-83815990-8092-4378-b6c8-ff4ff3160270"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>c0a33a1b472a8c16123fd696a5ce5ebb</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-28cf1fc8-985c-4f47-9dd8-7eade45c828b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a316d5aeca269ca865077e7fff356e7d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-64eefec1-35b8-4c4e-b03a-7f402c29cfdd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>89a2802e2f2356ce6a757f833c3ba3ef</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4260d6a6-142b-485c-a37e-1c7a5f1880de"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>dc059121677ec7a038589cda28cbcc49</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a137962b-044e-4d96-8284-2fb874a04cfc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6faa4740f99408d4d2dddd0b09bbdefd</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1d244eab-ddb9-463a-8c8f-2644ff8146ad"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>99a39866a657a10949fcb6d634bb30d5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-717002c1-0b9b-4d89-8e04-827366b6b37f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a14e8df8bc55f7459d24fe526f51a16d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-60ef246f-98e4-42c4-acca-9d6aac19191a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f8437e44748d2c3fcf84019766f4e6dc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-061044d6-d7b0-43ff-9ea8-59090632acc0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4e3ddb5c27e45ee0e6dcc02e87b0abb5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c9af2cd7-31ec-4e35-9ae8-7b72eff0eabb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2dd892986b2249b5214639ecc8ac0223</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-1be3d9c2-ee2a-4676-9888-dfdeabf873a0"> <!-- Reviewer note: this observable and the ones that follow it here give a file name only. Some of the names are close to, but not the same as, names of Windows components (for example spoolsvr.exe versus the print spooler's spoolsv.exe), so match on the whole name rather than a prefix, and expect false positives from generic names such as update.dll unless the hit is confirmed by another term of the same indicator. --> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>smisvr.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f4a65b7d-10f3-4d34-8f71-d299c6c29982"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>update.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cb8b0594-8172-4c37-865e-0ab50c4dd62d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>spoolsvr.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-97b1b8cd-599f-4a30-96f7-84d99e396cf6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>winpsvc.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-903d7906-89ed-4012-a3a0-8b4ddf733ab0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>update3D.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-147278d9-ae6b-4aa5-b0c3-5e20e3cbc4e3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>update7E.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b84fb79f-c77b-4cc7-8475-f6a2d59f5c5a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>servicve.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-29a89dcc-339e-48ce-8fdf-6f22bc0a0108"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>mssvc.exe</FileObj:File_Name> </cybox:Properties> 
</cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-36e0857a-c6b2-45d5-a173-1d32bcd262c1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>Net3.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-155af31e-9ec5-47f7-ad27-5a2b625f37db"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>UPD115.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f4439817-1af8-49b6-bf7a-eb75387fc857"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>dfvmgr.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dfba1358-e5b8-41fd-9408-6f345eb77dd3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>update1.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6236ca54-b8ce-4be3-8347-d27b5374d672"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>update3F.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c4f5a77b-8c17-4c21-9506-7e129f94805d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>winps.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1ccb67ee-ab95-4f8b-80fd-15ba7b1b144a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>update23.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a8ee19a2-4922-45d2-a2c5-8499e754552e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> 
<FileObj:File_Name>Net206.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-28adbf26-fdcb-49c4-b3f5-fe7604a6c5be"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>IEupdate8080.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8b50a572-82cd-4361-a651-8e6d914ffce3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>dfhost.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Placeholder observable: the OpenIOC PE term could not be converted, so Properties is empty and nothing here can be matched. The original term is only in the OpenIOC test mechanism that the file header says accompanies each indicator. --> <cybox:Observable id="mandiant:observable-090bf433-7d5b-4c39-bb67-419783ef48fd"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- File size terms carry no condition attribute. A size alone identifies nothing; presumably combined with other terms by the owning indicator, which is outside this section. --> <cybox:Observable id="mandiant:observable-f77a63bd-4231-4c15-b370-b3dca152932f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>7168</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-da94f2f3-15c5-4efd-a463-55af2fe25bc3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>8192</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- PE file header timestamp, given in UTC (Z). The field is written at link time and can be altered, so treat a match as supporting evidence only. --> <cybox:Observable id="mandiant:observable-53236c4b-8c5e-43b4-9b3e-1757a2c4fd53"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2007-11-18T23:50:13Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-e0f1fb6e-bba9-4d0b-b773-5c6a070a11fc"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2008-02-27T21:58:42Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-291ae324-ec20-4020-851f-a0518548d4b7"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-05-14T17:12:40Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a8e2161e-b3f5-4c2e-80fa-8466e6edf592"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-01-15T17:20:56Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fb2aa6ff-36c5-4f92-98ea-5dfadf1ce05b"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>loadstringa</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> 
<cybox:Observable id="mandiant:observable-5b918ea4-eb00-4e83-b901-a8cd96ba0d69"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>malloc</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-babc3765-80bf-4439-bc94-c40e280559f4"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>free</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c6a7d671-6d83-49e5-b5c1-b9bd4e1c933f"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>disconnectnamedpipe</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3b5f5409-b7c2-4150-8799-b34ef1f207c2"> <cybox:Object> <cybox:Properties 
xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>getcurrentprocess</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b0356b4e-9d01-42a2-82aa-3e7338ddd86e"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>terminatethread</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f5b965df-6640-43ef-8a74-3648850c24de"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>waitforsingleobject</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4eea9b08-e5c9-449a-915e-81957d645db5"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> 
<WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>setevent</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-77a33407-dd06-4771-a398-eb2ec5da243a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>sleep</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-86987363-95a8-4411-ad36-af31256bde72"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>duplicatehandle</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-be35f904-765e-4e5c-a7da-619e2aac05cd"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> 
<WinExecutableFileObj:Function_Name>peeknamedpipe</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-00a0ddeb-301f-4105-9418-11d7379ddb6d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>createpipe</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1ded5ab9-9ee9-4b96-9444-2b290fa39fd3"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>waitformultipleobjects</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f06e6df2-ae06-4e8e-80d3-49ab06305353"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>createprocessa</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> 
</WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Imported function names here are all lowercase, whereas Win32 import tables use mixed case (CreateThread, CreateEventA); compare case-insensitively. Whether the converter or the original IOC lowercased them is not visible here. Each name alone is common to many benign programs. --> <cybox:Observable id="mandiant:observable-0c395a56-6e3e-44af-8606-49e16cf27f5d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>createthread</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-27f96162-bed9-49a7-82b6-1d2b5838602b"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>createeventa</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Same Function_Name (createeventa) as the preceding observable under a different id. Deduplicate by value when extracting a flat list, but keep both ids in the document: NOTE(review) something outside this section may reference either one. --> <cybox:Observable id="mandiant:observable-806c5faf-ce64-4e6b-b344-5d2ddaa1b38f"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>createeventa</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> 
</cybox:Observable> <cybox:Observable id="mandiant:observable-05935fd3-b962-43fe-86b6-ec5c1b28eb7b"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>writefile</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-35a89fcb-66aa-451c-8d3d-74bef2e70dbf"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>readfile</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f1bfa3bc-3141-4ce9-ab41-17c171acf3f4"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>getcomputernamea</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-57a6b882-a041-49db-a186-cd9d6a67f2be"> <cybox:Object> <cybox:Properties 
xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>exitthread</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-85c1f565-1808-4811-ac5b-80fff6758661"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>terminateprocess</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0536e2e9-359b-4bfe-9950-fc3762dbb645"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Imports> <WinExecutableFileObj:Import> <WinExecutableFileObj:Imported_Functions> <WinExecutableFileObj:Imported_Function> <WinExecutableFileObj:Function_Name>closehandle</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Imported_Function> </WinExecutableFileObj:Imported_Functions> </WinExecutableFileObj:Import> </WinExecutableFileObj:Imports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e6f3f7ad-d18a-4e11-abc1-3d778d8e70c0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>3b0dad4763f6151515d819ae04a1f0f6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ba5f0800-89ac-4ed1-9902-abd6f2744200"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>fd66b9718e650978eb0fff32b9edb377</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3747f1b4-c8a6-40be-957b-335ee4fd8bb2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4e21010805d397aa848cfe63ab0e5eb9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-179caa2f-c6d5-48b0-ba2e-cd465be83cf0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e83cc769fc5601856d26c88dcb20458b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cf009b8f-ab73-4c0d-9def-f312899c1b0a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f662c8ae9a0257e68ae52cf354ebab43</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7d1800de-8551-4507-b746-5326e1cfbcfa"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cdcd3a09ee99cff9a58efea5ccbe2bed</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Hash observables in this section give MD5 only. An MD5 match identifies one exact file and misses any rebuilt or repacked variant, so use it as a lookup key alongside the non-hash observables. --> <cybox:Observable id="mandiant:observable-dc8e72fa-a85d-4127-9252-27bea678966b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6b31344b40e2af9c9ee3ba707558c14e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- File_Path terms below use condition="Contains", i.e. a substring test on path fragments with no drive or root. The first value (system32\sam.sav) has no leading backslash while later ones do, so it also matches a directory whose name merely ends in system32. Compare Windows paths case-insensitively. --> <cybox:Observable id="mandiant:observable-4b2c705a-739e-4dcc-bd75-0ae489ce9db4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">system32\sam.sav</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6ea29327-7971-49f2-9efa-82ac4960b421"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">Local Settings\Temp\sam.dat</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-49beeb96-c46c-4a47-8d62-1f9e2c941cca"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">Local Settings\Temp\~hhC2F~.tmp</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f62b52d9-5641-45fa-a737-c78c8b9d0ed0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">\system32\netui.dll</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2729ef72-778f-4428-8fa9-280dac3d8420"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">\system32\msxml0.dll</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3ffed991-d9d3-490f-8fee-a97fe9bf5970"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">\~ISUN32.EXE</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8a6dcc6e-254a-4c37-97ce-863d019cb9f0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">\system32\ati.exe</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f3dd3f24-d63d-47e3-bbfb-3175dd88979a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>riodrv32.sys</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0bb9b519-ad67-4149-a39e-5f08d6127517"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>~temp.pl</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-dc17be00-19a1-4f1d-8951-d140c7bac393"> <cybox:Object> <cybox:Properties xsi:type="WinDriverObj:WindowsDriverObjectType"> <WinDriverObj:Driver_Name condition="Contains">riodrv32.sys</WinDriverObj:Driver_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-24ca9d19-1173-4619-a3ef-7c038af11a59"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key>Software\riodriv</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>HKEY_LOCAL_MACHINE</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-12f50a91-cf56-4339-9745-fc021c59ac4e"> 
<cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key>Software\riodriv16\TEMP</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>HKEY_LOCAL_MACHINE</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a0e7f984-b460-4bcd-a853-1cd11b80be44"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key>Software\riodriv16\DEL</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>HKEY_LOCAL_MACHINE</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4ef5a6ce-7bf1-45b4-80ed-dad7b63500a7"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key>Software\riodriv32\TEMP</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>HKEY_LOCAL_MACHINE</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4f4d4c51-70bb-4cd1-8b42-3610ab588151"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key>Software\riodriv32\DEL</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>HKEY_LOCAL_MACHINE</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d0073d98-69b8-4bbf-b35c-2f1fe58683ef"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key>Software\riodriv64</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>HKEY_LOCAL_MACHINE</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4d0dddd5-9f06-48c1-8a11-71719d0eab58"> <cybox:Object> <cybox:Properties xsi:type="WinProcessObj:WindowsProcessObjectType"> <WinProcessObj:Handle_List> <WinHandleObj:Handle> <WinHandleObj:Name 
condition="Contains">rio32drv</WinHandleObj:Name> </WinHandleObj:Handle> </WinProcessObj:Handle_List> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-04012e8a-dd20-4241-8b10-d169b49100a3"> <cybox:Object> <cybox:Properties xsi:type="WinProcessObj:WindowsProcessObjectType"> <WinProcessObj:Handle_List> <WinHandleObj:Handle> <WinHandleObj:Name condition="Contains">rio16drv</WinHandleObj:Name> </WinHandleObj:Handle> </WinProcessObj:Handle_List> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Service_Name terms below carry no condition attribute, unlike the handle names above (Contains). Spellings differ between entries on this line (rio32drv, rio16drv, riodrv16, riodrv32.sys); copy each value literally and do not normalise them to one pattern. --> <cybox:Observable id="mandiant:observable-56e1835d-6a31-48d0-9b16-701107b852bd"> <cybox:Object> <cybox:Properties xsi:type="WinServiceObj:WindowsServiceObjectType"> <WinServiceObj:Service_Name>rio32drv</WinServiceObj:Service_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4a94dbda-22c4-4131-b2ec-e3f50bf2c1ba"> <cybox:Object> <cybox:Properties xsi:type="WinServiceObj:WindowsServiceObjectType"> <WinServiceObj:Service_Name>riodrv16</WinServiceObj:Service_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Registry observable with only a Values/Data term: no Key or Hive is given, so on its own it matches the data string under any key. NOTE(review): presumably scoped by the owning indicator, which is outside this section. --> <cybox:Observable id="mandiant:observable-d642e377-9db3-4944-af9e-13ac7c7b76b6"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">riodrv32.sys</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ceb0314c-35c0-4f54-b777-0067d5cd8ae8"> <cybox:Object> <cybox:Properties xsi:type="WinServiceObj:WindowsServiceObjectType"> <WinServiceObj:Service_DLL condition="Contains">Nwsapagent32.dll</WinServiceObj:Service_DLL> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3cd72dd3-11b8-4f57-b2e6-d10cb333e399"> <cybox:Object> <cybox:Properties 
xsi:type="WinDriverObj:WindowsDriverObjectType"> <WinDriverObj:Driver_Name condition="Contains">rio16drv.sys</WinDriverObj:Driver_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a628745b-2579-4691-9b9a-affb86eda06a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>Nwsapagent32.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fbffcbcf-d45d-4742-9481-baa04f1ed7e2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>netui.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bf86bf44-29de-45d0-80bd-15e34e039177"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>msxml0.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8fdbe706-8440-4da8-a274-66801df2fd41"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cc281db0-c3d6-447b-9bed-b7e2c7e04610"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ec540528-1563-476d-aaff-270fe2df5e3f"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> 
</cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bb7618cb-7f2e-4690-80f9-4f1572af0758"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>110592</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6b9970f1-0c16-43dc-9c43-f18df719db31"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>81920</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-53fad508-e8dd-40aa-98ca-64a4bfd0811c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>94208</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-29f43d88-956a-46fc-abb9-e8861f4a8e82"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>96136</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ebbc6af0-5c1a-40a6-b78c-81089cd11efa"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-06-25T00:29:11Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2cca76a1-73b6-4290-8f5e-9656bb5fe9cb"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-08-04T03:35:45Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> 
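</cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-d1a5bda6-8925-4d23-96be-0893b69790b3"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-03-01T08:26:01Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-46119143-1fd1-470c-92e5-72c1883ad643"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-11-06T13:54:41Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-390c3c46-79bd-468d-872f-e4a2824aa022"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>17408</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- The value below is a two-bound range written with the CybOX list delimiter (##comma##).
     The other range fields in this file (Size_In_Bytes, Time_Date_Stamp) carry
     condition="InclusiveBetween"; the converter dropped it here, which left a single literal
     that is not a valid timestamp and cannot match any file. The condition is restored so the
     field reads as "compile time between the two bounds, inclusive".
     NOTE(review): confirm against the original OpenIOC term kept in this indicator's Test_Mechanism.
     A PE header timestamp is set at build time and can be altered, so treat a match as
     supporting evidence rather than a standalone verdict. -->
<cybox:Observable id="mandiant:observable-2dab46a0-3ad2-4b6b-8074-56922ffdfead"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp condition="InclusiveBetween">2009-04-28T10:00:00Z##comma##2009-04-28T16:00:00Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-bbe6f528-ecea-41c1-a81d-beef8c258d68"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> 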
<!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4d0d3741-1f1a-4a04-89c4-ebcf3e35450a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-70ca6c4e-cae9-4f9e-b263-e55ec702370d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a41d3d55-ef0f-4b3b-bda6-fd3ec5e08e74"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ad30afb0-7d59-40b1-a4a1-72585d1f2a8d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6932ca1a-5548-47e4-991b-ec47c0b2a667"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bac524cd-cd89-4fdc-b285-f6f999fb3fd9"> 
<cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5cc3ed5a-17cd-4bc6-bc3d-554b92cda3b4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>898a8a43c8708961094944fb42c278ab</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ef95aa56-e653-4357-9627-99df04400546"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>07fe9f901fb4f14e16fb5d114a92b0fc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ef3492cb-db10-40bb-9898-22f7a54c4b5f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2e8484f59899046452392c236460ebb6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-85ce02c6-16ec-4927-8477-20bd38b0cdf2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9d1d58e370bea4b5e79a1f914516cbc0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-c1fd7932-8473-40fc-b598-dac2954be212"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0908d8b3e459551039bade50930e4c1b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2b7c7b9f-dc3d-4f92-9ef7-c4eea56b7a48"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>950234183528ce107d65b700be1bbbd3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e080662b-2364-41a2-a020-cb1b0c971e91"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a5d4ebc0285f0213e0c29d23bc410889</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a82948a5-8b29-4135-aac2-60133ea45c75"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>494637c4ac6d04bb50a681e87b81043f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9dd97cd1-a202-423e-9d4d-207e5edb8d14"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6c9c9e40683467f60b910d5bad5285ae</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d5cb1b59-03b0-45dd-9b85-75ee78f90044"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3d61d23c2be95177937aa50769c0c512</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-86c51237-c66d-48c1-a341-cf8c0d91c60a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c91eacab7655870764d13ba741aa9a73</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1e0981b5-b053-4b0a-8211-a6cf7c3b1a3f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>588c40520a3cea27d2b35cd1fa05e23f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5b2f7279-ce22-4b70-af8d-8923437849fd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6a88f170ab6cb0f9b3252adc61b4f487</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-347bfe1f-2df9-4c96-9513-2d7a3c0d74f1"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>565b6fedccab184c92e40483ea49a25f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2d2d3672-e987-4d69-b253-7d28e39629d8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>feb406ff01d9fd5abc5ea079e0543e31</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c9bf6fef-3417-4a0d-94ee-7f34aa31c707"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f4bea18e9d38ab9fa7c1cf6eea2bdc79</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7e10c0e2-11dd-44bc-a282-9ed6f9bb4310"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8d81eeaeb0bd74a1faab257079452078</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f6db7186-d473-41a0-812e-4d264d834fa8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ca9c1f8d709ed34d388dc7cba2bd7602</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-81ae4127-cbeb-4c91-8400-748c5127a733"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>95f25d3afc5370f5d9fd8e65c17d3599</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7f53e613-ff9b-491f-8ca9-ba55e3a4b9c3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b883f8e5a1420d1f511266b9253c11c4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4adc3ef2-d407-4a82-90e6-8dce6ca01c68"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2bd02b41817d227058522cca40acd390</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a62c6ba2-03ce-4e80-bd8a-45138fe31911"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>74b3ee9f3f6c52413db6e5c9ace34893</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-13bfb143-a945-42da-b03a-3224843729bf"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c4188c3bb6982d41aa783c499113a8e3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-3c1cba50-dbda-47e1-ab8a-40960cac9d39"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2acfc925e66e1b820a67c4d0f3e6ae8c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f81d536b-7d51-4b41-bd87-21c7d4d11719"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>8bf9698c18b2aa23f71444af2571a6ad</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-095f937e-ef8d-4dac-bbff-3d042e7b5151"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>34ca3fbcaac48498aeff6035b172bf69</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a3cab055-1cd0-43cc-ba82-9dd4bd105656"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6808ec6dbb23f0fa7637c108f44c5c80</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-feb4f745-5dcb-4cc4-93d2-fde7b172c5c2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bf0d5aff9c1f33e089c9c85f03c6ba8a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c87057f3-4180-4d85-9d98-e9922705fa6c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7a2692cafec377c444bc3147fc43e57f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ad3076d7-7912-4eee-b9b5-450d09f9b840"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-636e4e8a-cb6a-45a5-9df1-4f20e1132f71"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-14a13876-3ab2-4227-ad8c-451dcd0519f0"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b37cc63f-6502-4977-9d81-5608bc17d42d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>121.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2ce40817-edf3-4219-aa01-80471b82c2c9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> 
<FileObj:File_Name>162.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d03530b4-8d5e-41fe-896f-301ca58076cc"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>download.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ddaccedf-90d7-4224-9d52-fed8d2a8082d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>igfxper.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6c7dc0e9-79a6-4be8-bf71-dff9f626ec7d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>md2.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ba2b6ece-f761-4644-b707-70ff165877ec"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>mfevps.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1dd4cb8c-b1f8-494a-be6a-ca93b00743ac"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>moon.png</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cd3a79a6-d176-41d6-a785-acba8e83c52b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>nbstat.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7d00969b-768d-4df4-a890-06c7030f5223"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>ntdl.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-650d994c-739c-4969-9251-49bfa8dcb102"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <!-- Name-only observable: ntshrui.dll is also the name of a legitimate Windows component, so a bare file-name hit is not evidence on its own. Presumably this observable is combined with the size, hash or timestamp observables through an indicator composition defined outside this part of the file (verify there); when matching by hand, check the file's location and hash as well. --> <FileObj:File_Name>ntshrui.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-336be1c5-f3f2-4e47-a56e-011577a13c2b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>sap.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a57d27fb-ee5f-48e7-bc8b-eb28b72e0598"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>Slsvc.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2f5f27d2-3f7a-41ff-a21a-67ed4ad5dc2c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>win6C.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <!-- Range field: the two values separated by the CybOX list delimiter (##comma##) are the lower and upper bounds, and condition="InclusiveBetween" makes both bounds part of the match. A consumer that ignores the condition attribute would compare against the raw delimited text and never match. --> <cybox:Observable id="mandiant:observable-4a52cb2b-9c78-4ac0-8b97-cc054a54a3f0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes condition="InclusiveBetween">145900##comma##146000</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4a510c2d-0a0a-41f9-a780-0b9a184e73b9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>149540</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9c0b99a8-1b3d-48cc-b9bf-f40feffe72cd"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>150564</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e993d0d6-61f8-4fb4-93ea-db2666d6e843"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>151588</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-80bb7921-4817-48d3-878a-6712dd7faace"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>157732</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bee37401-87df-4fe3-8bec-e38286e9b821"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes condition="InclusiveBetween">158000##comma##160400</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4f928e37-08d2-46f1-a183-a3fd4818e8be"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-02-23T14:23:21Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-10b6b09a-7e45-45c3-b833-00005caf0ea9"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-03-24T03:43:02Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9a15ea1c-c2b2-447b-9011-b1e8542433d5"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-04-01T17:41:45Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-42946ae8-b28a-482f-9a84-bdde2098a5dc"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-04-13T09:22:06Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b972ea4d-c4c9-4fab-9e57-8478764f5c16"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp condition="InclusiveBetween">2011-04-20T07:00:00Z##comma##2011-04-20T14:00:00Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3b8c093d-414f-49a9-b7dd-22b68a238726"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-04-21T07:16:51Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d19129ad-cb3e-48c5-9188-c355b342aca6"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-05-04T16:10:36Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-65772a1c-3690-451c-bafe-869944742746"> 
<cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-05-11T08:39:16Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c79d6f9a-7528-4878-87e4-1d75d5d31b5c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-05-31T08:37:56Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e787f4b2-b375-4a86-a870-b1a0fe91cbe5"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-06-02T01:41:52Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9acd4092-e331-4503-be88-5ab9f3e50d4d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-06-02T01:42:07Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-77cb33c7-e73f-4c38-8108-9b4f4be6e36d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> 
<WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-06-16T00:36:06Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-341631f1-5d80-4471-b7cb-f67e846461bf"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-07-11T03:38:22Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2a379e3d-7a56-413f-9970-9f42d095e052"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-09-22T13:52:10Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0770e7b6-6b92-40e4-812a-6ef828fbcb1c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-04-12T15:02:26Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6bf6aeb9-eb33-4691-b18b-936aa4a975fa"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3abe9c84fc13d0a82c1c3e0dced5825d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a897fe63-2220-4610-8fff-9c2b9e753633"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4111fbc14558385c10091543c439264a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-79d95774-eb93-4cb6-8395-59e255966c57"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bf80dbf969b73790253f683cd723fd71</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bf0af872-a1d0-4b31-b8e8-76e092dd2ca7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>09d372e4259980ac95fdadf1846578d9</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c8f401fa-9e65-48ba-bc69-ed4ae8504c3a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f67357d9fa1c3014050f2feefd39c784</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9b4f8d5c-0177-4ce5-9d7b-bd7a1f8a8d78"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>8c9871a9eb88ffc43507f988b222dc52</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-737eed55-4f2e-4f32-b572-9f55a1b62ef6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bce4b77a4e4acc70a3f6f52ec0a2f033</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8c6ee6bc-06df-4a4c-b7da-2a57dc2b16f6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ea47431d832faff7802710dae0abb0d3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-efd06593-64ae-4d88-b977-3cd5ecbbea32"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>874bb818208655b59a8c4c1ae2aef379</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-573c0cf0-0415-4a15-be60-e8748c4d3a9d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>24fefb8b9338e2300308260be19bbaab</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-28294f17-ac3d-43c6-a2f4-af2242512ab9"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>15137b710414e4e8508ac5ab27e2cbaa</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8cffa685-5e94-4db6-9f01-e29c91a8ceea"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>150c95865766c2dd0562e7bedb6db104</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8bdc3c7b-91ca-407f-ba57-cf2f2a947f11"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>5a3abb8053c271c58e879b3b9cf8c8f5</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-818e26cb-6b0e-405c-ad4c-b01ec519959d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>bcb087f69792b69494a3edad51a842bb</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c1f647d8-b328-430a-8abf-922f8c4b949b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>32c32e936cffa8ab370c7f3f2dd43d65</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-9f31630c-cabb-4064-847e-2234ae0d7949"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>51326bf40da5a5357a143dd9a6e6a11c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-df6ab0ea-8768-4fab-9f72-c43aba2f85e4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ecf18654e4a2668fb8b2e3db144809af</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9d8448b5-0a94-48d2-b2ca-b7702c943c34"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f445b22897a27ac5852ee19589bea8c2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-37852a61-6c44-4f93-9796-123a8dbd500f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>dd1222f96024ac28179c7508e4193285</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-cf16c3fa-9747-4d0b-9fc4-c9a49d1016f7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6767eeb485232436de9553988765fb89</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0c6a173d-ea35-4f92-9f27-1034939980b9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3f243b304358041fb163007e0c066d4a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d3dc32ba-43aa-4bb0-83bf-d67f4e284d2e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e64d657ce32118b415fa91dc05037c4c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b9b71deb-63ec-4fe1-9719-01d68ac49b67"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>db50416d9e67f4982e89e0ffb0ade6f3</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-01bd0ef0-f08b-455d-a2f5-e5685f497714"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a5b581c0600815b1112ca2fed578928b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e1347131-a9ca-468b-abd1-f70b5be73934"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>57f98d16ac439a11012860f88db21831</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c583ed8b-3f7f-4417-8fe5-e9c8905431b7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4f65bc571cdd9c9cd11e771e1db35a4c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-16ac7750-b557-46ef-8b71-0659ac8fb744"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>876ee736ebad6917a259456fc3a2f11b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e555a82f-e64e-4c77-abee-a4e5af8e4420"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>10240</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-fe35529d-ef3f-4171-96fb-b89c267c2265"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>10752</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6cc894f0-59eb-4261-a36f-3d8c3503d7f4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>11264</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5431c2b6-2fc8-467d-833b-130e516cbb72"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>8704</FileObj:Size_In_Bytes> 
</cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-41c7218a-0cc4-499e-8220-67226ef81c74"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>9216</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2c87b5c8-7ec0-46ab-bd3e-a5a27e90d0a4"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-04-10T01:36:41Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9f644994-4ffa-428f-9426-f21a43cb53c1"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-07-16T15:04:29Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-50ec3594-e369-4340-84b7-d6d6cbf3d309"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2009-07-16T15:18:07Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-90b0b02d-dddb-4ecd-9796-fa1a0bbd02e5"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> 
<WinExecutableFileObj:Time_Date_Stamp>2010-08-11T09:14:46Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d750031d-877d-4903-b572-c981ee8d9236"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-08-11T09:15:53Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c848740b-66c8-4d00-acc1-56782827b10b"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-11-20T15:30:36Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a067de4a-e6a5-4b5b-bf6d-bc198f959d80"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-03-02T15:12:30Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-84967cfa-69f0-4254-badc-d46cb79d26c7"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-03-02T15:41:38Z</WinExecutableFileObj:Time_Date_Stamp> 
</WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-45db05bb-bd41-4b2d-bce2-6c2b94b122ef"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-03-03T13:41:14Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6bce7a55-8e95-42a7-8326-05a5feb51596"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-03-08T02:36:50Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-594eb497-0179-4537-a7d4-80aa81a2a325"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-03-25T09:36:00Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a1861df1-3590-4223-bf8e-afe46ae48443"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-04-28T01:22:03Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> 
<!-- Observables in this run were produced by the automated OpenIOC to CybOX conversion described in the file header. Each one carries a single file, PE-header or registry property; the composition that combines them into an indicator is not part of this span. NOTE(review): fields without a condition attribute (hashes, sizes, names, timestamps) may be read by a consumer as observed instances rather than match patterns, unlike the registry Data fields that carry condition="Contains"; confirm how the consuming tool treats them. -->
<!-- PE file-header timestamps. Time_Date_Stamp is set when the binary is built and can be rewritten afterwards, so a match is supporting evidence only and should be paired with a hash or other property. -->
<cybox:Observable id="mandiant:observable-2af57e8f-65c6-4232-b493-1fb574b9002d"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-08-07T11:34:16Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-030de379-8e8b-468d-a583-97eeea361cb0"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-08-10T19:45:58Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c68e647f-a929-48e6-be04-739add3afd99"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-10-13T09:23:00Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f2bd1ae3-9d40-4aed-af3d-78777cef13ce"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-10-13T09:37:53Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-308efb8e-caa5-4aed-8c45-fc2014e85abd"> <cybox:Object> <cybox:Properties 
xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-11-10T08:46:09Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1cd3ca84-a53e-46d3-84f3-157f7ceb9b51"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-12-01T13:50:47Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a8c77ad1-e5a2-4638-9f49-12cf1fe315a5"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-02-13T15:54:19Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c0f84e9c-385a-4940-8ba3-b6ce2dca710c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-02-16T08:22:06Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-81289d03-211b-4471-b4d3-bad06a7aa5eb"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> 
<WinExecutableFileObj:Time_Date_Stamp>2012-05-30T14:51:25Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f17f8d35-de32-4874-8452-5050ea2a533c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2012-07-26T14:55:59Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Bare file names with no path, hash or signer. msiexec.exe is also the name of the standard Windows Installer executable, and svehost.exe differs from svchost.exe by one letter, so a name match alone is prone to false positives on healthy hosts. -->
<cybox:Observable id="mandiant:observable-041f007d-9af7-48ff-8baf-6c2464a1f9e8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>avguard.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3d9f38cd-0bc8-4e9c-b5a8-6cd2a06f1458"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>dlserver.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c1194515-f997-451d-8930-36beb247ffcb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>WinInstall.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-24e54cce-c4b1-429a-94bb-d72684763026"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>InfMon.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-763a8925-3c15-46da-9d0a-8b0b12004680"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>vsserv.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-d6e4fa65-cc60-4eeb-aabf-0b2d2aa829e2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>dlservers.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0c42625e-283f-47a2-9851-bd45f01c5e5b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>svehost.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4f16b9c2-b44e-4d78-aee6-8547d0f32d62"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>wininstaller.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7f97f56f-d574-4fb3-a134-275f2381cb31"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>msiexec.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- The next observable, and the others in this run whose Properties hold only a commented-out PE_Attributes element, constrain nothing beyond the object type because the converter could not translate that OpenIOC term. NOTE(review): exclude these from pattern matching and consult the OpenIOC test mechanism that the file header says accompanies each indicator. -->
<cybox:Observable id="mandiant:observable-a8ea5b89-fc57-41ab-aff9-4a535132cec9"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- File hashes are given as MD5 only. That suits lookups of known samples, but MD5 is not collision resistant; where a stronger digest of the same sample is available, match on it as well. -->
<cybox:Observable id="mandiant:observable-5a9ed4ef-9a0c-4f4c-9cf9-65d33cd59edb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>dbdd2a9c86e71ba0c9953ff4f89cc25b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-54c44e19-a195-43e7-ad01-e350d387e888"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> 
<cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>67f62f5accfeacf5e828c3b3905248fe</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e034777e-1d07-474e-a825-02459fecbbe0"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Registry terms. NOTE(review): the two Hive fields below hold brace-delimited GUIDs rather than a hive name such as HKEY_LOCAL_MACHINE; presumably the conversion placed a key or class identifier in Hive, so verify against the OpenIOC source before building a detection on that field. The Data fields are substring matches, and a value as generic as "Apartment" needs the other terms around it to be meaningful. -->
<cybox:Observable id="mandiant:observable-44d5b6fc-75f4-49b0-bf74-c964521cd5c0"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Hive>{1A7882DB-B89E-4406-AF8A-42C3DBD11B2C}</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ffae0e73-4f45-4062-ba4b-7628f901fa0e"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">mshtml Class</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-84a9a67d-e641-4edf-854f-3ed7bd151946"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">Comhtml.mshtml.1</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-76a83e3b-2c81-4c68-ba94-bf557a3ba43e"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> 
<WinRegistryKeyObj:Data condition="Contains">Apartment</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-82ebe9c0-4701-40e8-bc59-31f1af3c7042"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">ntoc.dll</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0383f494-e75e-4b22-8d94-46467712964b"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">{B02DAAF7-C679-4D00-9805-BE94D23B3B99}</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a30394c7-d1bd-4c15-b949-110b6a005d6c"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Hive>{B02DAAF7-C679-4D00-9805-BE94D23B3B99}</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5c1519e1-904c-4367-b316-6776eb3cfb0d"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">comhtml 1.0 Type Library</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3360f8d9-3215-41ea-8958-d1f0cab55f73"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> 
<WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">ntoc.dll</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a19db190-8116-4885-a2e7-9fdc2006aee0"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>ntoc.dll</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Substring match on an exported function name. DllRegisterServer is the conventional self-registration export of COM DLLs, so this term is broad when evaluated alone. -->
<cybox:Observable id="mandiant:observable-69fd5c62-9662-4217-8840-0f0068192e18"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Exports> <WinExecutableFileObj:Exported_Functions> <WinExecutableFileObj:Exported_Function> <WinExecutableFileObj:Function_Name condition="Contains">DllRegisterServer</WinExecutableFileObj:Function_Name> </WinExecutableFileObj:Exported_Function> </WinExecutableFileObj:Exported_Functions> </WinExecutableFileObj:Exports> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-daf83b4a-467e-4e4b-8d4d-d1945e90c3e7"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c4f006d9-277d-44eb-b4c6-8b8158682695"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>32768</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-989b3f80-92c4-441b-9e5f-99888b12cac5"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> 
<WinExecutableFileObj:Time_Date_Stamp>2010-05-06T13:11:39Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1ca51c49-fa3a-42c6-80f4-b786c0d9e82c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-953dd2ea-5a2c-40c3-b70e-ccd4b2126efc"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6fcb85fd-f1cf-4b75-b1ec-cee9cff7a792"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>f7f85d7f628ce62d1d8f7b39d8940472</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f185110e-4fbd-4782-98ff-5db97ca802ef"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>da52e6701c9eba92459c6be28efdba74</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8c90a6f4-c13c-4cf6-a3ae-15c04a960b0d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> 
<cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9dab4da07ed669b44f409eb60f3b0e50</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-28cae9e0-e6ae-440d-a833-fce9fed91746"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0149b7bd7218aab4e257d28469fddb0d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-52267a68-5ad0-4132-b3c6-c86a69842df5"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9d75897d9c0a5da7e95082ea5ae1f648</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1706748c-acbc-4db3-b243-83f705616a57"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>496f04719a365f9718919002eff5748b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-453c4b44-a1fa-44d5-8655-0bbbea9d8532"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c2a79bb15a31fd6584d9bf0891673d14</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1eecde36-9399-4bd6-ba13-b414af30bc08"> <cybox:Object> 
<cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4e1a92036a577a87a6fa36168d192c4b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6fc7ea0c-b56e-4fca-8297-3af38ddf23af"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6e9bedcf80f21171adb951a0d85d2adb</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-25a88fc6-025c-47ce-b1c3-7eb475ed787f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>efc2025431e7ec8f8784fe81389c77cf</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5d38842f-2585-4c0f-a25d-551dc5cc77d8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>37ddd3d72ead03c7518f5d47650c8572</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-84b40839-003e-4a6e-ad8e-1df258ea07b2"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>dff4d874b2bfc64a4d1805959c379074</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> 
<cybox:Observable id="mandiant:observable-7ddafb71-345c-4df5-85c3-9cb5087feba4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>70c10f8b4dcd01b07be6cfb4df0d3348</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-2c9f0b9d-0042-4c9d-b093-c8c239870fe3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>cc3a9a7b026bfe0e55ff219fd6aa7d94</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-58649176-0ca4-4d1a-9e6a-1236dbc77ac7"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>aa4f1ecc4d25b33395196b5d51a06790</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-76a80ad2-29dd-47cb-b279-1f24cf7027ac"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>1415eb8519d13328091cc5c76a624e3d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bcfb0f4d-a535-4e09-bc70-3c4cec5c4357"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3d573866620eae070a220be89e113f69</cyboxCommon:Simple_Hash_Value> 
</cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ea217e94-0489-43c2-9460-792cf8fa7969"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2762fb36161086f7ef3f33232aa790dc</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3c1a10a3-9c3d-4226-bb7e-28a796fac92a"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>57cbf78c226265cc1e61ad86779bf906</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f14f51a2-bdde-4474-9c5d-1e91c4e9c739"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>20e2c8c7a98ddd4c16f6e878194c1e78</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-85608e62-7b42-47cb-be04-ee818a567f21"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>6040dd5b603483f738be6a02a63538f2</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-c71a44e2-805b-4e1e-b140-6ccfb1ba2752"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>abe6ab89f957f6edf8f41b5ad198e5e6</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-d08526ca-4936-477f-9670-c8bb4834c802"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3e3e6fe1a8c6ffc00a9c644997a4f7a1</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6eb7f59e-c5aa-4fb0-b713-3ad934970c15"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>4c9c9dbf388a8d81d8cfb4d3fc05f8e4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4472370d-a4e0-4d5b-a9b4-7a2226c71656"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7a670d13d4d014169c4080328b8feb86</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-22d4a359-6d97-4c87-9e86-79d7f2822d6b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>36d5c8fc4b14559f73b6136d85b94198</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-9b54acc9-b2d4-42d8-bca6-229f2807d3ac"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e5237615fde0977c0ea3626fba609ab8</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-efc5573e-b345-4491-a476-e5e3df158047"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2b659d71ae168e774faaf38db30f4a84</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-ad80f7dd-1654-4c54-acfd-cf44fdba5874"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2272791cadf422ce02a117a3a857f84e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-854fc56a-070c-4eef-b120-8b13b0430a46"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a354e3c566645100e757f3e43c9b007d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6cf40586-66b7-436c-9b78-1de376bda409"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>22aa55134d621672e93c6de928c8b122</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-7006d4db-b299-4253-89a0-ebd50503f989"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9d5aabcda9106132d1e1b6cf6cae28aa</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-399b4560-097d-4c5f-9dd4-eb56ccfc4a39"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>7f26403f8e59a5f2728af2d3e0efaabb</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-56f85a10-c969-4d69-8eb1-8f6265acf0a4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>70e2827ab4af1a38dc09a02fa95b82fe</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-22d0a76b-ca28-4108-ae4c-ba4c99441cde"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a8f259bb36e00d124963cfa9b86f502e</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3babb67f-61cf-46f8-95be-9e9711bf049c"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>c9f77569aa98f71cc42644d66d9f371c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> 
</FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7586834c-89b6-4b4d-bea8-f424bccd1536"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>328c3ebb2fd2e170483e8d51ccc6c505</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b76299cf-3094-4635-9f63-0f4e438ac6ca"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>3de60420845a582b0e44081b1138a7e4</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4d639056-7dcb-4e3a-b57e-b12f530b3e35"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>2a4604fcae876dee445de5ad74fd7835</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3678d8ef-ace4-456a-93dd-41bc7b51dc0e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>86a906db5686bbf487689937d15bf71a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-860f4933-1b3b-4017-a594-df1717a16173"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>13835f0d5aafbeda50560afc92c8b7b7</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6fff1113-d530-4445-a1e4-30108cac885b"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>63db2f4fd717723f0e6f94e0a6a62c7b</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-4ceb5bc2-bcb9-4d58-af98-c62107b8e52d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ec82a53f44511ac09e916bde02cddef0</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8eda7dde-6882-4040-a236-403f857478fa"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>0588ffa0a244a2c4431c5c4faac60b1f</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-1fbed0af-8e0d-43c3-8046-634a9b0b7973"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>a8b183fe32ad8d426e20227f3c8b7592</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-505d95fe-dab7-4184-b177-ed684e30f735"> <cybox:Object> <cybox:Properties 
xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>d751c7f7d2eab52c43ab31312e229307</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-703567b4-8492-4881-9ac0-406d820a1c02"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>39e28f48c138dc156d1436fd02222e45</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b3cfa046-8468-4160-9ec6-fd50a6696fe9"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>ca68ccc887cfe5d2194f6a4d3101ae66</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8368e0af-177d-4c10-acf8-1b112707b0ea"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>9ad292de00b2175a80b5909fa173cdcd</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e8111648-69af-4631-850d-48a9ed04e830"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>b743f6af7e307221ba425d6023ebe42c</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-dbd562e7-1687-4d02-a4aa-18bbd8131073">
<!-- Placeholder observables: in this observable and the eight that follow, the converter could not
     translate the OpenIOC PE term, so Properties carries only its xsi:type and a commented-out
     PE_Attributes stub. NOTE(review): on its own such an observable constrains nothing beyond
     "Windows executable file"; the untranslated term should be read from the OpenIOC definition
     that the leading comment of this file says is kept as the indicator's Test_Mechanism. -->
<cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-3ffe2f58-0162-42ca-bbb2-84c96f79a429"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-57b9e593-0bfb-4a89-b414-75aaa578d698"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-56140567-5ddf-429e-9ad3-3c41355b9c4a"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-7a74e6c8-7375-48c0-949f-95572a78be54"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-940b86bf-1668-46f7-830d-4be71196add5"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-37e017df-49b2-47e1-9825-85bdf573b9ef"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-7eacea1c-283f-4ce8-9b05-e52a41760159"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-d52ca222-ddd8-4818-babd-469136767128"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- File_Path substring matches (condition="Contains"). NOTE(review): inetinfo.exe, fxsst.dll and
     wscntfy.exe are also file names of Windows components that normally sit under System32, so the
     directory part of each pattern presumably carries the signal; confirm against the source IOC
     before alerting on the file name alone. -->
<cybox:Observable id="mandiant:observable-2f199249-08c0-4d0c-a48d-92c8f764ad46"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">\Windows\inetinfo.exe</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-ed6711b3-8778-4084-9a2b-931ae5e7babb"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">\Windows\fxsst.dll</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-17e77965-cbcb-4c7b-97a9-6c361bc294a6"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Path condition="Contains">\Windows\wscntfy.exe</FileObj:File_Path> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Process handle names matched by substring. The handle type (mutex, event, ...) is not recorded
     in these observables. -->
<cybox:Observable id="mandiant:observable-4e0b8b31-0f57-4a23-ae2f-b54a7d04c022"> <cybox:Object> <cybox:Properties xsi:type="WinProcessObj:WindowsProcessObjectType"> <WinProcessObj:Handle_List> <WinHandleObj:Handle> <WinHandleObj:Name condition="Contains">LETUSHAVEAGOODTIME</WinHandleObj:Name> </WinHandleObj:Handle> </WinProcessObj:Handle_List> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-192cc28d-7608-44c0-ab78-ed5b5d718c0f"> <cybox:Object> <cybox:Properties xsi:type="WinProcessObj:WindowsProcessObjectType"> <WinProcessObj:Handle_List> <WinHandleObj:Handle> <WinHandleObj:Name condition="Contains">HAHAHAHAHAHAH</WinHandleObj:Name> </WinHandleObj:Handle> </WinProcessObj:Handle_List> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Bare File_Name observables with no condition attribute. NOTE(review): iexplore.exe, svchost.exe,
     reader_sl.exe and WINWORD.EXE are names that legitimate software also uses, so a name-only hit
     is not evidence by itself; these terms are presumably combined with hashes, sizes or paths in
     the indicator composition, which is outside this part of the file. press_releases_doc.doc.exe
     carries a double extension (.doc.exe). -->
<cybox:Observable id="mandiant:observable-d600f291-d6b9-417b-be7f-bb65f374094d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>iexplore.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-fc91876c-c18d-4711-bcef-c828f18c9356"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>svchost.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-5db34463-cd8e-4783-acb3-92783eaadd23"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>mswab.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-30508b35-dadd-46fe-9701-f6dbdba2bef8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>1.jpeg</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-1428e3b4-01d2-4756-99db-2b33f57e5c50"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>buildout.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-b96748f1-ef0f-43cf-9811-018493c1f1f8"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>reader_sl.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-5eec859d-42d7-4a84-bff1-1d09c8e9835e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>WINWORD.EXE</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-6470699e-2fc6-46bb-80a1-dc579302ec36"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>press_releases_doc.doc.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Two more untranslated PE placeholders: Properties holds only the converter's comment and a
     commented-out PE_Attributes stub, so no PE constraint survives in the CybOX form. -->
<cybox:Observable id="mandiant:observable-7ecb7460-915c-4c47-b33b-9e5a22a2784c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-b69fe666-d750-4162-ad59-05a575ddb028"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Exact file size in bytes with no other property. NOTE(review): a size alone also matches
     unrelated files of the same length; treat it as a supporting term only. -->
<cybox:Observable id="mandiant:observable-a016ff4b-41f8-4fb9-85fe-2f322de4f84f"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>1220608</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object>
</cybox:Observable>
<!-- Size_In_Bytes observables: each one states an exact file size in bytes and no other property.
     NOTE(review): a size alone also matches unrelated files of the same length, so these are only
     useful as supporting terms; how the indicators combine them is not visible in this part of
     the file. -->
<cybox:Observable id="mandiant:observable-e4bc1c3d-5031-4dea-a1d8-f6a8180852ab"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>14336</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-7a68303d-0c6e-4604-a48d-b74478e26051"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>14848</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-1ec89d4c-13f3-4c8d-9c8c-487b9f4434f3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>15360</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-ea54de4e-3935-4f99-8a4f-d46cead8a42e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>15872</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-3c7fe9c0-b08c-4921-95d3-8fbdb72e0937"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>16896</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-881afe9e-dbe5-4af0-9018-7f6c9ec69ea3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>17408</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-1b7920f1-5aef-4124-ac18-769e855f03aa"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>17409</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-938c08b4-480f-4868-bdc9-1073ab0039e3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>2886656</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-070ba35f-e9ff-4884-b7a7-b34e53604cc4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>40448</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- PE file header Time_Date_Stamp observables, written as UTC date-times (trailing Z).
     NOTE(review): this header field is set when the binary is built and can be changed afterwards,
     so it is better suited to grouping related samples than to identifying a file on its own;
     confirm how the enclosing indicator combines it with other terms. -->
<cybox:Observable id="mandiant:observable-09b8919f-7d83-4df5-bec0-c55ef595e5e4"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-08-27T01:55:04Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-f050d4d3-c778-4ecc-aebd-81df5953a4c2"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-09-28T08:09:41Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-d88cae4b-1734-4abb-9aa8-5916bfd5ac38"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-05-30T01:30:24Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-d513f4f2-3f6b-4978-965a-df25d7161a3c"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-05-30T03:27:33Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-962c1701-32e1-47f2-a67c-6868c743bfac"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-05-30T08:29:29Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-4eab86a7-135f-473a-ac63-1a38e2059556"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-07-01T08:23:45Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-51f6df5f-f37b-4e9a-84e8-6de48e817ba0"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-07-29T07:10:31Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-37d15923-831f-4a70-b8d1-7966f07d31bd"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-08-09T07:30:17Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-a082d17d-99f9-41d3-95af-7cae719f1cfa"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-08-09T08:15:29Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-269a67b1-be1e-4564-b556-986b99da15a1"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-08-09T08:18:19Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-98b74df6-b79f-4516-a532-0eb9b8b26beb"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-08-11T13:15:49Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-90b7970a-9f9c-4be2-8335-94a1a44fa515"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-08-15T09:26:15Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-1d5a0302-e8b1-405a-90a0-bebaa78b7fbf"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-08-19T03:07:37Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-a42f67d5-b2f5-4225-8a67-38bfba70d472"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-09-16T08:46:55Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-322dcf62-fb83-434a-969c-6a1e83b1e709"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2011-12-12T13:34:30Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable>
<!-- Windows service observables (WindowsServiceObjectType). The Service_Name below has no
     condition attribute; the observable after it is of the same type. -->
<cybox:Observable id="mandiant:observable-2eb66a50-21ee-4861-84dd-1cdc2fc388d0"> <cybox:Object> <cybox:Properties xsi:type="WinServiceObj:WindowsServiceObjectType"> <WinServiceObj:Service_Name>.Net CLR</WinServiceObj:Service_Name> </cybox:Properties> </cybox:Object> </cybox:Observable>
<cybox:Observable id="mandiant:observable-fdaec485-9c85-49c2-b17e-99cb0b0db111"> <cybox:Object> <cybox:Properties xsi:type="WinServiceObj:WindowsServiceObjectType">
<WinServiceObj:Description_List> <WinServiceObj:Description>Microsoft .NET and Windows XP COM+ Integration with SOAP</WinServiceObj:Description> </WinServiceObj:Description_List> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-bbec8b8a-26ef-4d80-9eaf-bb1b75526c59"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Key condition="Contains">Run\</WinRegistryKeyObj:Key> <WinRegistryKeyObj:Hive>CurrentVersion</WinRegistryKeyObj:Hive> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-6ec4f425-663e-48e5-92c8-e0b2a30c3c2b"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">Users\</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a176e91c-5b42-47d0-ac83-c799a07dad58"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Data condition="Contains">Documents and Settings\</WinRegistryKeyObj:Data> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a96c8466-c539-480a-9261-e5a6a53e54fa"> <cybox:Object> <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Name>SysTray</WinRegistryKeyObj:Name> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3ff1c3a8-ec15-4c63-bad7-9a8b710c999f"> <cybox:Object> <cybox:Properties 
xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType"> <WinRegistryKeyObj:Values> <WinRegistryKeyObj:Value> <WinRegistryKeyObj:Name>systemupdate</WinRegistryKeyObj:Name> </WinRegistryKeyObj:Value> </WinRegistryKeyObj:Values> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-b293ed0a-4d58-448e-8909-443bf9851bd4"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>77afced93e20b1bb906796197fa1dd1d</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-7a376a4f-ba1a-4087-a67a-932e0b067a40"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>46acae84a04e41730d0502d9080bbb4a</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-5ee901c4-9dc4-48af-ad16-11bbe10bac4d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Hashes> <cyboxCommon:Hash> <cyboxCommon:Type>MD5</cyboxCommon:Type> <cyboxCommon:Simple_Hash_Value>e7f728e3bce0e59c3ba973545a3b3a92</cyboxCommon:Simple_Hash_Value> </cyboxCommon:Hash> </FileObj:Hashes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3d62bb44-8b90-4f90-8e32-899b4723053e"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>1.rar</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-0b520328-7c5f-4e5d-b126-7e96b673e522"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>ret.log</FileObj:File_Name> </cybox:Properties> 
</cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e6c21b58-a913-48b4-91cf-a0c04288c982"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>qy.htm</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-8488c736-347a-4368-b17b-941b580ae3b3"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>shsat.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-179cdf6b-64fd-4788-93ee-b0d6daf8d303"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:File_Name>imxgy.exe</FileObj:File_Name> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-71855453-31f3-493c-91a6-32fc88038fab"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <!-- IOC to CybOX Converter does not support this portion of OpenIOC at this time --> <!--WinExecutableFileObj:PE_Attributes/--> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-f703be9f-71fc-4689-85ee-7b201a4a584d"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>28672</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-3d46f96b-eb2b-46d4-a839-c27f88cda084"> <cybox:Object> <cybox:Properties xsi:type="FileObj:FileObjectType"> <FileObj:Size_In_Bytes>29184</FileObj:Size_In_Bytes> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-a549eb6c-10b1-4e86-acaf-3b8fca66e5da"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> 
<WinExecutableFileObj:Time_Date_Stamp>2010-08-16T00:20:13Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-e07c1595-5f31-4f6f-9783-57382acf1aa4"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-09-06T02:40:00Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> <cybox:Observable id="mandiant:observable-11940b1b-7c1b-494e-a779-dd7e3b4389d1"> <cybox:Object> <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"> <WinExecutableFileObj:Headers> <WinExecutableFileObj:File_Header> <WinExecutableFileObj:Time_Date_Stamp>2010-11-15T00:54:34Z</WinExecutableFileObj:Time_Date_Stamp> </WinExecutableFileObj:File_Header> </WinExecutableFileObj:Headers> </cybox:Properties> </cybox:Object> </cybox:Observable> </stix:Observables> <stix:Indicators> <!-- If separate TTP entries were created for each of the malware entries in the Malware Arsenal appendix, the appropriate indicators defined here could directly reference the appropriate malware TTP entry for each rather than the single high-level APT1 TTP entry. As an example, we referenced the WEBC2 Indicators to the WEBC2 TTP in the main STIX document. --> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-8d88dd33-1e16-4814-814e-662fb0ac842f"> <indicator:Title>GDOCUPLOAD (Family)</indicator:Title> <indicator:Type vocab_name="Mandiant">Utility</indicator:Type> <indicator:Description> This family of malware is a utility designed to upload files to Google Docs. Nearly all communications are with docs.google.com are SSL encrypted. 
The malware does not use Google's published API to interact with their services. The malware does not currently work with Google Docs. It does not detect HTTP 302 redirections and will get caught in an infinite loop attempting to parse results from Google that are not present. </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-b7013416-7e77-4078-a0bd-a33b49c7cb2f"/> <cybox:Observable idref="mandiant:observable-749eea4e-2812-4b4d-bba9-4292bedc05a2"/> <cybox:Observable idref="mandiant:observable-2d244ba9-73e0-4270-96aa-64f1c8935d27"/> <cybox:Observable idref="mandiant:observable-41207254-a9d7-4b95-9080-a4d8905d2fd5"/> <cybox:Observable id="mandiant:observable-427596f8-92f4-4231-8aaf-f3b418000b85"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-8c374153-02fb-40d4-b2af-cbf5c4ec4b26"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-df3e85c7-82a9-4032-b860-03c5e891d3b0"/> <cybox:Observable idref="mandiant:observable-da666dfb-6d51-4374-b0b0-3a896d06f3dc"/> <cybox:Observable idref="mandiant:observable-94ab92ad-b5e9-4ebe-bd9f-125b97511e7a"/> <cybox:Observable idref="mandiant:observable-7ff03fbe-0077-44dc-b1a3-fa9771b3302a"/> <cybox:Observable idref="mandiant:observable-266e75ec-5639-4d5d-b094-c59173a61b13"/> <cybox:Observable idref="mandiant:observable-30d852eb-43c9-4ab4-b602-ae7fd7636216"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-f2f862e9-11d2-4f56-b214-38e5310c8c80"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-995a7833-1780-4b17-b5fa-944f6d8f51b1"/> <cybox:Observable idref="mandiant:observable-af887012-42d2-4a98-9c91-91fa99f5986a"/> <cybox:Observable idref="mandiant:observable-fccec804-ae93-4ea1-9cc6-8795523b7ec6"/> <cybox:Observable idref="mandiant:observable-cbf27d57-cf18-40b5-a706-8501083e46ae"/> 
</cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-0d53e783-c9e7-4dbd-b661-dfac62ac8f75"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-3cfaf45b-31a1-4f1e-a690-09f132e5c612"/> <cybox:Observable idref="mandiant:observable-c39b79ba-460e-4619-bf49-73a4a81e256d"/> <cybox:Observable idref="mandiant:observable-300bc2bd-1cdc-4c94-90e0-54bba1f9bbae"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="0c7c902c-67f8-479c-9f44-4d985106365a" last-modified="2013-02-10T13:00:00"> <short_description>GDOCUPLOAD (FAMILY)</short_description> <description>This family of malware is a utility designed to upload files to Google Docs. Nearly all communications are with docs.google.com are SSL encrypted. The malware does not use Google's published API to interact with their services. The malware does not currently work with Google Docs. 
It does not detect HTTP 302 redirections and will get caught in an infinite loop attempting to parse results from Google that are not present.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">GDOCUPLOAD</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Utility</link> </links> <definition> <Indicator operator="OR" id="8d88dd33-1e16-4814-814e-662fb0ac842f"> <IndicatorItem id="b7013416-7e77-4078-a0bd-a33b49c7cb2f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b305b543da332a2fcf6e1ce55ed2ea79</Content> </IndicatorItem> <IndicatorItem id="749eea4e-2812-4b4d-bba9-4292bedc05a2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">23e371b816bab10cd9cfc4a46154022c</Content> </IndicatorItem> <IndicatorItem id="2d244ba9-73e0-4270-96aa-64f1c8935d27" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5e17055c51724b0b89ff036d02f5208a</Content> </IndicatorItem> <IndicatorItem id="41207254-a9d7-4b95-9080-a4d8905d2fd5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e62dadb2856c099a066713883bc12788</Content> </IndicatorItem> <Indicator operator="AND" id="427596f8-92f4-4231-8aaf-f3b418000b85"> <Indicator operator="OR" id="8c374153-02fb-40d4-b2af-cbf5c4ec4b26"> <IndicatorItem id="df3e85c7-82a9-4032-b860-03c5e891d3b0" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">gdocs.exe</Content> </IndicatorItem> <IndicatorItem id="da666dfb-6d51-4374-b0b0-3a896d06f3dc" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">hotmail.exe</Content> </IndicatorItem> <IndicatorItem id="94ab92ad-b5e9-4ebe-bd9f-125b97511e7a" condition="is"> <Context 
document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">hotmail.exe</Content> </IndicatorItem> <IndicatorItem id="7ff03fbe-0077-44dc-b1a3-fa9771b3302a" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">sg.exe</Content> </IndicatorItem> <IndicatorItem id="266e75ec-5639-4d5d-b094-c59173a61b13" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 67% samples.</Comment> </IndicatorItem> <IndicatorItem id="30d852eb-43c9-4ab4-b602-ae7fd7636216" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">contains_eof_data</Content> <Comment>PE Header Anomaly identified in 33% samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="f2f862e9-11d2-4f56-b214-38e5310c8c80"> <IndicatorItem id="995a7833-1780-4b17-b5fa-944f6d8f51b1" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">104448</Content> </IndicatorItem> <IndicatorItem id="af887012-42d2-4a98-9c91-91fa99f5986a" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">104449</Content> </IndicatorItem> <IndicatorItem id="fccec804-ae93-4ea1-9cc6-8795523b7ec6" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">98304</Content> </IndicatorItem> <IndicatorItem id="cbf27d57-cf18-40b5-a706-8501083e46ae" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">113664</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="0d53e783-c9e7-4dbd-b661-dfac62ac8f75"> <IndicatorItem id="3cfaf45b-31a1-4f1e-a690-09f132e5c612" condition="is"> <Context document="FileItem" 
search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-03-18T02:41:49Z</Content> </IndicatorItem> <IndicatorItem id="c39b79ba-460e-4619-bf49-73a4a81e256d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-07-29T00:57:16Z</Content> </IndicatorItem> <IndicatorItem id="300bc2bd-1cdc-4c94-90e0-54bba1f9bbae" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-03-31T03:16:31Z</Content> </IndicatorItem> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-d577b671-abca-4318-ad94-27c793544168"> <indicator:Title>GREENCAT (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> Members of this family are full-featured backdoors that communicate with a Web-based Command &amp; Control (C2) server over SSL. Features include an interactive shell, gathering system info, uploading and downloading files, and creating and killing processes. Malware in this family usually communicates with a hard-coded domain using SSL on port 443. Some members of this family rely on launchers to establish a persistence mechanism for them. Others contain functionality that allows them to install themselves, replacing an existing Windows service, and uninstall themselves. Several variants use %SystemRoot%\Tasks or %WinDir%\Tasks as working directories; additional malware artifacts may be found there. 
</indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-e1ec420f-4c61-480d-99ef-dca3254fb0a2"/> <cybox:Observable idref="mandiant:observable-20ac1c71-1cd4-4e0b-8001-80fc3e3fac96"/> <cybox:Observable idref="mandiant:observable-1e9eb511-73b2-485f-9b1b-991bc4313913"/> <cybox:Observable idref="mandiant:observable-772dc61f-ba08-498e-b2de-a2b98f5b08c5"/> <cybox:Observable idref="mandiant:observable-c8991eaa-9d25-4658-8d95-dd02938d5b90"/> <cybox:Observable idref="mandiant:observable-4508d1fa-2def-4e7b-aef0-2335da307d42"/> <cybox:Observable idref="mandiant:observable-d781ac40-1769-4f52-b3c5-bf744801c2ff"/> <cybox:Observable idref="mandiant:observable-3349f01e-f085-410f-a055-dbcf0d4d62ec"/> <cybox:Observable idref="mandiant:observable-a51dbcf4-a440-4957-8dfb-ab407283f7bf"/> <cybox:Observable idref="mandiant:observable-e7dc9205-07d0-4007-980b-5aadb24c9c9c"/> <cybox:Observable idref="mandiant:observable-be3334f5-8e3f-41d2-b240-d454b901915b"/> <cybox:Observable idref="mandiant:observable-f5c39a66-9c50-4f6e-824f-087289bce12e"/> <cybox:Observable idref="mandiant:observable-c7102c3d-c443-41f6-8613-32a8d0971c84"/> <cybox:Observable idref="mandiant:observable-26a44cdc-4243-4e9c-ace8-5377aec75419"/> <cybox:Observable idref="mandiant:observable-decf5fd1-bb0a-4520-aa86-775963a75eb3"/> <cybox:Observable idref="mandiant:observable-a3199552-d951-4538-8438-a0b1dfac9924"/> <cybox:Observable idref="mandiant:observable-33314588-1d58-4e2e-8125-d19bbdad8a23"/> <cybox:Observable idref="mandiant:observable-2fd9d81c-477d-488f-b431-80547d6d9837"/> <cybox:Observable idref="mandiant:observable-473e0cbd-617c-49a8-9703-f25760a24d4b"/> <cybox:Observable idref="mandiant:observable-613cdf6d-f9ad-49d6-a945-657873891371"/> <cybox:Observable idref="mandiant:observable-1158e81e-fd49-4a75-9f74-fcd2a96dc841"/> <cybox:Observable idref="mandiant:observable-64c5cd50-f681-41ee-a85e-1395938d2f4f"/> <cybox:Observable 
idref="mandiant:observable-6641cfcb-3e4b-4466-aec8-0bd4422748e3"/> <cybox:Observable idref="mandiant:observable-538aa92b-e73d-497f-8fe5-b5b60897782f"/> <cybox:Observable idref="mandiant:observable-64d2746e-a20b-4fae-af67-06e8221ea112"/> <cybox:Observable idref="mandiant:observable-77f946d9-bd9f-49aa-bd2b-9891b55b6adb"/> <cybox:Observable idref="mandiant:observable-2ec17dff-0a4b-4404-bfb9-5513d655a047"/> <cybox:Observable idref="mandiant:observable-9a7022fc-e399-4a93-91dd-9714edabc42f"/> <cybox:Observable idref="mandiant:observable-dae02941-49da-4a9f-b1a6-217aa976d3b4"/> <cybox:Observable idref="mandiant:observable-5bd1bbcc-1397-4088-808e-7fee1ed4554d"/> <cybox:Observable idref="mandiant:observable-a8a846b7-9862-4fb2-ae26-0092fd74545f"/> <cybox:Observable idref="mandiant:observable-34c94390-75ac-4859-9caf-bf021e9ed0ce"/> <cybox:Observable idref="mandiant:observable-bb05e832-320d-484c-984e-7c9004b71ab1"/> <cybox:Observable idref="mandiant:observable-23166621-b363-4d13-8d2a-36848bbf62ef"/> <cybox:Observable idref="mandiant:observable-18f011f0-f745-4a17-9489-4b313b78430c"/> <cybox:Observable idref="mandiant:observable-32d9d3e3-247a-4814-871c-a2babb11470d"/> <cybox:Observable idref="mandiant:observable-275c7cf8-3fec-4250-8321-44beaf6fd69a"/> <cybox:Observable idref="mandiant:observable-0f2e40fe-a821-4e2d-84a5-4b76a184012e"/> <cybox:Observable idref="mandiant:observable-06c9e45a-f169-42a1-9b13-897af75de113"/> <cybox:Observable idref="mandiant:observable-8d300eb0-cb97-4330-93dc-843a8cc7e2aa"/> <cybox:Observable idref="mandiant:observable-aef94cef-dc4e-4b2a-8225-9d95136bc755"/> <cybox:Observable idref="mandiant:observable-5023dbc8-9694-4991-82f6-45fe4d5540ca"/> <cybox:Observable idref="mandiant:observable-f0444f6b-c0d5-4260-b3a3-c9c68e4af739"/> <cybox:Observable idref="mandiant:observable-d525d2c9-f65c-4758-9f9e-af6b0d579663"/> <cybox:Observable idref="mandiant:observable-2ac47a09-7e4b-4ac4-bb5c-7d52464884d7"/> <cybox:Observable 
idref="mandiant:observable-cac4805b-02ec-4cb2-b858-3b27d38cb682"/> <cybox:Observable idref="mandiant:observable-28a1d405-9c3f-4d9f-aa23-6de71d4bc41e"/> <cybox:Observable idref="mandiant:observable-6197cea2-6385-465b-9fcd-78bebdc39af2"/> <cybox:Observable idref="mandiant:observable-47d34f53-7514-4df6-b7c4-2e668fe5e25b"/> <cybox:Observable idref="mandiant:observable-8998f977-7229-4133-93fa-199947f79e15"/> <cybox:Observable idref="mandiant:observable-b27d81e7-e6f1-46ad-b4ec-ecca558965b8"/> <cybox:Observable idref="mandiant:observable-70082008-096d-40ca-8c83-e14beffe88f5"/> <cybox:Observable idref="mandiant:observable-50006157-6205-472e-afd6-9efebcd100ad"/> <cybox:Observable idref="mandiant:observable-4477fab7-4163-4af1-ad10-3fc91bd3b4c2"/> <cybox:Observable idref="mandiant:observable-38b1e400-a382-465d-96dc-1dfab9c6b6b1"/> <cybox:Observable idref="mandiant:observable-3a96f94b-5379-4a81-b5f9-fa09afcc08a1"/> <cybox:Observable idref="mandiant:observable-7a940ca1-edde-4409-b21a-ce7fb46b077e"/> <cybox:Observable idref="mandiant:observable-9e80350c-058f-461b-9064-61af37e28f8c"/> <cybox:Observable idref="mandiant:observable-96232b18-df03-4e8b-86ea-204500bb30ca"/> <cybox:Observable idref="mandiant:observable-3baabbac-2dce-450c-9330-321c727d4fce"/> <cybox:Observable idref="mandiant:observable-516da75b-a9ce-40dc-8d9c-f45672885599"/> <cybox:Observable idref="mandiant:observable-afd2f86b-3c67-4203-aa53-06f3e7387abf"/> <cybox:Observable idref="mandiant:observable-c6fcda16-4d86-41f5-86a2-2e4ad40641f5"/> <cybox:Observable idref="mandiant:observable-30cdb260-0f62-4ded-9ba2-19e9c518c9d5"/> <cybox:Observable idref="mandiant:observable-481c3313-50c7-4159-9b24-e3d0078d0cc1"/> <cybox:Observable idref="mandiant:observable-c0effb84-c3e6-47f6-a3da-08f5491c42de"/> <cybox:Observable idref="mandiant:observable-7a0f19f5-055f-4d1a-94a0-61659717d4c4"/> <cybox:Observable idref="mandiant:observable-57ae3129-905d-4e92-b377-b96bd539ae84"/> <cybox:Observable 
idref="mandiant:observable-2a3b7d04-9696-444c-b1ac-c2661327b87f"/> <cybox:Observable idref="mandiant:observable-8ab89f41-c82d-49d3-a4bd-97c01be38ff4"/> <cybox:Observable idref="mandiant:observable-b269a41a-09b6-4e11-b395-3a84a69ab486"/> <cybox:Observable idref="mandiant:observable-58f6187b-36c7-452f-82c5-dd649f81aab9"/> <cybox:Observable idref="mandiant:observable-bb9dd9d0-794e-47aa-9922-d287db0eda13"/> <cybox:Observable idref="mandiant:observable-9c91f63b-3221-42dc-b68f-a8a9637526c0"/> <cybox:Observable idref="mandiant:observable-8555081f-f434-44c9-8704-682ffb833118"/> <cybox:Observable idref="mandiant:observable-9e9b3fc8-dca1-4b8d-97b8-2f934db54bfc"/> <cybox:Observable idref="mandiant:observable-86127e61-8b13-43b4-be1a-55cdcb39ec21"/> <cybox:Observable idref="mandiant:observable-5b4e926d-04c3-42f5-aecf-b999c6c05848"/> <cybox:Observable idref="mandiant:observable-48c6cd00-0079-4c5b-a110-1365bf086141"/> <cybox:Observable idref="mandiant:observable-ecd8afec-bd5a-4450-9629-5461f89ddd4d"/> <cybox:Observable idref="mandiant:observable-2e081c5e-ade1-418e-b529-abca2aabe25a"/> <cybox:Observable idref="mandiant:observable-e4cc9324-dfe2-47a6-b7bc-20ca16fa2ee6"/> <cybox:Observable idref="mandiant:observable-30c32ef6-bc23-46d8-82a2-726a4ea928d1"/> <cybox:Observable idref="mandiant:observable-f9d1ec1d-866a-4784-8c86-99fffe93185a"/> <cybox:Observable idref="mandiant:observable-d55f6ff6-48ad-4328-b663-dc2c6da7641f"/> <cybox:Observable idref="mandiant:observable-79268e88-068f-4cdd-9ff6-c082e547ec53"/> <cybox:Observable idref="mandiant:observable-9afbad71-cb40-4d0c-b6ae-46cadb3db781"/> <cybox:Observable idref="mandiant:observable-2588b066-a161-44d4-902b-62ef027e37bd"/> <cybox:Observable idref="mandiant:observable-cf4f20e4-6bb5-4a81-ad07-7de57b0d4180"/> <cybox:Observable idref="mandiant:observable-0a1e6213-3002-4ec0-a4e6-d6b429d3b69b"/> <cybox:Observable idref="mandiant:observable-3b9b8c92-5f09-4e1b-afe7-df0294ba9686"/> <cybox:Observable 
idref="mandiant:observable-dc7e7a14-05fc-41f5-9675-b6c6eb1552d2"/> <cybox:Observable idref="mandiant:observable-f4c09e1d-7087-47c6-90a1-eceae9d82ad2"/> <cybox:Observable idref="mandiant:observable-b213c45c-ffd2-4475-a260-5e4438bb7d07"/> <cybox:Observable idref="mandiant:observable-e17f6723-f44f-42ce-9463-12675262ab9e"/> <cybox:Observable idref="mandiant:observable-c96f2ec0-0741-4309-b7a0-d3c402b9b28f"/> <cybox:Observable idref="mandiant:observable-04fbd074-b06b-4f5b-9437-d6f0b0f3b230"/> <cybox:Observable idref="mandiant:observable-7ed3aec7-4da9-4abd-af8f-614d0053aa9c"/> <cybox:Observable idref="mandiant:observable-0713088c-194b-4cc1-a491-ed154bf82d92"/> <cybox:Observable idref="mandiant:observable-fac0b607-932f-404a-96e0-69b19a1f6399"/> <cybox:Observable idref="mandiant:observable-4d9d2497-c5ae-45d0-bb53-f6bd171de802"/> <cybox:Observable idref="mandiant:observable-6a0fec6b-6e86-4d0e-a7b4-74d5fa99fdd6"/> <cybox:Observable idref="mandiant:observable-eb90e9a9-70ab-44b3-b34f-5140172354c4"/> <cybox:Observable idref="mandiant:observable-6bdbb07f-5f6e-4806-b78c-b3d73f92b911"/> <cybox:Observable id="mandiant:observable-c2f31e25-cb56-4f34-99a0-514ea9014119"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-43a988bd-6eb5-42bc-a501-d20ce872a28e"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-f182b0d0-f9d4-421c-bde7-e0427f0beea3"/> <cybox:Observable idref="mandiant:observable-33fb6f35-7e9e-4453-9f16-dc4371893d1d"/> <cybox:Observable idref="mandiant:observable-446de80d-55b4-43f7-a123-e1db1058bc9c"/> <cybox:Observable idref="mandiant:observable-dc38792a-69ad-44bf-89c0-f45452609235"/> <cybox:Observable idref="mandiant:observable-ad1165f3-4a6e-4d70-bdd3-d09b263abd22"/> <cybox:Observable idref="mandiant:observable-088967e0-f8cc-47a8-b8a1-d597581ba44a"/> <cybox:Observable idref="mandiant:observable-2f58f03c-388f-431e-8205-d1f06d859caa"/> <cybox:Observable 
idref="mandiant:observable-b04ad4fe-6bbc-4f51-924b-cc770f52f2cc"/> <cybox:Observable idref="mandiant:observable-b3dd9dac-18f4-4cf2-9766-0fc8341604ba"/> <cybox:Observable idref="mandiant:observable-6730ced8-9060-44cb-8b72-7036cf5e3ad8"/> <cybox:Observable idref="mandiant:observable-deee105c-12d9-4cca-8bc6-7b681753f050"/> <cybox:Observable idref="mandiant:observable-d4a19b79-a3a6-4e67-907c-4fea87ae4f2f"/> <cybox:Observable idref="mandiant:observable-c8825928-db80-47ac-9755-e3c05acbb2fc"/> <cybox:Observable idref="mandiant:observable-313b9bab-caf4-48b2-9dcd-b9b018f2ca5c"/> <cybox:Observable idref="mandiant:observable-262cfae5-c684-40bf-b777-5cd4799dcfc9"/> <cybox:Observable idref="mandiant:observable-dfecc66f-e6d8-49ce-b21a-b0fa6f917008"/> <cybox:Observable idref="mandiant:observable-94f66886-459b-430d-90de-7f0a8a81c257"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-d3e1a9a7-b519-46cf-814b-9183e892889f"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-aca8aa51-a223-40ab-8329-f1845a846ca0"/> <cybox:Observable idref="mandiant:observable-886415c2-623d-40bb-b324-b880fb4d1dab"/> <cybox:Observable idref="mandiant:observable-f783f0ee-82e9-4752-b392-efbd3120ad98"/> <cybox:Observable idref="mandiant:observable-db07a6d3-0cbb-4dca-a49a-83b598215c01"/> <cybox:Observable idref="mandiant:observable-94926b82-e2d1-4af9-a4d0-dd56283a2d53"/> <cybox:Observable idref="mandiant:observable-a828169a-b40a-42bc-8be0-7a73461ea47f"/> <cybox:Observable idref="mandiant:observable-a340c536-131a-4b82-9c17-ab9256120b7a"/> <cybox:Observable idref="mandiant:observable-52ff7f5b-b18d-46c7-beec-e4ff4ca1b40b"/> <cybox:Observable idref="mandiant:observable-01ff1530-4688-471a-984d-58e9fcefb82a"/> <cybox:Observable idref="mandiant:observable-cf0dcd37-f55d-4b8e-9310-944ab627f3de"/> <cybox:Observable idref="mandiant:observable-52578931-211e-4c14-89de-3351ba97eae3"/> <cybox:Observable 
idref="mandiant:observable-08b40441-1179-4a43-a19c-84225cbd4e9b"/> <cybox:Observable idref="mandiant:observable-587379ba-23fa-4399-a47d-1e8a9abac22d"/> <cybox:Observable idref="mandiant:observable-036e3e8a-21ed-43d1-bead-639723eb5250"/> <cybox:Observable idref="mandiant:observable-03d9dd67-e0e0-4282-8e0a-7e97c2b787f3"/> <cybox:Observable idref="mandiant:observable-5fc14e27-5c2d-400d-a041-d3f9a351efb3"/> <cybox:Observable idref="mandiant:observable-e2eba2bf-9d47-4c20-aaa9-f2cc2d2b7dde"/> <cybox:Observable idref="mandiant:observable-b68a4775-fbbd-4460-aaac-99574efa6259"/> <cybox:Observable idref="mandiant:observable-a3d59d13-245e-4138-841b-e6717cca81f0"/> <cybox:Observable idref="mandiant:observable-672bc832-720b-4555-8e57-9b7d04dfaa69"/> <cybox:Observable idref="mandiant:observable-e2a510e4-730b-4a3a-9309-e5bb485ceda4"/> <cybox:Observable idref="mandiant:observable-7e4e361a-2b41-4352-9e59-6dd9b9451bb0"/> <cybox:Observable idref="mandiant:observable-3867dff7-15d9-448f-b4cd-7305b8bbc37f"/> <cybox:Observable idref="mandiant:observable-5aa85a39-c0af-465a-843a-257fd5b6c585"/> <cybox:Observable idref="mandiant:observable-f282192c-e23c-4c24-a18a-92553cad4e17"/> <cybox:Observable idref="mandiant:observable-5fcf6eda-d58c-4ed0-a97e-80a5c9393a78"/> <cybox:Observable idref="mandiant:observable-5bd61fb0-a61d-465d-bbec-22e606c97254"/> <cybox:Observable idref="mandiant:observable-19d1c945-f06d-4858-8c90-c19a5cf6059d"/> <cybox:Observable idref="mandiant:observable-be478e8d-6e76-427b-b19e-4cbc7f9b9459"/> <cybox:Observable idref="mandiant:observable-63359ec3-c1c1-4217-a698-1500bbac1937"/> <cybox:Observable idref="mandiant:observable-e486cb73-c290-4099-aefd-52650bd425b6"/> <cybox:Observable idref="mandiant:observable-528d6d2b-6bfe-4cbe-a1d7-7fa4d2304fc8"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-df558a55-379d-4ded-86d5-3a8d74adb0d1"> <cybox:Observable_Composition operator="OR"> <cybox:Observable 
idref="mandiant:observable-5c088198-0b7a-4eab-bd26-3591ab2d9ff0"/> <cybox:Observable idref="mandiant:observable-5f85346b-8124-4f38-8af7-f7ecb05db34e"/> <cybox:Observable idref="mandiant:observable-f2e7493a-a858-4d38-bb8f-cb51725d7197"/> <cybox:Observable idref="mandiant:observable-ae032710-5891-4588-b255-ec1bcf04d227"/> <cybox:Observable idref="mandiant:observable-90181041-7e54-4d69-8305-3b1db1feaf13"/> <cybox:Observable idref="mandiant:observable-5147aced-2af6-4b61-9db9-9842cb4692a7"/> <cybox:Observable idref="mandiant:observable-00676dcf-c5cb-4918-9b9d-6ee12587bf6f"/> <cybox:Observable idref="mandiant:observable-6e0f4f57-9b9f-4adf-b34e-2cf20db7955a"/> <cybox:Observable idref="mandiant:observable-c847c5ba-6bd5-4692-8651-077f72771891"/> <cybox:Observable idref="mandiant:observable-ca84737a-e426-43d7-a145-7a8778a57353"/> <cybox:Observable idref="mandiant:observable-817ecb8f-d922-41d1-8da1-c01d4a4f272c"/> <cybox:Observable idref="mandiant:observable-78215b3b-52b0-4720-886d-a416312c4236"/> <cybox:Observable idref="mandiant:observable-10b1ba03-b276-4295-8c03-b17be46d3485"/> <cybox:Observable idref="mandiant:observable-e58150ca-8af3-4b2b-9659-7351a42cb26c"/> <cybox:Observable idref="mandiant:observable-19a33044-b55b-4b13-ba16-82faddbfad8b"/> <cybox:Observable idref="mandiant:observable-0f112a97-c7cd-447f-bf38-2f3b3a5a14e6"/> <cybox:Observable idref="mandiant:observable-86677460-02a8-4ab5-b707-11bf120664af"/> <cybox:Observable idref="mandiant:observable-104e8295-9b63-4595-90ea-d0cd9a18d93c"/> <cybox:Observable idref="mandiant:observable-a115f280-dc6c-4aab-8fc4-f640ebf7a599"/> <cybox:Observable idref="mandiant:observable-62ffa38b-9aab-4b6c-890e-5ac830ebd648"/> <cybox:Observable idref="mandiant:observable-111eb85c-83ea-4427-a8c9-ea9ad705bfa9"/> <cybox:Observable idref="mandiant:observable-ddfc26c5-69c1-4ad4-9290-28da46bd2a7b"/> <cybox:Observable idref="mandiant:observable-45f9c1d9-1a20-4289-b3e4-72035cc5f54d"/> <cybox:Observable 
idref="mandiant:observable-526c052f-dd62-4a18-a752-0ec9465a452c"/> <cybox:Observable idref="mandiant:observable-81542abd-8975-47bd-ab2a-657b2fb140fa"/> <cybox:Observable idref="mandiant:observable-4b915b30-cf6d-46bc-b5b2-5351595ad4af"/> <cybox:Observable idref="mandiant:observable-c0da7416-a51a-44f3-a64c-abcbdf00b8b4"/> <cybox:Observable idref="mandiant:observable-38828ede-349a-40d9-961f-bed923058774"/> <cybox:Observable idref="mandiant:observable-dedc26f8-efce-45e0-80c5-b1ed8a00cd89"/> <cybox:Observable idref="mandiant:observable-11534ab5-3378-4741-b68b-478e0a28fc15"/> <cybox:Observable idref="mandiant:observable-22b5f861-72fb-4fa5-a0b1-1693fc0f191d"/> <cybox:Observable idref="mandiant:observable-f39f176a-4b56-4be2-a179-8c89961c9683"/> <cybox:Observable idref="mandiant:observable-5e398c96-f8d9-4d5f-9753-f416d5e8ae49"/> <cybox:Observable idref="mandiant:observable-20e50cd6-96c3-41d8-9adc-2292fa4bdc7b"/> <cybox:Observable idref="mandiant:observable-80667694-eb92-41a9-9165-6ed899daf12f"/> <cybox:Observable idref="mandiant:observable-758e4343-da6a-4027-aeb3-e6c8dd5c4cff"/> <cybox:Observable idref="mandiant:observable-398ce8b3-2b65-443c-9063-6552f05cfb2f"/> <cybox:Observable idref="mandiant:observable-121b193a-987d-44ee-81f1-05c6cf4ea96f"/> <cybox:Observable idref="mandiant:observable-5a0f7b94-948e-4299-be06-823550dd1b33"/> <cybox:Observable idref="mandiant:observable-bc8911a3-2177-4c1a-850a-478b34ac2fe4"/> <cybox:Observable idref="mandiant:observable-935eb617-dec2-4ba9-9aa5-cf2a42c30722"/> <cybox:Observable idref="mandiant:observable-8b9e7dbf-c817-4807-bff6-bdf646120e0c"/> <cybox:Observable idref="mandiant:observable-f3678b88-9342-45c7-b7fa-b44979617005"/> <cybox:Observable idref="mandiant:observable-55dec592-caaf-426b-9fcf-219e50b3a013"/> <cybox:Observable idref="mandiant:observable-f40fc85a-9081-409c-bb85-2c60cd1b27e3"/> <cybox:Observable idref="mandiant:observable-4166b560-dd02-4d08-9074-b28749ced2f5"/> </cybox:Observable_Composition> </cybox:Observable> 
</cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-9f152ffb-afc3-404e-a038-350585bbf92b"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-7a01cc6b-b5ab-4790-a5d4-87b2fdf5428c"/> <cybox:Observable id="mandiant:observable-c0710194-482e-4a16-9f73-a19cf0313212"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-2d8255d2-641a-4761-a6a5-771bd74344eb"/> <cybox:Observable idref="mandiant:observable-25da2178-8ba7-43f0-bfbf-ec6184930dd9"/> <cybox:Observable idref="mandiant:observable-19cb7aea-26cb-41b7-afd7-356606ca4434"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-2bf622df-ca79-4f3e-9bb5-f38fc70bc2a4"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-e9e4fa0f-9186-4f02-b8d3-412690f80aba"/> <cybox:Observable idref="mandiant:observable-12c7431c-d0f0-4b3c-ae1d-db0622b1c4ec"/> <cybox:Observable idref="mandiant:observable-96cb3701-ae2b-4fba-b108-28f79b1760a2"/> <cybox:Observable idref="mandiant:observable-3a86f589-7791-4ece-9a53-fe3872c814f4"/> <cybox:Observable idref="mandiant:observable-e8b9edd9-a3eb-462f-b8ec-22c0d7625359"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="12a40bf7-4834-49b0-a419-6abb5fe2b291" last-modified="2013-02-10T13:00:00"> <short_description>GREENCAT (FAMILY)</short_description> <description>Members of this family are full-featured backdoors that communicate with a Web-based Command &amp; Control (C2) server over SSL. 
Features include an interactive shell, gathering system info, uploading and downloading files, and creating and killing processes. Malware in this family usually communicates with a hard-coded domain using SSL on port 443. Some members of this family rely on launchers to establish a persistence mechanism for them. Others contain functionality that allows them to install themselves, replacing an existing Windows service, and to uninstall themselves. Several variants use %SystemRoot%\Tasks or %WinDir%\Tasks as working directories; additional malware artifacts may be found there.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">GREENCAT</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Backdoor</link> </links> <definition> <Indicator operator="OR" id="d577b671-abca-4318-ad94-27c793544168"> <IndicatorItem id="e1ec420f-4c61-480d-99ef-dca3254fb0a2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">05552a77620933dd80f1e176736f8fe7</Content> <Comment>svchost.exe</Comment> </IndicatorItem> <IndicatorItem id="20ac1c71-1cd4-4e0b-8001-80fc3e3fac96" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">079028d315d039da0ffec2728b2c9ef6</Content> <Comment>spoolsv.exe</Comment> </IndicatorItem> <IndicatorItem id="1e9eb511-73b2-485f-9b1b-991bc4313913" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">07c4032f24ae44614676fbdfe539afe0</Content> <Comment>green.exe</Comment> </IndicatorItem> <IndicatorItem id="772dc61f-ba08-498e-b2de-a2b98f5b08c5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0c5e9f564115bfcbee66377a829de55f</Content> <Comment>gaemm.exe</Comment> </IndicatorItem> <IndicatorItem id="c8991eaa-9d25-4658-8d95-dd02938d5b90" condition="is"> <Context 
document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0f23d5b93c30681655d8a4258b8de129</Content> <Comment>OSE.EXE</Comment> </IndicatorItem> <IndicatorItem id="4508d1fa-2def-4e7b-aef0-2335da307d42" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0ff20d023d6b54661d66fb3ce09afe3c</Content> <Comment>inetinfo.exe</Comment> </IndicatorItem> <IndicatorItem id="d781ac40-1769-4f52-b3c5-bf744801c2ff" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">120c2e085992ff59a21ba401ec29fec9</Content> <Comment>1.dll</Comment> </IndicatorItem> <IndicatorItem id="3349f01e-f085-410f-a055-dbcf0d4d62ec" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">150c4c1f589c4baa794160276a3d4aba</Content> <Comment>ks.dll</Comment> </IndicatorItem> <IndicatorItem id="a51dbcf4-a440-4957-8dfb-ab407283f7bf" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1ce4605e771a04e375e0d1083f183e8e</Content> <Comment>reader_sl.exe</Comment> </IndicatorItem> <IndicatorItem id="e7dc9205-07d0-4007-980b-5aadb24c9c9c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1ede2c69d50e0efbe23f758d902216e0</Content> <Comment>1.dll</Comment> </IndicatorItem> <IndicatorItem id="be3334f5-8e3f-41d2-b240-d454b901915b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1f92ff8711716ca795fbd81c477e45f5</Content> <Comment>spoolsv.exe</Comment> </IndicatorItem> <IndicatorItem id="f5c39a66-9c50-4f6e-824f-087289bce12e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1fb4ce2e56ced51ddf1edff8ed15c21b</Content> <Comment>wmdmpmsn.dl</Comment> </IndicatorItem> <IndicatorItem id="c7102c3d-c443-41f6-8613-32a8d0971c84" condition="is"> <Context 
document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">286f48dda20e2ccc3250a6e09a130db1</Content> <Comment>hk.exe</Comment> </IndicatorItem> <IndicatorItem id="26a44cdc-4243-4e9c-ace8-5377aec75419" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2bdc196cdac4478ae325c94bab433732</Content> <Comment>wuauclt.exe</Comment> </IndicatorItem> <IndicatorItem id="decf5fd1-bb0a-4520-aa86-775963a75eb3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2fae9efa753d3d821e1efdbc1335b966</Content> <Comment>1.exe</Comment> </IndicatorItem> <IndicatorItem id="a3199552-d951-4538-8438-a0b1dfac9924" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">30e78d186b27d2023a2a7319bb679c3f</Content> <Comment>OSE.EXE</Comment> </IndicatorItem> <IndicatorItem id="33314588-1d58-4e2e-8125-d19bbdad8a23" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3364813bcbd111fc5ec1e4265c533506</Content> <Comment>RASAUTOE.DLL</Comment> </IndicatorItem> <IndicatorItem id="2fd9d81c-477d-488f-b431-80547d6d9837" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">341f5e7215826d07ada1ed2b96264c0d</Content> <Comment>1.dll</Comment> </IndicatorItem> <IndicatorItem id="473e0cbd-617c-49a8-9703-f25760a24d4b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">36c0d3f109aede4d76b05431f8a64f9e</Content> <Comment>reader_sl.exe</Comment> </IndicatorItem> <IndicatorItem id="613cdf6d-f9ad-49d6-a945-657873891371" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">370c50aea66cc338b37801e1bd1c244f</Content> <Comment>rasautoe.dll</Comment> </IndicatorItem> <IndicatorItem id="1158e81e-fd49-4a75-9f74-fcd2a96dc841" condition="is"> <Context 
document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">390d1f2a620912104f53c034c8aef14b</Content> <Comment>cnn.exe</Comment> </IndicatorItem> <IndicatorItem id="64c5cd50-f681-41ee-a85e-1395938d2f4f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3e69945e5865ccc861f69b24bc1166b6</Content> <Comment>iexplore.exe</Comment> </IndicatorItem> <IndicatorItem id="6641cfcb-3e4b-4466-aec8-0bd4422748e3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3e6ed3ee47bce9946e2541332cb34c69</Content> <Comment>iexplore.exe cisvc.exe</Comment> </IndicatorItem> <IndicatorItem id="538aa92b-e73d-497f-8fe5-b5b60897782f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3fb8f4cdcb4d1d48be2e473fd8727239</Content> <Comment>appmgmt.dll</Comment> </IndicatorItem> <IndicatorItem id="64d2746e-a20b-4fae-af67-06e8221ea112" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">41bb847963a8fce70ad21e70dd786107</Content> <Comment>rasautoe.dll</Comment> </IndicatorItem> <IndicatorItem id="77f946d9-bd9f-49aa-bd2b-9891b55b6adb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">435991e0c67f0c0b4504355b6d4493f0</Content> <Comment>4.exe</Comment> </IndicatorItem> <IndicatorItem id="2ec17dff-0a4b-4404-bfb9-5513d655a047" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">46c36c11238100e155f6d418332869ea</Content> <Comment>1.dll</Comment> </IndicatorItem> <IndicatorItem id="9a7022fc-e399-4a93-91dd-9714edabc42f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">471005f73280264c48f769e1c21fbcc1</Content> <Comment>sound.exe</Comment> </IndicatorItem> <IndicatorItem id="dae02941-49da-4a9f-b1a6-217aa976d3b4" condition="is"> 
<Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4d21cc82e4031e1d6bb15541827b9e67</Content> <Comment>rasauto.dll</Comment> </IndicatorItem> <IndicatorItem id="5bd1bbcc-1397-4088-808e-7fee1ed4554d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">543c283d691939d99667e22bcb7be610</Content> <Comment>smagent.exe</Comment> </IndicatorItem> <IndicatorItem id="a8a846b7-9862-4fb2-ae26-0092fd74545f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">55f60194833efcbc8ac16bd0a1cced1a</Content> <Comment>1.exe</Comment> </IndicatorItem> <IndicatorItem id="34c94390-75ac-4859-9caf-bf021e9ed0ce" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">55fb1409170c91740359d1d96364f17b</Content> <Comment>reader_sl.exe</Comment> </IndicatorItem> <IndicatorItem id="bb05e832-320d-484c-984e-7c9004b71ab1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">57e79f7df13c0cb01910d0c688fcd296</Content> <Comment>unknown</Comment> </IndicatorItem> <IndicatorItem id="23166621-b363-4d13-8d2a-36848bbf62ef" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">58b020fd3bc0d34e8c4eaf0a3f3135af</Content> <Comment>2.dll</Comment> </IndicatorItem> <IndicatorItem id="18f011f0-f745-4a17-9489-4b313b78430c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5aeaa53340a281074fcb539967438e3f</Content> <Comment>cat_6.exe</Comment> </IndicatorItem> <IndicatorItem id="32d9d3e3-247a-4814-871c-a2babb11470d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5cd578614afb50b925008b68b3accdb9</Content> <Comment>cat.exe</Comment> </IndicatorItem> <IndicatorItem id="275c7cf8-3fec-4250-8321-44beaf6fd69a" condition="is"> <Context 
document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5cf0959687427850a92d7f69edd41b86</Content> </IndicatorItem> <IndicatorItem id="0f2e40fe-a821-4e2d-84a5-4b76a184012e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5e42780f52763c77d592044e535e4b01</Content> </IndicatorItem> <IndicatorItem id="06c9e45a-f169-42a1-9b13-897af75de113" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5f837bbfd3b458321070e2aebca4ec46</Content> <Comment>ose.exe</Comment> </IndicatorItem> <IndicatorItem id="8d300eb0-cb97-4330-93dc-843a8cc7e2aa" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6570163cd34454b3d1476c134d44b9d9</Content> <Comment>sound.exe</Comment> </IndicatorItem> <IndicatorItem id="aef94cef-dc4e-4b2a-8225-9d95136bc755" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">68c67a6e26855ebc2569d67689c69a6e</Content> <Comment>a1.dll</Comment> </IndicatorItem> <IndicatorItem id="5023dbc8-9694-4991-82f6-45fe4d5540ca" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6d2320af561b2315c1241e3efd86067f</Content> <Comment>1.dll</Comment> </IndicatorItem> <IndicatorItem id="f0444f6b-c0d5-4260-b3a3-c9c68e4af739" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6fdec862951e8b128cd7a07b2031eef6</Content> <Comment>hkcmd.exe</Comment> </IndicatorItem> <IndicatorItem id="d525d2c9-f65c-4758-9f9e-af6b0d579663" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7388d67561d0a7989202ad4d37eff24f</Content> </IndicatorItem> <IndicatorItem id="2ac47a09-7e4b-4ac4-bb5c-7d52464884d7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">75ff4bd6b209b6f10472c4cd22e3f9e6</Content> </IndicatorItem> <IndicatorItem id="cac4805b-02ec-4cb2-b858-3b27d38cb682" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7bfeb0eaa1c51513e60bc0abafb1be9f</Content> </IndicatorItem> <!-- NOTE(review): the next item repeats the MD5 value of the item just before it; only the Comment (1.exe) differs. Redundant under an OR, so deduplicate on ingest to keep unique-hash counts accurate. --> <IndicatorItem id="28a1d405-9c3f-4d9f-aa23-6de71d4bc41e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7bfeb0eaa1c51513e60bc0abafb1be9f</Content> <Comment>1.exe</Comment> </IndicatorItem> <IndicatorItem id="6197cea2-6385-465b-9fcd-78bebdc39af2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7c82cd17b0fa420f09f97e060621ed7b</Content> <Comment>2.dll</Comment> </IndicatorItem> <IndicatorItem id="47d34f53-7514-4df6-b7c4-2e668fe5e25b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8454918f639a1b0719e00627f211d2ed</Content> <Comment>us.exe</Comment> </IndicatorItem> <IndicatorItem id="8998f977-7229-4133-93fa-199947f79e15" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">86dd715a8d28788e68a575207d66df34</Content> <Comment>1.exe</Comment> </IndicatorItem> <IndicatorItem id="b27d81e7-e6f1-46ad-b4ec-ecca558965b8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">871cc547feb9dbec0285321068e392b8</Content> </IndicatorItem> <IndicatorItem id="70082008-096d-40ca-8c83-e14beffe88f5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8725870a43192cb0176c82012996910a</Content> <Comment>cat3.exe</Comment> </IndicatorItem> <IndicatorItem id="50006157-6205-472e-afd6-9efebcd100ad" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">88b5f635ac9031bcdeda1f751952f966</Content> </IndicatorItem> <IndicatorItem 
id="4477fab7-4163-4af1-ad10-3fc91bd3b4c2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8913ac72cdb8afd98bd8446896e1595a</Content> <Comment>reg.exe</Comment> </IndicatorItem> <IndicatorItem id="38b1e400-a382-465d-96dc-1dfab9c6b6b1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8a7764ded8467bd0fd0c30adc2acc1d4</Content> </IndicatorItem> <IndicatorItem id="3a96f94b-5379-4a81-b5f9-fa09afcc08a1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8dfbf8a46d3a302fd420305918e9414d</Content> </IndicatorItem> <IndicatorItem id="7a940ca1-edde-4409-b21a-ce7fb46b077e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8e1ec7e556b8c6612b6c34e310c50b66</Content> <Comment>hkcmd.exe</Comment> </IndicatorItem> <IndicatorItem id="9e80350c-058f-461b-9064-61af37e28f8c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8f3d20c983f9d82a8ff17466f45ee757</Content> <Comment>cnn.exe</Comment> </IndicatorItem> <IndicatorItem id="96232b18-df03-4e8b-86ea-204500bb30ca" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8f4863b4dfb52d8362c031d3720a6d97</Content> <Comment>1.dll</Comment> </IndicatorItem> <IndicatorItem id="3baabbac-2dce-450c-9330-321c727d4fce" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">91deceb64c795927c6ea07f695f67334</Content> <Comment>soundmax.exe</Comment> </IndicatorItem> <IndicatorItem id="516da75b-a9ce-40dc-8d9c-f45672885599" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">91f538c08b9dee1bb0c6b6c82f727c5d</Content> </IndicatorItem> <IndicatorItem id="afd2f86b-3c67-4203-aa53-06f3e7387abf" condition="is"> <Context document="FileItem" 
search="FileItem/Md5sum" type="mir"/> <Content type="md5">95d85aa629a786bb67439a064c4349ec</Content> </IndicatorItem> <IndicatorItem id="c6fcda16-4d86-41f5-86a2-2e4ad40641f5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">98d257a13d176940910d6441a854d7a4</Content> <Comment>rasautoe.dll</Comment> </IndicatorItem> <IndicatorItem id="30cdb260-0f62-4ded-9ba2-19e9c518c9d5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9e511dc5ad8a884f4416e68c54f742e1</Content> <Comment>1.exe</Comment> </IndicatorItem> <IndicatorItem id="481c3313-50c7-4159-9b24-e3d0078d0cc1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a241eec892637dec971bd925a40d3efb</Content> </IndicatorItem> <IndicatorItem id="c0effb84-c3e6-47f6-a3da-08f5491c42de" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a565682d8a13a5719977223e0d9c7aa4</Content> <Comment>wmdmpmsn.dll</Comment> </IndicatorItem> <IndicatorItem id="7a0f19f5-055f-4d1a-94a0-61659717d4c4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a96a6c91e71e243f00a64f53e2fd6415</Content> <Comment>ks.exe</Comment> </IndicatorItem> <IndicatorItem id="57ae3129-905d-4e92-b377-b96bd539ae84" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a99e06e2f90db4e506ef1347a8774dd5</Content> <Comment>svchost.exe</Comment> </IndicatorItem> <IndicatorItem id="2a3b7d04-9696-444c-b1ac-c2661327b87f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ab208f0b517ba9850f1551c9555b5313</Content> <Comment>cat_5.exe</Comment> </IndicatorItem> <IndicatorItem id="8ab89f41-c82d-49d3-a4bd-97c01be38ff4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">ad3cccbe9ddff04b670d353b938f5da9</Content> <Comment>setup.exe</Comment> </IndicatorItem> <IndicatorItem id="b269a41a-09b6-4e11-b395-3a84a69ab486" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">af2745e8888f2ba17a9cf2e0779d3874</Content> </IndicatorItem> <IndicatorItem id="58f6187b-36c7-452f-82c5-dd649f81aab9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b145e4d19f5ecfaad45c795aee69c8dc</Content> <Comment>1.exe</Comment> </IndicatorItem> <IndicatorItem id="bb9dd9d0-794e-47aa-9922-d287db0eda13" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b1912db011633d98bc40ac568a4167a7</Content> </IndicatorItem> <IndicatorItem id="9c91f63b-3221-42dc-b68f-a8a9637526c0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b1ff1ef983a1aee3a395788ec441d006</Content> <Comment>rasautoe.dll</Comment> </IndicatorItem> <IndicatorItem id="8555081f-f434-44c9-8704-682ffb833118" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b3bc979d8de3be09728c5de1a0297c4b</Content> <Comment>rasauto32.dll</Comment> </IndicatorItem> <IndicatorItem id="9e9b3fc8-dca1-4b8d-97b8-2f934db54bfc" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b5e9ce72771217680efaeecfafe3da3f</Content> </IndicatorItem> <IndicatorItem id="86127e61-8b13-43b4-be1a-55cdcb39ec21" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b8f61242e28f2edf6cb1be8781438491</Content> <Comment>ose.exe submarine.exe</Comment> </IndicatorItem> <IndicatorItem id="5b4e926d-04c3-42f5-aecf-b999c6c05848" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ba0c4d3dbf07d407211b5828405a9b91</Content> 
<Comment>reader_sl.exe</Comment> </IndicatorItem> <IndicatorItem id="48c6cd00-0079-4c5b-a110-1365bf086141" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bc756bb6bf4e7b2058e8dce6ba8b1a79</Content> </IndicatorItem> <IndicatorItem id="ecd8afec-bd5a-4450-9629-5461f89ddd4d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c044715c2626ab515f6c85a21c47c7dd</Content> <Comment>reg.exe</Comment> </IndicatorItem> <IndicatorItem id="2e081c5e-ade1-418e-b529-abca2aabe25a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c30c7fa2eb06fc8c9ebbe955abe26edd</Content> <Comment>cat_6.exe</Comment> </IndicatorItem> <IndicatorItem id="e4cc9324-dfe2-47a6-b7bc-20ca16fa2ee6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c3de028cbc5aa0934008d95689d5f334</Content> <Comment>wmiprvse.exe</Comment> </IndicatorItem> <IndicatorItem id="30c32ef6-bc23-46d8-82a2-726a4ea928d1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c763e041c8e85c195ade90e120338be7</Content> <Comment>1.exe</Comment> </IndicatorItem> <IndicatorItem id="f9d1ec1d-866a-4784-8c86-99fffe93185a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c799e1d25839e1efb2b3d42d6d6efd26</Content> <Comment>svchost.exe</Comment> </IndicatorItem> <IndicatorItem id="d55f6ff6-48ad-4328-b663-dc2c6da7641f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cc17fe9f2d254ad28d050bf5c1df983d</Content> <Comment>wmdmpmsn.dll</Comment> </IndicatorItem> <IndicatorItem id="79268e88-068f-4cdd-9ff6-c082e547ec53" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ccfb7a84bb87cc8f86ddd260ad38ed5b</Content> <Comment>cat4.exe</Comment> 
</IndicatorItem> <IndicatorItem id="9afbad71-cb40-4d0c-b6ae-46cadb3db781" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cd2102c5db1ed828a9c196448c40af3e</Content> <Comment>rasauto32.dll</Comment> </IndicatorItem> <IndicatorItem id="2588b066-a161-44d4-902b-62ef027e37bd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cd677f9ede43b4b86b421db249c0e020</Content> <Comment>1.dll</Comment> </IndicatorItem> <IndicatorItem id="cf4f20e4-6bb5-4a81-ad07-7de57b0d4180" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d47b04327157fb188c0e81886e346c48</Content> <Comment>rasautoe.dll</Comment> </IndicatorItem> <IndicatorItem id="0a1e6213-3002-4ec0-a4e6-d6b429d3b69b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d52f35c4c9dbda4c94164291df8a2724</Content> <Comment>cat.exe</Comment> </IndicatorItem> <IndicatorItem id="3b9b8c92-5f09-4e1b-afe7-df0294ba9686" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e0fc0fae758d7c6091cdb11d5ef98e0e</Content> <Comment>cat_7.exe</Comment> </IndicatorItem> <IndicatorItem id="dc7e7a14-05fc-41f5-9675-b6c6eb1552d2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e54ce5f0112c9fdfe86db17e85a5e2c5</Content> </IndicatorItem> <IndicatorItem id="f4c09e1d-7087-47c6-90a1-eceae9d82ad2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e56e4b20ef6dc09d29be49481bd29561</Content> <Comment>mm.exe</Comment> </IndicatorItem> <IndicatorItem id="b213c45c-ffd2-4475-a260-5e4438bb7d07" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e65c0b3f4dd2f3c9f728077ed1e48f7e</Content> <Comment>1.exe</Comment> </IndicatorItem> <IndicatorItem 
id="e17f6723-f44f-42ce-9463-12675262ab9e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e83f60fb0e0396ea309faf0aed64e53f</Content> </IndicatorItem> <IndicatorItem id="c96f2ec0-0741-4309-b7a0-d3c402b9b28f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ecf900c9d743631b59442240ac4ce9da</Content> <Comment>wmpnetwk.exe</Comment> </IndicatorItem> <IndicatorItem id="04fbd074-b06b-4f5b-9437-d6f0b0f3b230" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f4ed3b7a8a58453052db4b5be3707342</Content> </IndicatorItem> <IndicatorItem id="7ed3aec7-4da9-4abd-af8f-614d0053aa9c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f8892c6dacbf7ac756abb361e48bbc82</Content> <Comment>cat_7.exe</Comment> </IndicatorItem> <IndicatorItem id="0713088c-194b-4cc1-a491-ed154bf82d92" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f904ea9bc8e2d7ce13a6007183da5957</Content> <Comment>cat_6.exe</Comment> </IndicatorItem> <IndicatorItem id="fac0b607-932f-404a-96e0-69b19a1f6399" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fab6b0b33d59f393e142000f128a9652</Content> </IndicatorItem> <IndicatorItem id="4d9d2497-c5ae-45d0-bb53-f6bd171de802" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fae6eaf695af058af4b8dfee0709bf51</Content> <Comment>updater.exe</Comment> </IndicatorItem> <IndicatorItem id="6a0fec6b-6e86-4d0e-a7b4-74d5fa99fdd6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fc9d20d555a88fc827f3a2bfec4dfa36</Content> </IndicatorItem> <IndicatorItem id="eb90e9a9-70ab-44b3-b34f-5140172354c4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" 
type="mir"/> <Content type="md5">ff085d421518772ce2df75282363279f</Content> <Comment>wmdmpmsn.dll</Comment> </IndicatorItem> <IndicatorItem id="6bdbb07f-5f6e-4806-b78c-b3d73f92b911" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ff2d1edbcaf04e8a02dc61fc225e2b91</Content> </IndicatorItem> <!-- String items: exact-match (condition="is") entries against FileItem/StringList/string. Like the MD5 items, they are direct children of the top-level OR, so a single string hit satisfies this IOC without any hash match. --> <IndicatorItem id="8f98bd19-023d-43e1-8899-49977d7080f5" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">Shell started fail!</Content> <Comment>hardcoded strings found in most variants of this malware family.</Comment> </IndicatorItem> <IndicatorItem id="aa52dd4a-dd21-46ab-a4f4-517e44725306" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">Totally %d volumes found.</Content> <Comment>hardcoded strings found in most variants of this malware family.</Comment> </IndicatorItem> <!-- AND group: its children count only in combination. The first child is an OR list of exact file sizes (FileItem/SizeInBytes); a size hit on its own does not satisfy the IOC. --> <Indicator operator="AND" id="c2f31e25-cb56-4f34-99a0-514ea9014119"> <Indicator operator="OR" id="43a988bd-6eb5-42bc-a501-d20ce872a28e"> <IndicatorItem id="f182b0d0-f9d4-421c-bde7-e0427f0beea3" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">13312</Content> </IndicatorItem> <IndicatorItem id="33fb6f35-7e9e-4453-9f16-dc4371893d1d" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">14336</Content> </IndicatorItem> <IndicatorItem id="446de80d-55b4-43f7-a123-e1db1058bc9c" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">14848</Content> </IndicatorItem> <IndicatorItem id="dc38792a-69ad-44bf-89c0-f45452609235" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">15872</Content> </IndicatorItem> <IndicatorItem id="ad1165f3-4a6e-4d70-bdd3-d09b263abd22" condition="is"> <Context document="FileItem" 
search="FileItem/SizeInBytes" type="mir"/> <Content type="int">16384</Content> </IndicatorItem> <IndicatorItem id="088967e0-f8cc-47a8-b8a1-d597581ba44a" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">16896</Content> </IndicatorItem> <IndicatorItem id="2f58f03c-388f-431e-8205-d1f06d859caa" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">17408</Content> </IndicatorItem> <IndicatorItem id="b04ad4fe-6bbc-4f51-924b-cc770f52f2cc" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">18432</Content> </IndicatorItem> <IndicatorItem id="b3dd9dac-18f4-4cf2-9766-0fc8341604ba" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">18433</Content> </IndicatorItem> <IndicatorItem id="6730ced8-9060-44cb-8b72-7036cf5e3ad8" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">18944</Content> </IndicatorItem> <IndicatorItem id="deee105c-12d9-4cca-8bc6-7b681753f050" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">19968</Content> </IndicatorItem> <IndicatorItem id="d4a19b79-a3a6-4e67-907c-4fea87ae4f2f" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">20480</Content> </IndicatorItem> <IndicatorItem id="c8825928-db80-47ac-9755-e3c05acbb2fc" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">20712</Content> </IndicatorItem> <IndicatorItem id="313b9bab-caf4-48b2-9dcd-b9b018f2ca5c" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">22016</Content> </IndicatorItem> <IndicatorItem id="262cfae5-c684-40bf-b777-5cd4799dcfc9" condition="is"> <Context document="FileItem" 
search="FileItem/SizeInBytes" type="mir"/> <Content type="int">22528</Content> </IndicatorItem> <IndicatorItem id="dfecc66f-e6d8-49ce-b21a-b0fa6f917008" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">78848</Content> </IndicatorItem> <IndicatorItem id="94f66886-459b-430d-90de-7f0a8a81c257" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">81920</Content> </IndicatorItem> </Indicator> <!-- Next child of the AND group: OR list of exact PE header timestamps (FileItem/PEInfo/PETimeStamp, values written with a Z suffix). NOTE(review): a file size plus a PE timestamp is a weaker identifier than a full-file hash, since unrelated files can share both; treat hits from this group as leads to verify. Confirm the intended confidence against the report. --> <Indicator operator="OR" id="d3e1a9a7-b519-46cf-814b-9183e892889f"> <IndicatorItem id="aca8aa51-a223-40ab-8329-f1845a846ca0" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-02-05T07:14:01Z</Content> </IndicatorItem> <IndicatorItem id="886415c2-623d-40bb-b324-b880fb4d1dab" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-02-05T07:16:28Z</Content> </IndicatorItem> <IndicatorItem id="f783f0ee-82e9-4752-b392-efbd3120ad98" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-02-05T07:20:22Z</Content> </IndicatorItem> <IndicatorItem id="db07a6d3-0cbb-4dca-a49a-83b598215c01" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-02-05T07:25:02Z</Content> </IndicatorItem> <IndicatorItem id="94926b82-e2d1-4af9-a4d0-dd56283a2d53" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-08-18T07:22:03Z</Content> </IndicatorItem> <IndicatorItem id="a828169a-b40a-42bc-8be0-7a73461ea47f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-05-20T07:01:21Z</Content> </IndicatorItem> <IndicatorItem id="a340c536-131a-4b82-9c17-ab9256120b7a" condition="is"> <Context 
document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-10-21T06:51:09Z</Content> </IndicatorItem> <IndicatorItem id="52ff7f5b-b18d-46c7-beec-e4ff4ca1b40b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-11-17T13:37:00Z</Content> </IndicatorItem> <IndicatorItem id="01ff1530-4688-471a-984d-58e9fcefb82a" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-03-31T13:45:26Z</Content> </IndicatorItem> <IndicatorItem id="cf0dcd37-f55d-4b8e-9310-944ab627f3de" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-04-02T09:07:51Z</Content> </IndicatorItem> <IndicatorItem id="52578931-211e-4c14-89de-3351ba97eae3" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-08-09T01:37:23Z</Content> </IndicatorItem> <IndicatorItem id="08b40441-1179-4a43-a19c-84225cbd4e9b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-08-09T02:14:33Z</Content> </IndicatorItem> <IndicatorItem id="587379ba-23fa-4399-a47d-1e8a9abac22d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-08-09T02:20:47Z</Content> </IndicatorItem> <IndicatorItem id="036e3e8a-21ed-43d1-bead-639723eb5250" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-08-19T02:34:16Z</Content> </IndicatorItem> <IndicatorItem id="03d9dd67-e0e0-4282-8e0a-7e97c2b787f3" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-10-14T08:42:16Z</Content> </IndicatorItem> <IndicatorItem id="5fc14e27-5c2d-400d-a041-d3f9a351efb3" condition="is"> <Context 
document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-10-14T11:58:04Z</Content> </IndicatorItem> <IndicatorItem id="e2eba2bf-9d47-4c20-aaa9-f2cc2d2b7dde" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-10-31T14:30:39Z</Content> </IndicatorItem> <IndicatorItem id="b68a4775-fbbd-4460-aaac-99574efa6259" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-11-09T03:26:25Z</Content> </IndicatorItem> <IndicatorItem id="a3d59d13-245e-4138-841b-e6717cca81f0" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-11-09T07:31:11Z</Content> </IndicatorItem> <IndicatorItem id="672bc832-720b-4555-8e57-9b7d04dfaa69" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-11-17T07:22:44Z</Content> </IndicatorItem> <IndicatorItem id="e2a510e4-730b-4a3a-9309-e5bb485ceda4" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-11-17T07:43:50Z</Content> </IndicatorItem> <IndicatorItem id="7e4e361a-2b41-4352-9e59-6dd9b9451bb0" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-03-22T08:10:30Z</Content> </IndicatorItem> <IndicatorItem id="3867dff7-15d9-448f-b4cd-7305b8bbc37f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-03-28T01:50:55Z</Content> </IndicatorItem> <IndicatorItem id="5aa85a39-c0af-465a-843a-257fd5b6c585" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-03-28T15:39:00Z</Content> </IndicatorItem> <IndicatorItem id="f282192c-e23c-4c24-a18a-92553cad4e17" condition="is"> <Context 
document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-06-21T07:25:02Z</Content> </IndicatorItem> <IndicatorItem id="5fcf6eda-d58c-4ed0-a97e-80a5c9393a78" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-06-21T09:32:12Z</Content> </IndicatorItem> <IndicatorItem id="5bd61fb0-a61d-465d-bbec-22e606c97254" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-06-21T10:48:56Z</Content> </IndicatorItem> <IndicatorItem id="19d1c945-f06d-4858-8c90-c19a5cf6059d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-06-26T02:57:58Z</Content> </IndicatorItem> <IndicatorItem id="be478e8d-6e76-427b-b19e-4cbc7f9b9459" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-06-26T03:30:05Z</Content> </IndicatorItem> <IndicatorItem id="63359ec3-c1c1-4217-a698-1500bbac1937" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-06-26T03:47:43Z</Content> </IndicatorItem> <IndicatorItem id="e486cb73-c290-4099-aefd-52650bd425b6" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-09-03T03:38:15Z</Content> </IndicatorItem> <IndicatorItem id="528d6d2b-6bfe-4cbe-a1d7-7fa4d2304fc8" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-11-16T07:35:22Z</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="df558a55-379d-4ded-86d5-3a8d74adb0d1"> <IndicatorItem id="5c088198-0b7a-4eab-bd26-3591ab2d9ff0" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">1.dll</Content> </IndicatorItem> <IndicatorItem 
id="5f85346b-8124-4f38-8af7-f7ecb05db34e" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">1.exe</Content> </IndicatorItem> <IndicatorItem id="f2e7493a-a858-4d38-bb8f-cb51725d7197" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">2.dll</Content> </IndicatorItem> <IndicatorItem id="ae032710-5891-4588-b255-ec1bcf04d227" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">4.exe</Content> </IndicatorItem> <IndicatorItem id="90181041-7e54-4d69-8305-3b1db1feaf13" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">a1.dll</Content> </IndicatorItem> <IndicatorItem id="5147aced-2af6-4b61-9db9-9842cb4692a7" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">appmgmt.dll</Content> </IndicatorItem> <IndicatorItem id="00676dcf-c5cb-4918-9b9d-6ee12587bf6f" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">cat_3.exe</Content> </IndicatorItem> <IndicatorItem id="6e0f4f57-9b9f-4adf-b34e-2cf20db7955a" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">cat_5.exe</Content> </IndicatorItem> <IndicatorItem id="c847c5ba-6bd5-4692-8651-077f72771891" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">cat_6.exe</Content> </IndicatorItem> <IndicatorItem id="ca84737a-e426-43d7-a145-7a8778a57353" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">cat_7.exe</Content> </IndicatorItem> <IndicatorItem id="817ecb8f-d922-41d1-8da1-c01d4a4f272c" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">cat.exe</Content> </IndicatorItem> 
<IndicatorItem id="78215b3b-52b0-4720-886d-a416312c4236" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">cat3.exe</Content> </IndicatorItem> <IndicatorItem id="10b1ba03-b276-4295-8c03-b17be46d3485" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">cat4.exe</Content> </IndicatorItem> <IndicatorItem id="e58150ca-8af3-4b2b-9659-7351a42cb26c" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">cisvc.exe</Content> </IndicatorItem> <IndicatorItem id="19a33044-b55b-4b13-ba16-82faddbfad8b" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">cnn.exe</Content> </IndicatorItem> <IndicatorItem id="0f112a97-c7cd-447f-bf38-2f3b3a5a14e6" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">gaemm.exe</Content> </IndicatorItem> <IndicatorItem id="86677460-02a8-4ab5-b707-11bf120664af" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">green.exe</Content> </IndicatorItem> <IndicatorItem id="104e8295-9b63-4595-90ea-d0cd9a18d93c" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">hkcmd.exe</Content> </IndicatorItem> <IndicatorItem id="a115f280-dc6c-4aab-8fc4-f640ebf7a599" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">iexplore.exe</Content> </IndicatorItem> <IndicatorItem id="62ffa38b-9aab-4b6c-890e-5ac830ebd648" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">ks.dll</Content> </IndicatorItem> <IndicatorItem id="111eb85c-83ea-4427-a8c9-ea9ad705bfa9" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">ks.exe</Content> 
</IndicatorItem> <IndicatorItem id="ddfc26c5-69c1-4ad4-9290-28da46bd2a7b" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">mm.exe</Content> </IndicatorItem> <IndicatorItem id="45f9c1d9-1a20-4289-b3e4-72035cc5f54d" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">OSE.EXE</Content> </IndicatorItem> <IndicatorItem id="526c052f-dd62-4a18-a752-0ec9465a452c" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">rasauto32.dll</Content> </IndicatorItem> <IndicatorItem id="81542abd-8975-47bd-ab2a-657b2fb140fa" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">rasautoe.dll</Content> </IndicatorItem> <IndicatorItem id="4b915b30-cf6d-46bc-b5b2-5351595ad4af" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">rasuto.dll</Content> </IndicatorItem> <IndicatorItem id="c0da7416-a51a-44f3-a64c-abcbdf00b8b4" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">reader_sl.exe</Content> </IndicatorItem> <IndicatorItem id="38828ede-349a-40d9-961f-bed923058774" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">reg.exe</Content> </IndicatorItem> <IndicatorItem id="dedc26f8-efce-45e0-80c5-b1ed8a00cd89" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">setup.exe</Content> </IndicatorItem> <IndicatorItem id="11534ab5-3378-4741-b68b-478e0a28fc15" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">smagent.exe</Content> </IndicatorItem> <IndicatorItem id="22b5f861-72fb-4fa5-a0b1-1693fc0f191d" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content 
type="string">sound.exe</Content> </IndicatorItem> <IndicatorItem id="f39f176a-4b56-4be2-a179-8c89961c9683" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">soundmax.exe</Content> </IndicatorItem> <IndicatorItem id="5e398c96-f8d9-4d5f-9753-f416d5e8ae49" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">spoolsv.exe</Content> </IndicatorItem> <IndicatorItem id="20e50cd6-96c3-41d8-9adc-2292fa4bdc7b" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">SUBMARINE.EXE</Content> </IndicatorItem> <IndicatorItem id="80667694-eb92-41a9-9165-6ed899daf12f" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">svchost.exe</Content> </IndicatorItem> <IndicatorItem id="758e4343-da6a-4027-aeb3-e6c8dd5c4cff" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">updater.exe</Content> </IndicatorItem> <IndicatorItem id="398ce8b3-2b65-443c-9063-6552f05cfb2f" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">us.exe</Content> </IndicatorItem> <IndicatorItem id="121b193a-987d-44ee-81f1-05c6cf4ea96f" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">wmdmpmsn.dll</Content> </IndicatorItem> <IndicatorItem id="5a0f7b94-948e-4299-be06-823550dd1b33" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">wmiprvse.exe</Content> </IndicatorItem> <IndicatorItem id="bc8911a3-2177-4c1a-850a-478b34ac2fe4" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">wmpnetwk.exe</Content> </IndicatorItem> <IndicatorItem id="935eb617-dec2-4ba9-9aa5-cf2a42c30722" condition="is"> <Context document="FileItem" 
search="FileItem/FileName" type="mir"/> <Content type="string">wuauclt.exe</Content> </IndicatorItem> <IndicatorItem id="8b9e7dbf-c817-4807-bff6-bdf646120e0c" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">dating.dll</Content> </IndicatorItem> <IndicatorItem id="f3678b88-9342-45c7-b7fa-b44979617005" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">shop.exe</Content> </IndicatorItem> <IndicatorItem id="55dec592-caaf-426b-9fcf-219e50b3a013" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">engineose.exe</Content> </IndicatorItem> <IndicatorItem id="f40fc85a-9081-409c-bb85-2c60cd1b27e3" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">contains_eof_data</Content> <Comment>anomaly found in some variants of this malware family</Comment> </IndicatorItem> <IndicatorItem id="4166b560-dd02-4d08-9074-b28749ced2f5" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>anomaly found in most variants of this malware family</Comment> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="9f152ffb-afc3-404e-a038-350585bbf92b"> <IndicatorItem id="7a01cc6b-b5ab-4790-a5d4-87b2fdf5428c" condition="is"> <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Type" type="mir"/> <Content type="string">Mutant</Content> </IndicatorItem> <Indicator operator="OR" id="c0710194-482e-4a16-9f73-a19cf0313212"> <IndicatorItem id="2d8255d2-641a-4761-a6a5-771bd74344eb" condition="is"> <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/> <Content type="string">ADR32</Content> <Comment>mutex created by some variants of this family</Comment> </IndicatorItem> 
<IndicatorItem id="25da2178-8ba7-43f0-bfbf-ec6184930dd9" condition="is"> <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/> <Content type="string">ADR64</Content> <Comment>mutex created by some variants of this family</Comment> </IndicatorItem> <IndicatorItem id="19cb7aea-26cb-41b7-afd7-356606ca4434" condition="is"> <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/> <Content type="string">AdobeReaderX</Content> <Comment>mutex created by some variants of this family</Comment> </IndicatorItem> </Indicator> </Indicator>
<!-- Export-table branch: every term of this AND must match. The terms are an export DLL name containing ntlmsvc.dll, exported function names containing install, uninstall and servicemain, and an export count of exactly 3. -->
<Indicator operator="AND" id="2bf622df-ca79-4f3e-9bb5-f38fc70bc2a4"> <IndicatorItem id="e9e4fa0f-9186-4f02-b8d3-412690f80aba" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">ntlmsvc.dll</Content> <Comment>unique set of exports found in about a third of the samples</Comment> </IndicatorItem>
<!-- Because the condition is "contains", this term is satisfied by any export whose name contains "install", which includes the "uninstall" export tested by the next item. It therefore adds no selectivity of its own; the DllName and NumberOfFunctions terms carry the specificity of this branch. NOTE(review): the function names here are lower-case; confirm that the consuming tool compares export names case-insensitively. -->
<IndicatorItem id="12c7431c-d0f0-4b3c-ae1d-db0622b1c4ec" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">install</Content> <Comment>unique set of exports found in about a third of the samples</Comment> </IndicatorItem> <IndicatorItem id="96cb3701-ae2b-4fba-b108-28f79b1760a2" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">uninstall</Content> <Comment>unique set of exports found in about a third of the samples</Comment> </IndicatorItem> <IndicatorItem id="3a86f589-7791-4ece-9a53-fe3872c814f4" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">servicemain</Content> <Comment>unique set of exports found in about a third of the samples</Comment> </IndicatorItem> <IndicatorItem id="e8b9edd9-a3eb-462f-b8ec-22c0d7625359" condition="is"> 
<Context document="FileItem" search="FileItem/PEInfo/Exports/NumberOfFunctions" type="mir"/> <Content type="int">3</Content> <Comment>unique set of exports found in about a third of the samples</Comment> </IndicatorItem> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-554448f5-8e09-4c72-9dd9-5e2e1047eb33"> <indicator:Title>HELAUTO (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> This family of malware is designed to operate as a service and provides remote command execution and file transfer capabilities to a fixed IP address or domain name. All communication with the C2 server happens over port 443 using SSL. This family can be installed as a service DLL. Some variants allow for uninstallation. </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-8a8fadb8-96e5-46da-b874-ba9522968577"/> <cybox:Observable idref="mandiant:observable-96064940-6bcb-43b7-b2a8-dd7671c61f27"/> <cybox:Observable idref="mandiant:observable-09513ce3-4ec5-4070-87b4-6ceecf28d66b"/> <cybox:Observable idref="mandiant:observable-b682a1b6-3efb-40dd-8262-26c99582e34d"/> <cybox:Observable idref="mandiant:observable-f170ec88-3afa-4602-b72b-3b05732b8a59"/> <cybox:Observable idref="mandiant:observable-67bb1f06-e71f-4d6a-8c4d-45d590e25859"/> <cybox:Observable idref="mandiant:observable-e786a178-8f96-4821-8a2f-9aea0b04bd69"/> <cybox:Observable idref="mandiant:observable-9bc2e53d-1fef-44b0-ad66-93329a14b18e"/> <cybox:Observable idref="mandiant:observable-b047a969-9ee5-4c47-b905-3d57dea106a8"/> <cybox:Observable idref="mandiant:observable-86cbbc7b-8373-4483-8cb4-f74d0d316b08"/> <cybox:Observable idref="mandiant:observable-fe1b00c1-9945-4e94-9b8a-da1c14dfd592"/> 
<cybox:Observable idref="mandiant:observable-4fde81d5-41b6-4e33-a221-d1dd64868f44"/> <cybox:Observable idref="mandiant:observable-21217a83-702c-4696-9328-e9220355868c"/> <cybox:Observable idref="mandiant:observable-a2fa50e8-4165-4f32-9f0e-3fe5f47663c8"/> <cybox:Observable idref="mandiant:observable-93f74395-d7e8-4a5f-9459-75b93dfb5652"/> <cybox:Observable idref="mandiant:observable-4bf1eba4-af8e-4d7d-a794-6337cef6d77b"/> <cybox:Observable idref="mandiant:observable-88fe1d0b-51cc-406e-816d-3d1877d161ab"/> <cybox:Observable idref="mandiant:observable-2f4f9327-0216-44c8-9e53-1d23698caf72"/> <cybox:Observable idref="mandiant:observable-7e923e4e-4ac5-4c6e-8ba0-7ae8bcb2851e"/> <cybox:Observable idref="mandiant:observable-ddfdbf22-1590-4527-b017-224b8a2f24b6"/> <cybox:Observable idref="mandiant:observable-32fcff4b-7c5f-4e34-9783-edb887fe73a5"/> <cybox:Observable idref="mandiant:observable-fa85a793-627a-48ce-91bc-e425c497a932"/> <cybox:Observable idref="mandiant:observable-c125aae2-69c3-4eb7-9293-c24c51d15b1c"/> <cybox:Observable idref="mandiant:observable-75074d1b-d72f-4fb0-bd5f-6eac577a6c63"/> <cybox:Observable idref="mandiant:observable-c6941c3a-15e4-47f3-b81b-74992538f067"/> <cybox:Observable id="mandiant:observable-36858811-aa63-43e8-a397-ee3d462764e9"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-2b9c07e6-ec6b-4484-a4a4-12492f7b9481"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-bc4e6a25-4073-40b9-abb2-ff9697fb2d13"/> <cybox:Observable idref="mandiant:observable-832e2c3f-0f51-46ff-940b-21ce999aef50"/> <cybox:Observable idref="mandiant:observable-a58f5ff2-8dbe-4926-a86f-08b0bf6e24bc"/> <cybox:Observable idref="mandiant:observable-3fc7d896-24f6-4a68-88a4-6b6bbb30284b"/> <cybox:Observable idref="mandiant:observable-e4ec6bc3-ca87-46ed-aa7d-7236e3df15d6"/> <cybox:Observable idref="mandiant:observable-4f7a652e-3392-4c4a-8ee2-301968a34507"/> <cybox:Observable 
idref="mandiant:observable-8284e473-1c40-4317-88e4-2274a05f8699"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-5ecac869-88d1-468e-b7bc-8ce6263a6407"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-8399140e-d68f-4e6a-bcc1-b1a2866c4bc3"/> <cybox:Observable idref="mandiant:observable-19c390ad-2f2f-40c0-8da5-1bf39de9e31a"/> <cybox:Observable idref="mandiant:observable-b48100bd-5e0c-4d2e-bcfa-448b44abe524"/> <cybox:Observable idref="mandiant:observable-a75807dd-ffca-40c5-86b4-9dcde61a7c6b"/> <cybox:Observable idref="mandiant:observable-af2c684f-d214-4b14-bbba-41682eca0e54"/> <cybox:Observable idref="mandiant:observable-c096ca67-e918-4e0f-b208-782e3a511516"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-71e585ac-078a-4d80-9086-c0c4785e3cb7"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-35fdebd5-e7f5-44dd-a0d6-f4e217da8814"/> <cybox:Observable idref="mandiant:observable-34bf75f7-6bbd-4646-9858-d1e3f5ee4188"/> <cybox:Observable idref="mandiant:observable-16d176ee-fd34-4de9-8bd6-71471e36fc03"/> <cybox:Observable idref="mandiant:observable-590352a7-f3a5-461e-8e21-505d650b2f22"/> <cybox:Observable idref="mandiant:observable-c2d77748-b66a-4d1f-965d-856eb1f22973"/> <cybox:Observable idref="mandiant:observable-a8b83474-9470-466c-961a-06bd8b2bd434"/> <cybox:Observable idref="mandiant:observable-ac064633-5ad5-430e-9860-6c0603308d93"/> <cybox:Observable idref="mandiant:observable-e7e4d3e5-b086-4b23-92c0-3e6aa1032123"/> <cybox:Observable idref="mandiant:observable-ed3723b5-d790-4b78-a409-b5949bc0cf53"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-5a2b9a9f-1577-48e1-96db-a2e48cc3e58e"> <cybox:Observable_Composition operator="AND"> <cybox:Observable 
idref="mandiant:observable-d8b9f7dc-1a88-413e-9968-5091c69c1178"/> <cybox:Observable idref="mandiant:observable-138d69cb-271e-4ba6-b059-352fbdf7efaa"/> <cybox:Observable idref="mandiant:observable-a5a8e2b5-3d88-4363-aa86-7bf57d0c7488"/> <cybox:Observable idref="mandiant:observable-022b41f1-9afe-45d6-af8b-1b157177025d"/> <cybox:Observable idref="mandiant:observable-ecc8fb90-5a68-4963-9b33-03ede415351b"/> <cybox:Observable idref="mandiant:observable-5b4f193e-557f-4224-bb18-cda6555dc52f"/> <cybox:Observable idref="mandiant:observable-9f4be87c-6055-4c18-8579-9bd9f9d051c4"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-3d996e6f-1a80-4dba-819e-797a2412fcce"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-20070b1b-c544-40e4-88b0-fc7533f9bda7"/> <cybox:Observable idref="mandiant:observable-4f356464-9e28-470f-8b4d-67553bdee05c"/> <cybox:Observable idref="mandiant:observable-db01b082-bfca-4493-9a89-c5ea64768065"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-86853fd5-a9c2-480f-af96-521d047d4da2"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-56267a8f-9633-4937-8de4-9085d355b3f2"/> <cybox:Observable idref="mandiant:observable-d5c98410-ee98-458e-a5b6-be970abb3a43"/> <cybox:Observable idref="mandiant:observable-428d8ae8-11ac-41c8-8cf8-e3626f976635"/> <cybox:Observable idref="mandiant:observable-a7ea89f3-847c-444d-b329-f1f93bf43d24"/> <cybox:Observable idref="mandiant:observable-14bf2c6c-2c39-44c8-92ed-caf34aa76456"/> <cybox:Observable idref="mandiant:observable-139fc1a6-e5f8-478f-ac4c-4e5ef4d5d7a7"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism 
xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="2106f0d2-a260-4277-90ab-edd3455e31fa" last-modified="2013-02-10T13:00:00"> <short_description>HELAUTO (FAMILY)</short_description> <description>This family of malware is designed to operate as a service and provides remote command execution and file transfer capabilities to a fixed IP address or domain name. All communication with the C2 server happens over port 443 using SSL. This family can be installed as a service DLL. Some variants allow for uninstallation.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">HELAUTO</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Backdoor</link> </links> <definition> <Indicator operator="OR" id="554448f5-8e09-4c72-9dd9-5e2e1047eb33"> <IndicatorItem id="8a8fadb8-96e5-46da-b874-ba9522968577" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">50361f8793258b6e883b31269e053ed2</Content> </IndicatorItem> <IndicatorItem id="96064940-6bcb-43b7-b2a8-dd7671c61f27" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3b320b90e024bfa48bda72aa7a82322c</Content> </IndicatorItem> <IndicatorItem id="09513ce3-4ec5-4070-87b4-6ceecf28d66b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">10bb5a8ae053e335fe047cf38db95452</Content> </IndicatorItem> <IndicatorItem id="b682a1b6-3efb-40dd-8262-26c99582e34d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a1b924b8c8fa157ae8775fd86f692053</Content> </IndicatorItem> <IndicatorItem id="f170ec88-3afa-4602-b72b-3b05732b8a59" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">2c78d8bb5912d8174042f81197d9b449</Content> </IndicatorItem> <IndicatorItem id="67bb1f06-e71f-4d6a-8c4d-45d590e25859" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f1ad5daacace5d4a7b18a03132ec2716</Content> </IndicatorItem> <IndicatorItem id="e786a178-8f96-4821-8a2f-9aea0b04bd69" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">257258344edad17f689b1c6d14833cbc</Content> </IndicatorItem> <IndicatorItem id="9bc2e53d-1fef-44b0-ad66-93329a14b18e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">98cf219830733fb98fd2a957b7c4b163</Content> </IndicatorItem> <IndicatorItem id="b047a969-9ee5-4c47-b905-3d57dea106a8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">75f37a69664362462ad491741a34f195</Content> </IndicatorItem> <IndicatorItem id="86cbbc7b-8373-4483-8cb4-f74d0d316b08" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">dcb90efe7e09d6900242af25aeca7b73</Content> </IndicatorItem> <IndicatorItem id="fe1b00c1-9945-4e94-9b8a-da1c14dfd592" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">62d60a1cd1e7ba73aebc98812e5ac266</Content> </IndicatorItem> <IndicatorItem id="4fde81d5-41b6-4e33-a221-d1dd64868f44" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7ce16b35201d8d35965ec7aeebdc80ff</Content> </IndicatorItem> <IndicatorItem id="21217a83-702c-4696-9328-e9220355868c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b63452ecd2da62f30923a124bcd41b45</Content> </IndicatorItem> <IndicatorItem id="a2fa50e8-4165-4f32-9f0e-3fe5f47663c8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">b2599b3078c28a278a3e7cd8b46304da</Content> </IndicatorItem> <IndicatorItem id="93f74395-d7e8-4a5f-9459-75b93dfb5652" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e24e889e826df04f552e0d133548b693</Content> </IndicatorItem> <IndicatorItem id="4bf1eba4-af8e-4d7d-a794-6337cef6d77b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">465b085d3ddd22f63d8f7721ce5736d7</Content> </IndicatorItem> <IndicatorItem id="88fe1d0b-51cc-406e-816d-3d1877d161ab" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">04e83832146034f9797d2e8145413daa</Content> </IndicatorItem> <IndicatorItem id="2f4f9327-0216-44c8-9e53-1d23698caf72" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c2e06531a2e6de3c1b7d18b14af53fdf</Content> </IndicatorItem> <IndicatorItem id="7e923e4e-4ac5-4c6e-8ba0-7ae8bcb2851e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c0a494e643c42a89d5bf718ea274df04</Content> </IndicatorItem> <IndicatorItem id="ddfdbf22-1590-4527-b017-224b8a2f24b6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">da6b0ee7ec735029d1ff4fa863a71de8</Content> </IndicatorItem> <IndicatorItem id="32fcff4b-7c5f-4e34-9783-edb887fe73a5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">33d974011c4b047bf9874a71ba261a11</Content> </IndicatorItem> <IndicatorItem id="fa85a793-627a-48ce-91bc-e425c497a932" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">47e7f92419eb4b98ff4124c3ca11b738</Content> </IndicatorItem> <IndicatorItem id="c125aae2-69c3-4eb7-9293-c24c51d15b1c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">12a410d82a1fc9a8c18b350872e0d465</Content> </IndicatorItem> <IndicatorItem id="75074d1b-d72f-4fb0-bd5f-6eac577a6c63" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1ae2dadd85cd97452bb26b2c901d0890</Content> </IndicatorItem> <IndicatorItem id="0c603f6d-9b31-42df-92a9-1ce854a69aa4" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">Hello.I am here!</Content> <Comment>Unique C2 communication string in all samples in this family</Comment> </IndicatorItem> <IndicatorItem id="c6941c3a-15e4-47f3-b81b-74992538f067" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">\Com\wscntfy.exe</Content> <Comment>wscntfy.exe should live in %WINDIR%\system32. The malware may call another malicious program from %WINDIR%\system32\Com\ which is not the normal location</Comment> </IndicatorItem> <Indicator operator="AND" id="36858811-aa63-43e8-a397-ee3d462764e9"> <Indicator operator="OR" id="2b9c07e6-ec6b-4484-a4a4-12492f7b9481"> <IndicatorItem id="bc4e6a25-4073-40b9-abb2-ff9697fb2d13" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">msiprov.dll</Content> </IndicatorItem> <IndicatorItem id="832e2c3f-0f51-46ff-940b-21ce999aef50" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">mspmsnsv32.dll</Content> </IndicatorItem> <IndicatorItem id="a58f5ff2-8dbe-4926-a86f-08b0bf6e24bc" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">svchost.exe</Content> </IndicatorItem> <IndicatorItem id="3fc7d896-24f6-4a68-88a4-6b6bbb30284b" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">rasauto32.dll</Content> </IndicatorItem> <IndicatorItem id="e4ec6bc3-ca87-46ed-aa7d-7236e3df15d6" 
condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">ersvc.dll</Content> </IndicatorItem> <IndicatorItem id="4f7a652e-3392-4c4a-8ee2-301968a34507" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">corrupted_imports</Content> <Comment>PE Header Anomaly identified in 12% samples.</Comment> </IndicatorItem> <IndicatorItem id="8284e473-1c40-4317-88e4-2274a05f8699" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="5ecac869-88d1-468e-b7bc-8ce6263a6407"> <IndicatorItem id="8399140e-d68f-4e6a-bcc1-b1a2866c4bc3" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">10240</Content> </IndicatorItem> <IndicatorItem id="19c390ad-2f2f-40c0-8da5-1bf39de9e31a" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">10752</Content> </IndicatorItem> <IndicatorItem id="b48100bd-5e0c-4d2e-bcfa-448b44abe524" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">11264</Content> </IndicatorItem> <IndicatorItem id="a75807dd-ffca-40c5-86b4-9dcde61a7c6b" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">45056</Content> </IndicatorItem> <IndicatorItem id="af2c684f-d214-4b14-bbba-41682eca0e54" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">8704</Content> </IndicatorItem> <IndicatorItem id="c096ca67-e918-4e0f-b208-782e3a511516" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">9728</Content> 
</IndicatorItem> </Indicator> <Indicator operator="OR" id="71e585ac-078a-4d80-9086-c0c4785e3cb7"> <IndicatorItem id="35fdebd5-e7f5-44dd-a0d6-f4e217da8814" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-06-16T02:14:07Z</Content> </IndicatorItem> <IndicatorItem id="34bf75f7-6bbd-4646-9858-d1e3f5ee4188" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-06-18T07:24:32Z</Content> </IndicatorItem> <IndicatorItem id="16d176ee-fd34-4de9-8bd6-71471e36fc03" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-09-01T16:22:56Z</Content> </IndicatorItem> <IndicatorItem id="590352a7-f3a5-461e-8e21-505d650b2f22" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-09-16T08:40:03Z</Content> </IndicatorItem> <IndicatorItem id="c2d77748-b66a-4d1f-965d-856eb1f22973" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-09-27T03:15:10Z</Content> </IndicatorItem> <IndicatorItem id="a8b83474-9470-466c-961a-06bd8b2bd434" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-03-24T07:04:57Z</Content> </IndicatorItem> <IndicatorItem id="ac064633-5ad5-430e-9860-6c0603308d93" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-08-21T02:44:28Z</Content> </IndicatorItem> <IndicatorItem id="e7e4d3e5-b086-4b23-92c0-3e6aa1032123" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-04-12T07:28:12Z</Content> </IndicatorItem> <IndicatorItem id="ed3723b5-d790-4b78-a409-b5949bc0cf53" condition="is"> <Context document="FileItem" 
search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-04-12T09:09:29Z</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="5a2b9a9f-1577-48e1-96db-a2e48cc3e58d"> <IndicatorItem id="d8b9f7dc-1a88-413e-9968-5091c69c1178" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">svchostdll.dll</Content> <Comment>representation of malicious DLL used by this family</Comment> </IndicatorItem> <IndicatorItem id="138d69cb-271e-4ba6-b059-352fbdf7efaa" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">ServiceMain</Content> <Comment>This block detects consistent characteristics of the DLL Exports of this family</Comment> </IndicatorItem> <IndicatorItem id="a5a8e2b5-3d88-4363-aa86-7bf57d0c7488" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">InstallA</Content> </IndicatorItem> <IndicatorItem id="022b41f1-9afe-45d6-af8b-1b157177025d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">UninstallService</Content> </IndicatorItem> <IndicatorItem id="ecc8fb90-5a68-4963-9b33-03ede415351b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">InstallService</Content> </IndicatorItem> <IndicatorItem id="5b4f193e-557f-4224-bb18-cda6555dc52f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">RemoveA</Content> </IndicatorItem> <IndicatorItem id="9f4be87c-6055-4c18-8579-9bd9f9d051c4" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/NumberOfFunctions" type="mir"/> <Content type="int">5</Content> </IndicatorItem> 
</Indicator> <Indicator operator="AND" id="3d996e6f-1a80-4dba-819e-797a2412fcce"> <IndicatorItem id="20070b1b-c544-40e4-88b0-fc7533f9bda7" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">svchostdll.dll</Content> <Comment>representation of malicious DLL used by this family</Comment> </IndicatorItem> <IndicatorItem id="4f356464-9e28-470f-8b4d-67553bdee05c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">ServiceMain</Content> </IndicatorItem> <IndicatorItem id="db01b082-bfca-4493-9a89-c5ea64768065" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/NumberOfFunctions" type="mir"/> <Content type="int">1</Content> </IndicatorItem> </Indicator> <Indicator operator="AND" id="86853fd5-a9c2-480f-af96-521d047d4da2"> <IndicatorItem id="56267a8f-9633-4937-8de4-9085d355b3f2" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">comhttps.dll</Content> <Comment>representation of malicious DLL used by this family</Comment> </IndicatorItem> <IndicatorItem id="d5c98410-ee98-458e-a5b6-be970abb3a43" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">DllUnregisterServer</Content> </IndicatorItem> <IndicatorItem id="428d8ae8-11ac-41c8-8cf8-e3626f976635" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">DllGetClassObject</Content> </IndicatorItem> <IndicatorItem id="a7ea89f3-847c-444d-b329-f1f93bf43d24" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">DllCanUnloadNow</Content> </IndicatorItem> <IndicatorItem id="14bf2c6c-2c39-44c8-92ed-caf34aa76456" condition="is"> 
<Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">DllRegisterServer</Content> </IndicatorItem> <IndicatorItem id="139fc1a6-e5f8-478f-ac4c-4e5ef4d5d7a7" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/NumberOfFunctions" type="mir"/> <Content type="int">4</Content> </IndicatorItem> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-36437a22-f0d7-4a48-bec4-153e19045f8d"> <indicator:Title>BOUNCER (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> BOUNCER will load an extracted DLL into memory, and then will call the DLL's dump export. The dump export is called with the parameters passed via the command line to the BOUNCER executable. It requires at least two arguments, the IP and port to send the password dump information. It can accept at most five arguments, including a proxy IP, port and an x.509 key for SSL authentication. The DLL backdoor has the capability to execute arbitrary commands, collect database and server information, brute force SQL login credentials, launch arbitrary programs, create processes and threads, delete files, and redirect network traffic. 
</indicator:Description>
<indicator:Observable>
  <!-- CybOX view of the BOUNCER indicator. The nesting mirrors the OpenIOC
       definition in this indicator's Test_Mechanism: observable ids reuse the
       IndicatorItem / Indicator ids with a "mandiant:observable-" prefix.
       The idref targets (the actual object definitions) are declared elsewhere
       in the package, so this composition alone does not show what is tested. -->
  <cybox:Observable_Composition operator="OR">
    <!-- Ten single observables: by id, the first eight correspond to the Md5sum
         items and the last two to the FileName items of the OpenIOC definition. -->
    <cybox:Observable idref="mandiant:observable-3e297215-861a-4a94-be92-bf2ae19f5065"/>
    <cybox:Observable idref="mandiant:observable-df4b6821-3b96-4864-b5a8-b1379ee80bb8"/>
    <cybox:Observable idref="mandiant:observable-3d73fee4-f73b-444d-835d-725a8a0b5da3"/>
    <cybox:Observable idref="mandiant:observable-322864bd-4a3c-4984-bb39-51da6c8289fb"/>
    <cybox:Observable idref="mandiant:observable-5782120d-8b59-4fe7-b2a3-2a0e7b784b90"/>
    <cybox:Observable idref="mandiant:observable-43aea2f9-7628-4e20-a806-0bab8a42187b"/>
    <cybox:Observable idref="mandiant:observable-a6ae527a-4736-42f6-ad14-fa5a699c92a3"/>
    <cybox:Observable idref="mandiant:observable-a06d67f2-5d6b-4119-b372-abeb3dc7d86b"/>
    <cybox:Observable idref="mandiant:observable-902d348a-920e-4ff6-8273-e23f511b3b29"/>
    <cybox:Observable idref="mandiant:observable-87eb54a8-f79e-453d-be63-59be0cd1e89b"/>
    <!-- First AND group: one single observable plus three OR sub-groups, all of
         which must hold together. -->
    <cybox:Observable id="mandiant:observable-b4705169-2c8c-48e3-8701-8ccd887ff169">
      <cybox:Observable_Composition operator="AND">
        <cybox:Observable idref="mandiant:observable-6112d863-22f8-410e-bf85-b7db8db31d16"/>
        <cybox:Observable id="mandiant:observable-59d26093-4fc0-42e7-83fb-8fd735a494d0">
          <cybox:Observable_Composition operator="OR">
            <cybox:Observable idref="mandiant:observable-3ffa3bbe-9aba-43e5-a666-2bbc257ff4d7"/>
            <cybox:Observable idref="mandiant:observable-5ead8152-11d7-4bdc-bede-e89a31a6cad7"/>
            <cybox:Observable idref="mandiant:observable-633c3d70-d0d1-4a51-ac4d-a10347330777"/>
            <cybox:Observable idref="mandiant:observable-8ae14feb-b1a3-4efd-bc56-4dde8bc4acab"/>
            <cybox:Observable idref="mandiant:observable-1834b578-a4be-4368-8b16-1ebd1fbad785"/>
            <cybox:Observable idref="mandiant:observable-ebd1abe7-a473-48ba-8f43-9c132883cc15"/>
          </cybox:Observable_Composition>
        </cybox:Observable>
        <cybox:Observable id="mandiant:observable-642a04fa-1136-40e9-8117-8b479bc8775a">
          <cybox:Observable_Composition operator="OR">
            <cybox:Observable idref="mandiant:observable-e8123462-e31b-48f3-bc72-43f2061c5850"/>
            <cybox:Observable idref="mandiant:observable-0955e2d7-eefb-4653-81c1-fb44041ece9b"/>
            <cybox:Observable idref="mandiant:observable-198a474b-cd29-445e-b670-900bab9d89fe"/>
            <cybox:Observable idref="mandiant:observable-3423d033-ef73-47cc-ac49-456452172b5f"/>
            <cybox:Observable idref="mandiant:observable-84c7d82b-c944-44f5-ae10-33521558866e"/>
          </cybox:Observable_Composition>
        </cybox:Observable>
        <cybox:Observable id="mandiant:observable-df06b8c3-6956-4c13-9be9-dd0964f86c6e">
          <cybox:Observable_Composition operator="OR">
            <cybox:Observable idref="mandiant:observable-cc9ba9e2-bb3f-4645-b767-6a86f33433f2"/>
            <cybox:Observable idref="mandiant:observable-cca8138c-efa2-4e49-9296-a27fffa4f379"/>
            <cybox:Observable idref="mandiant:observable-f6e29a86-ebd9-484c-9445-b6879146facf"/>
            <cybox:Observable idref="mandiant:observable-1e3246bf-6226-44c1-9739-bd53c5ed47c3"/>
            <cybox:Observable idref="mandiant:observable-87007f79-881f-4fee-a54a-6f9bf854422c"/>
            <cybox:Observable idref="mandiant:observable-128fa1b4-9034-4ccf-909f-e17f73532284"/>
            <cybox:Observable idref="mandiant:observable-7834fd6a-84a4-4885-ba74-0b2d7df12659"/>
            <cybox:Observable idref="mandiant:observable-7da7bff8-68f7-4234-92da-c3c509e883af"/>
          </cybox:Observable_Composition>
        </cybox:Observable>
      </cybox:Observable_Composition>
    </cybox:Observable>
    <!-- Second AND group: both referenced observables must match. -->
    <cybox:Observable id="mandiant:observable-57fccf30-1499-4094-b84c-275c645d5a41">
      <cybox:Observable_Composition operator="AND">
        <cybox:Observable idref="mandiant:observable-293506cc-415b-468e-b9e2-3852d474652b"/>
        <cybox:Observable idref="mandiant:observable-fdec4448-5911-4572-a95a-cf61e3c0f9c2"/>
      </cybox:Observable_Composition>
    </cybox:Observable>
  </cybox:Observable_Composition>
</indicator:Observable>
<indicator:Indicated_TTP>
  <!-- Same TTP idref as the LONGRUN indicator that follows; presumably the main
       APT1 TTP (the TTP itself is defined elsewhere in the package). -->
  <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/>
</indicator:Indicated_TTP>
<indicator:Test_Mechanisms>
<indicator:Test_Mechanism
xsi:type="openiocTM:OpenIOC2010TestMechanismType">
  <!-- Original OpenIOC 2010 definition for BOUNCER, embedded as the indicator's
       Test_Mechanism. Elements below <openiocTM:ioc> are in the default
       namespace http://schemas.mandiant.com/2010/ioc declared on that element. -->
  <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="26213db6-9d3b-4a39-abeb-73656acb913e" last-modified="2013-02-10T13:00:00">
    <short_description>BOUNCER (FAMILY)</short_description>
    <description>BOUNCER will load an extracted DLL into memory, and then will call the DLL's dump export. The dump export is called with the parameters passed via the command line to the BOUNCER executable. It requires at least two arguments, the IP and port to send the password dump information. It can accept at most five arguments, including a proxy IP, port and an x.509 key for SSL authentication. The DLL backdoor has the capability to execute arbitrary commands, collect database and server information, brute force SQL login credentials, launch arbitrary programs, create processes and threads, delete files, and redirect network traffic.</description>
    <authored_by>Mandiant</authored_by>
    <authored_date>2013-02-10T06:11:53</authored_date>
    <links>
      <link rel="category">Backdoor</link>
      <link rel="threatgroup">APT</link>
      <link rel="family">APT1</link>
      <link rel="family">BOUNCER</link>
    </links>
    <definition>
      <!-- Top-level OR: a file matches this IOC if any one direct child matches.
           The eight Md5sum items are exact-hash tests, so each covers a single
           known file; a rebuilt or modified sample can only be caught by the
           structural AND groups further down. -->
      <Indicator operator="OR" id="36437a22-f0d7-4a48-bec4-153e19045f8d">
        <IndicatorItem id="3e297215-861a-4a94-be92-bf2ae19f5065" condition="is">
          <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
          <Content type="md5">8fdb15f3d5480de78c61ccef23722683</Content>
        </IndicatorItem>
        <IndicatorItem id="df4b6821-3b96-4864-b5a8-b1379ee80bb8" condition="is">
          <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
          <Content type="md5">57353ecbaece29ecaf8025231eb930e3</Content>
        </IndicatorItem>
        <IndicatorItem id="3d73fee4-f73b-444d-835d-725a8a0b5da3" condition="is">
          <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
          <Content type="md5">cf038194f0fe222f31ec24cb80941bb1</Content>
        </IndicatorItem>
        <IndicatorItem id="322864bd-4a3c-4984-bb39-51da6c8289fb" condition="is">
          <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
          <Content type="md5">f90da15f862bb8452fc51d3f0dbb3373</Content>
        </IndicatorItem>
        <IndicatorItem id="5782120d-8b59-4fe7-b2a3-2a0e7b784b90" condition="is">
          <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
          <Content type="md5">6deae79fc82df523ba99852266a33f9e</Content>
        </IndicatorItem>
        <IndicatorItem id="43aea2f9-7628-4e20-a806-0bab8a42187b" condition="is">
          <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
          <Content type="md5">6ebd05a02459d3b22a9d4a79b8626bf1</Content>
        </IndicatorItem>
        <IndicatorItem id="a6ae527a-4736-42f6-ad14-fa5a699c92a3" condition="is">
          <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
          <Content type="md5">d2f1be7e10ed39aa8bc0f7f671d824d2</Content>
        </IndicatorItem>
        <IndicatorItem id="a06d67f2-5d6b-4119-b372-abeb3dc7d86b" condition="is">
          <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
          <Content type="md5">5d5c39ba59c32ebcd6c02f238521a060</Content>
        </IndicatorItem>
        <!-- File-name-only tests placed directly under the top-level OR: any file
             named gw.dat or sqlpass.dic matches, whatever its content. Treat such
             a hit as a lead to corroborate (hash, PE traits), not as a confirmed
             detection. -->
        <IndicatorItem id="902d348a-920e-4ff6-8273-e23f511b3b29" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">gw.dat</Content>
        </IndicatorItem>
        <IndicatorItem id="87eb54a8-f79e-453d-be63-59be0cd1e89b" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">sqlpass.dic</Content>
        </IndicatorItem>
        <!-- AND group: zero PE checksum, plus one of the listed names or the
             oversized_section anomaly, plus one listed size, plus one listed PE
             timestamp. The name list includes ctfmon.exe, which is also the name
             of a legitimate Windows component, so a name carries weight only
             inside this conjunction. -->
        <Indicator operator="AND" id="b4705169-2c8c-48e3-8701-8ccd887ff169">
          <IndicatorItem id="6112d863-22f8-410e-bf85-b7db8db31d16" condition="is">
            <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/>
            <Content type="string">checksum_is_zero</Content>
            <Comment>PE Header Anomaly identified in 100% samples.</Comment>
          </IndicatorItem>
          <Indicator operator="OR" id="59d26093-4fc0-42e7-83fb-8fd735a494d0">
            <IndicatorItem id="3ffa3bbe-9aba-43e5-a666-2bbc257ff4d7" condition="is">
              <Context document="FileItem" search="FileItem/FileName" type="mir"/>
              <Content type="string">a.dat</Content>
            </IndicatorItem>
            <IndicatorItem id="5ead8152-11d7-4bdc-bede-e89a31a6cad7" condition="is">
              <Context document="FileItem" search="FileItem/FileName" type="mir"/>
              <Content type="string">1.exe</Content>
            </IndicatorItem>
            <IndicatorItem id="633c3d70-d0d1-4a51-ac4d-a10347330777" condition="is">
              <Context document="FileItem" search="FileItem/FileName" type="mir"/>
              <Content type="string">ctfmon.exe</Content>
            </IndicatorItem>
            <IndicatorItem id="8ae14feb-b1a3-4efd-bc56-4dde8bc4acab" condition="is">
              <Context document="FileItem" search="FileItem/FileName" type="mir"/>
              <Content type="string">Del16A4.tmp</Content>
            </IndicatorItem>
            <IndicatorItem id="1834b578-a4be-4368-8b16-1ebd1fbad785" condition="is">
              <Context document="FileItem" search="FileItem/FileName" type="mir"/>
              <Content type="string">client.exe</Content>
            </IndicatorItem>
            <IndicatorItem id="ebd1abe7-a473-48ba-8f43-9c132883cc15" condition="is">
              <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/>
              <Content type="string">oversized_section</Content>
              <Comment>PE Header Anomaly identified in 12% samples.</Comment>
            </IndicatorItem>
          </Indicator>
          <!-- Exact file sizes in bytes ("is"); a match requires one of these
               five values. -->
          <Indicator operator="OR" id="642a04fa-1136-40e9-8117-8b479bc8775a">
            <IndicatorItem id="e8123462-e31b-48f3-bc72-43f2061c5850" condition="is">
              <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
              <Content type="int">32768</Content>
            </IndicatorItem>
            <IndicatorItem id="0955e2d7-eefb-4653-81c1-fb44041ece9b" condition="is">
              <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
              <Content type="int">475136</Content>
            </IndicatorItem>
            <IndicatorItem id="198a474b-cd29-445e-b670-900bab9d89fe" condition="is">
              <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
              <Content type="int">57344</Content>
            </IndicatorItem>
            <IndicatorItem id="3423d033-ef73-47cc-ac49-456452172b5f" condition="is">
              <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
              <Content type="int">61440</Content>
            </IndicatorItem>
            <IndicatorItem id="84c7d82b-c944-44f5-ae10-33521558866e" condition="is">
              <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
              <Content type="int">81920</Content>
            </IndicatorItem>
          </Indicator>
          <!-- PE header timestamps of the analysed samples, matched exactly. The
               field is written at build time and is under the builder's control,
               so these values describe known samples only. -->
          <Indicator operator="OR" id="df06b8c3-6956-4c13-9be9-dd0964f86c6e">
            <IndicatorItem id="cc9ba9e2-bb3f-4645-b767-6a86f33433f2" condition="is">
              <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/>
              <Content type="date">2010-08-25T02:25:14Z</Content>
            </IndicatorItem>
            <IndicatorItem id="cca8138c-efa2-4e49-9296-a27fffa4f379" condition="is">
              <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/>
              <Content type="date">2011-02-21T13:18:49Z</Content>
            </IndicatorItem>
            <IndicatorItem id="f6e29a86-ebd9-484c-9445-b6879146facf" condition="is">
              <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/>
              <Content type="date">2011-02-21T13:25:59Z</Content>
            </IndicatorItem>
            <IndicatorItem id="1e3246bf-6226-44c1-9739-bd53c5ed47c3" condition="is">
              <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/>
              <Content type="date">2011-12-19T12:17:08Z</Content>
            </IndicatorItem>
            <IndicatorItem id="87007f79-881f-4fee-a54a-6f9bf854422c" condition="is">
              <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/>
              <Content type="date">2011-12-20T02:23:38Z</Content>
            </IndicatorItem>
            <IndicatorItem id="128fa1b4-9034-4ccf-909f-e17f73532284" condition="is">
              <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/>
              <Content type="date">2012-01-19T00:50:11Z</Content>
            </IndicatorItem>
            <IndicatorItem id="7834fd6a-84a4-4885-ba74-0b2d7df12659" condition="is">
              <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/>
              <Content type="date">2012-03-07T08:41:30Z</Content>
            </IndicatorItem>
            <IndicatorItem id="7da7bff8-68f7-4234-92da-c3c509e883af" condition="is">
              <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/>
              <Content type="date">2012-04-21T06:49:52Z</Content>
            </IndicatorItem>
          </Indicator>
        </Indicator>
        <!-- AND group of two "contains" tests on PE resource metadata.
             NOTE(review): as written, nothing ties both tests to the same
             ResourceInfoItem; confirm how the consuming tool evaluates the two
             paths. A resource language on its own is presumably shared by much
             unrelated software, so keep the pair together when porting. -->
        <Indicator operator="AND" id="57fccf30-1499-4094-b84c-275c645d5a41">
          <IndicatorItem id="293506cc-415b-468e-b9e2-3852d474652b" condition="contains">
            <Context document="FileItem" search="FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Name" type="mir"/>
            <Content type="string">IDR_DATA0</Content>
          </IndicatorItem>
          <IndicatorItem id="fdec4448-5911-4572-a95a-cf61e3c0f9c2" condition="contains">
            <Context document="FileItem" search="FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Language" type="mir"/>
            <Content type="string">Chinese (Simplified, PRC)</Content>
          </IndicatorItem>
        </Indicator>
      </Indicator>
    </definition>
  </openiocTM:ioc>
</indicator:Test_Mechanism>
</indicator:Test_Mechanisms>
</stix:Indicator>
<stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-dc2eb534-d2c4-421c-89d0-9bc6762009c5">
  <indicator:Title>LONGRUN (FAMILY)</indicator:Title>
  <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type>
  <indicator:Description> LONGRUN is a backdoor designed to communicate with a hard-coded IP address and provide the attackers with a custom interactive shell. It supports file uploads and downloads, and executing arbitrary commands on the compromised machine. When LONGRUN executes, it first loads configuration data stored as an obfuscated string inside the PE resource section. The distinctive string thequickbrownfxjmpsvalzydg is used as part of the input to the decoding algorithm. When the configuration data string is decoded it is parsed and treated as an IP and port number. The malware then connects to the host and begins interacting with it over a custom protocol. 
</indicator:Description>
<indicator:Observable>
  <!-- CybOX view of the LONGRUN indicator. Observable ids reuse the ids of the
       OpenIOC IndicatorItem / Indicator elements in this indicator's
       Test_Mechanism, with a "mandiant:observable-" prefix.
       Coverage gap: the OpenIOC definition also holds two
       FileItem/StringList/string items (ids
       97990556-c710-44fb-9fab-6c5fa53eb4af and
       6f492fb4-d7b2-40ca-918a-d7e16b5f4545) that have no idref in this
       composition. Presumably they were dropped by the lossy OpenIOC to CybOX
       conversion described in the file header. A consumer that evaluates only
       these observables does not test the string-based indicators; use the
       OpenIOC Test_Mechanism for full coverage. -->
  <cybox:Observable_Composition operator="OR">
    <!-- By id, this corresponds to the single Md5sum item. -->
    <cybox:Observable idref="mandiant:observable-fab392cc-1376-46ec-8e2c-4fa4e704869d"/>
    <!-- AND group: two single observables plus one OR sub-group; by id these map
         to the checksum anomaly, the file size, and (file name or PE timestamp)
         items of the OpenIOC definition. -->
    <cybox:Observable id="mandiant:observable-68e3306a-7111-4a61-be2b-1d6cf21e621d">
      <cybox:Observable_Composition operator="AND">
        <cybox:Observable idref="mandiant:observable-4ba6db3f-ca2d-46ce-8a75-eaba4b20a2bf"/>
        <cybox:Observable idref="mandiant:observable-73990b98-2df1-40ac-ab89-8d805e2a67bf"/>
        <cybox:Observable id="mandiant:observable-2198f709-9362-4dff-9bff-bbeee1dbe5f7">
          <cybox:Observable_Composition operator="OR">
            <cybox:Observable idref="mandiant:observable-4f469a10-6cd2-486f-8b81-0b0156c1888b"/>
            <cybox:Observable idref="mandiant:observable-98aa4299-4820-4d53-bb52-236ea8855aac"/>
          </cybox:Observable_Composition>
        </cybox:Observable>
      </cybox:Observable_Composition>
    </cybox:Observable>
    <!-- AND group of six observables; by id these map to the six PE version-info
         items of the OpenIOC definition, all of which must match. -->
    <cybox:Observable id="mandiant:observable-ad486401-fd01-42af-ba50-5f349c2642ba">
      <cybox:Observable_Composition operator="AND">
        <cybox:Observable idref="mandiant:observable-30a990db-845c-4cbf-80b9-8b7b2386d7c1"/>
        <cybox:Observable idref="mandiant:observable-65ef6c0b-c2ef-4a30-8c7a-5530150de278"/>
        <cybox:Observable idref="mandiant:observable-08bb5155-f98e-4175-ba30-6c408c107d1a"/>
        <cybox:Observable idref="mandiant:observable-f7a71182-00a1-4f8a-847f-041d74a8cf7e"/>
        <cybox:Observable idref="mandiant:observable-b6630e04-d583-4c87-8933-368b8c768cdd"/>
        <cybox:Observable idref="mandiant:observable-f62eda54-fc09-4bf7-8943-63e9cf0dd87f"/>
      </cybox:Observable_Composition>
    </cybox:Observable>
  </cybox:Observable_Composition>
</indicator:Observable>
<indicator:Indicated_TTP>
  <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/>
</indicator:Indicated_TTP>
<indicator:Test_Mechanisms>
<indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType">
<openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="2bff223f-9e46-47a7-ac35-d35f8138a4c7" last-modified="2013-02-10T13:00:00">
<!-- Body of the original OpenIOC 2010 definition for LONGRUN, embedded as the
     indicator's Test_Mechanism. -->
<short_description>LONGRUN (FAMILY)</short_description>
<description>LONGRUN is a backdoor designed to communicate with a hard-coded IP address and provide the attackers with a custom interactive shell. It supports file uploads and downloads, and executing arbitrary commands on the compromised machine. When LONGRUN executes, it first loads configuration data stored as an obfuscated string inside the PE resource section. The distinctive string thequickbrownfxjmpsvalzydg is used as part of the input to the decoding algorithm. When the configuration data string is decoded it is parsed and treated as an IP and port number. The malware then connects to the host and begins interacting with it over a custom protocol.</description>
<authored_by>Mandiant</authored_by>
<authored_date>2013-02-10T06:11:53</authored_date>
<links>
  <link rel="category">Backdoor</link>
  <link rel="threatgroup">APT</link>
  <link rel="family">APT1</link>
  <link rel="family">LONGRUN</link>
</links>
<definition>
  <!-- Top-level OR: any one direct child is sufficient for a match. -->
  <Indicator operator="OR" id="dc2eb534-d2c4-421c-89d0-9bc6762009c5">
    <!-- Exact-hash test: covers one known file only. -->
    <IndicatorItem id="fab392cc-1376-46ec-8e2c-4fa4e704869d" condition="is">
      <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
      <Content type="md5">82b065518f085c6ceb0a9135ab51df41</Content>
    </IndicatorItem>
    <!-- The next two items test strings found inside the file. Neither item's id
         is referenced from this indicator's cybox:Observable_Composition;
         presumably they were dropped by the lossy conversion described in the
         file header, so only this OpenIOC definition carries them. The first
         value is the string the description calls distinctive; the second uses
         "contains" on a browser-style User-Agent value. -->
    <IndicatorItem id="97990556-c710-44fb-9fab-6c5fa53eb4af" condition="is">
      <Context document="FileItem" search="FileItem/StringList/string" type="mir"/>
      <Content type="string">thequickbrownfxjmpsvalzydg</Content>
    </IndicatorItem>
    <IndicatorItem id="6f492fb4-d7b2-40ca-918a-d7e16b5f4545" condition="contains">
      <Context document="FileItem" search="FileItem/StringList/string" type="mir"/>
      <Content type="string">Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0)</Content>
    </IndicatorItem>
    <!-- AND group: zero PE checksum, and size 12800, and (file name update.exe
         or the given PE timestamp). Each test is generic on its own; only the
         conjunction is meant to match. -->
    <Indicator operator="AND" id="68e3306a-7111-4a61-be2b-1d6cf21e621d">
      <IndicatorItem id="4ba6db3f-ca2d-46ce-8a75-eaba4b20a2bf" condition="is">
        <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/>
        <Content type="string">checksum_is_zero</Content>
        <Comment>PE Header Anomaly identified in 100% samples.</Comment>
      </IndicatorItem>
      <IndicatorItem id="73990b98-2df1-40ac-ab89-8d805e2a67bf" condition="is">
        <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
        <Content type="int">12800</Content>
      </IndicatorItem>
      <Indicator operator="OR" id="2198f709-9362-4dff-9bff-bbeee1dbe5f7">
        <IndicatorItem id="4f469a10-6cd2-486f-8b81-0b0156c1888b" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">update.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="98aa4299-4820-4d53-bb52-236ea8855aac" condition="is">
          <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/>
          <Content type="date">2010-05-11T01:52:46Z</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
    <!-- AND group over six PE version-info fields; all must match. CompanyName
         and ProductName spell the vendor "MicroSoft" with a capital S; keep the
         values byte-for-byte when porting. NOTE(review): whether "is" compares
         case-sensitively depends on the consuming tool; confirm. -->
    <Indicator operator="AND" id="ad486401-fd01-42af-ba50-5f349c2642ba">
      <!-- NOTE(review): the Content value below is split by a line break after
           "Copyright ? ". This may be an artifact of how the page was rendered
           rather than part of the original value; confirm against the source
           file before using it in an exact ("is") match. -->
      <IndicatorItem id="30a990db-845c-4cbf-80b9-8b7b2386d7c1" condition="is">
        <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/LegalCopyright" type="mir"/>
        <Content type="string">Copyright ? 
2008</Content>
        <Comment>The question mark is in the copyright string</Comment>
      </IndicatorItem>
      <IndicatorItem id="65ef6c0b-c2ef-4a30-8c7a-5530150de278" condition="is">
        <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/InternalName" type="mir"/>
        <Content type="string">ActiveX</Content>
      </IndicatorItem>
      <IndicatorItem id="08bb5155-f98e-4175-ba30-6c408c107d1a" condition="is">
        <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileVersion" type="mir"/>
        <Content type="string">1, 0, 0, 1</Content>
      </IndicatorItem>
      <IndicatorItem id="f7a71182-00a1-4f8a-847f-041d74a8cf7e" condition="is">
        <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/CompanyName" type="mir"/>
        <Content type="string">MicroSoft Corporation</Content>
      </IndicatorItem>
      <IndicatorItem id="b6630e04-d583-4c87-8933-368b8c768cdd" condition="is">
        <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductName" type="mir"/>
        <Content type="string">MicroSoft Corporation ActiveX</Content>
      </IndicatorItem>
      <IndicatorItem id="f62eda54-fc09-4bf7-8943-63e9cf0dd87f" condition="is">
        <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/OriginalFilename" type="mir"/>
        <Content type="string">ActiveX.exe</Content>
      </IndicatorItem>
    </Indicator>
  </Indicator>
</definition>
</openiocTM:ioc>
</indicator:Test_Mechanism>
</indicator:Test_Mechanisms>
</stix:Indicator>
<stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-2322085d-c557-4278-affc-633be5f36fe5">
  <indicator:Title>WEBC2-BOLID (FAMILY)</indicator:Title>
  <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type>
  <indicator:Description> A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. 
It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware is a backdoor capable of downloading files and updating its configuration. Communication with the command and control (C2) server uses a combination of single-byte XOR and Base64 encoded data wrapped in standard HTML tags. The malware family installs a registry key as a persistence mechanism. </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-c9f171c0-75d7-4378-beb7-4a6fa6716b18"/> <cybox:Observable idref="mandiant:observable-5b56e6a4-3d35-447c-967a-585833c67377"/> <cybox:Observable idref="mandiant:observable-044450c1-d0c9-4034-b50a-695ea872f81f"/> <cybox:Observable idref="mandiant:observable-9728541d-9905-4a02-8d45-89dc97f5cbcb"/> <cybox:Observable idref="mandiant:observable-2a058aa9-bcff-49d0-b898-63038cf5655e"/> <cybox:Observable idref="mandiant:observable-6db9a6b4-1875-4a3b-a3a4-63a5701e8e8b"/> <cybox:Observable idref="mandiant:observable-e37a42ad-39b9-4ed7-a8ff-b4f8684943ed"/> <cybox:Observable id="mandiant:observable-7ba9acb2-f5bf-4ce7-8856-3cc8245e57e6"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-7f3694b8-d6b7-4d8f-b3d3-d96e84d430b9"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-5a737131-9ed6-4547-91ca-30d5dc566db8"/> <cybox:Observable idref="mandiant:observable-b5a329f6-8fc2-489d-87b8-3449788bc351"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-928bb56d-8c59-423b-9c26-2b74d53d0167"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-2415ff42-a418-40b1-8349-ad97ac0b1236"/> <cybox:Observable idref="mandiant:observable-48e392bc-c065-48b0-882e-75fad379fefb"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-5e272482-3508-49f3-a7f5-34144797bfba"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-2e22d803-b6c3-4ec7-9e13-5469062c0e38"/> <cybox:Observable idref="mandiant:observable-9fffb9ef-eda3-461f-bf24-b7c8f8013b5c"/> <cybox:Observable idref="mandiant:observable-11c8d961-aaf6-4c39-b5f3-3b9d3045ce3e"/> <cybox:Observable idref="mandiant:observable-4a7d498b-db58-4be5-acb0-921c245b4728"/> <cybox:Observable idref="mandiant:observable-dd7d606f-ffe7-45b6-b8e3-36c8690b0038"/> <cybox:Observable idref="mandiant:observable-b3381a0d-e6ef-4409-b2b0-4baa10e434be"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-28489857-43de-4d8b-b5db-0d2919eb2af1"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-503abed0-b00b-4f4e-94fe-9ebc6abaffdd"/> <cybox:Observable id="mandiant:observable-51833c9d-8b60-49f1-963a-57433af193c6"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-58567037-88d8-4110-8af9-23e7b6f3e7ef"/> <cybox:Observable idref="mandiant:observable-c8897027-e093-481e-82db-87357e11d559"/> <cybox:Observable idref="mandiant:observable-33aa7a58-6dc9-4a8a-855d-edf010502466"/> <cybox:Observable idref="mandiant:observable-3af073a8-52c5-48a7-b9c9-ca4e8916e5e6"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <!-- References WEBC2 TTP rather than main APT1 TTP --> <stixCommon:TTP idref="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="2fc55747-6822-41d2-bcc1-387fc1b2e67b" last-modified="2013-02-10T13:00:00"> 
<short_description>WEBC2-BOLID (FAMILY)</short_description> <description>A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware is a backdoor capable of downloading files and updating its configuration. Communication with the command and control (C2) server uses a combination of single-byte XOR and Base64 encoded data wrapped in standard HTML tags. The malware family installs a registry key as a persistence mechanism.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">WEBC2-BOLID</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Backdoor</link> </links> <definition> <Indicator operator="OR" id="2322085d-c557-4278-affc-633be5f36fe5"> <IndicatorItem id="c9f171c0-75d7-4378-beb7-4a6fa6716b18" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">567395a3c720fcd09eb75b6c188b8687</Content> </IndicatorItem> <IndicatorItem id="5b56e6a4-3d35-447c-967a-585833c67377" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8153b612499dbf432e2d9805b20ae783</Content> </IndicatorItem> <IndicatorItem id="044450c1-d0c9-4034-b50a-695ea872f81f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d8238e950608e5aba3d3e9e83e9ee2cc</Content> </IndicatorItem> <IndicatorItem id="9728541d-9905-4a02-8d45-89dc97f5cbcb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">53b263dd41838aa178a5ced338a207f3</Content> </IndicatorItem> <IndicatorItem id="2a058aa9-bcff-49d0-b898-63038cf5655e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">5ff3269faca4a67d1a4c537154aaad4b</Content> </IndicatorItem> <IndicatorItem id="6db9a6b4-1875-4a3b-a3a4-63a5701e8e8b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1ea61a0945bde3c6f41e12bc01928d37</Content> </IndicatorItem> <IndicatorItem id="e37a42ad-39b9-4ed7-a8ff-b4f8684943ed" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9675827a495f4ba6a4efd4dd70932b7c</Content> </IndicatorItem> <!-- The Content of the next item is the Base64 encoding of the ASCII text "CreateProcessA". This string item has no matching cybox:Observable idref in this indicator's Observable_Composition (the file header describes the CybOX conversion as lossy), so a consumer that reads only the CybOX observables will not match on it. --> <IndicatorItem id="03fdd2c1-02bc-4676-8354-5ed3c7c4895b" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">Q3JlYXRlUHJvY2Vzc0E=</Content> <Comment>a string common to variants of this malware family</Comment> </IndicatorItem> <Indicator operator="AND" id="7ba9acb2-f5bf-4ce7-8856-3cc8245e57e6"> <Indicator operator="OR" id="7f3694b8-d6b7-4d8f-b3d3-d96e84d430b9"> <IndicatorItem id="5a737131-9ed6-4547-91ca-30d5dc566db8" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">32768</Content> </IndicatorItem> <IndicatorItem id="b5a329f6-8fc2-489d-87b8-3449788bc351" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">73728</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="928bb56d-8c59-423b-9c26-2b74d53d0167"> <IndicatorItem id="2415ff42-a418-40b1-8349-ad97ac0b1236" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-05-07T03:19:17Z</Content> </IndicatorItem> <IndicatorItem id="48e392bc-c065-48b0-882e-75fad379fefb" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-05-28T08:12:40Z</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="5e272482-3508-49f3-a7f5-34144797bfba"> <IndicatorItem 
id="2e22d803-b6c3-4ec7-9e13-5469062c0e38" condition="contains"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">AcroRd32.exe</Content> </IndicatorItem> <IndicatorItem id="9fffb9ef-eda3-461f-bf24-b7c8f8013b5c" condition="contains"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">hkcmd.exe</Content> </IndicatorItem> <IndicatorItem id="11c8d961-aaf6-4c39-b5f3-3b9d3045ce3e" condition="contains"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">svchost.exe</Content> </IndicatorItem> <IndicatorItem id="4a7d498b-db58-4be5-acb0-921c245b4728" condition="contains"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">google.exe</Content> </IndicatorItem> <IndicatorItem id="dd7d606f-ffe7-45b6-b8e3-36c8690b0038" condition="contains"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">wins.exe</Content> </IndicatorItem> <IndicatorItem id="b3381a0d-e6ef-4409-b2b0-4baa10e434be" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>anomaly detected in some samples</Comment> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="28489857-43de-4d8b-b5db-0d2919eb2af1"> <IndicatorItem id="503abed0-b00b-4f4e-94fe-9ebc6abaffdd" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">Software\Microsoft\Windows\CurrentVersion\Run\load</Content> <Comment>A registry key added for persistence</Comment> </IndicatorItem> <Indicator operator="OR" id="51833c9d-8b60-49f1-963a-57433af193c6"> <IndicatorItem id="58567037-88d8-4110-8af9-23e7b6f3e7ef" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">acrord32.exe</Content> 
</IndicatorItem> <IndicatorItem id="c8897027-e093-481e-82db-87357e11d559" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">hkcmd.exe</Content> </IndicatorItem> <IndicatorItem id="33aa7a58-6dc9-4a8a-855d-edf010502466" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">wins.exe</Content> </IndicatorItem> <IndicatorItem id="3af073a8-52c5-48a7-b9c9-ca4e8916e5e6" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">svchost.exe</Content> </IndicatorItem> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-be16e289-114e-4f01-bc85-aa72f03a50dc"> <indicator:Title>KURTON (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> This family of malware is a backdoor that tunnels its connection through a preconfigured proxy. The malware communicates with a remote command and control server over HTTPS via the proxy. The malware installs itself as a Windows service with a service name supplied by the attacker but defaults to IPRIP if no service name is provided during install. 
</indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-bfacd096-32e2-44de-9e7d-5ff612fcdb22"/> <cybox:Observable idref="mandiant:observable-23be8553-e380-423b-8b55-4e693b9600c8"/> <cybox:Observable idref="mandiant:observable-0b2a758e-7bc2-4b5d-bfe0-f931eb85ef8d"/> <cybox:Observable idref="mandiant:observable-2edba2c3-8ef4-477b-8768-8ff5090f84e4"/> <cybox:Observable id="mandiant:observable-1807545a-0748-466b-b0ff-e26ba04686bd"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-db60146a-eedf-435d-a41c-aa6cbbd19be3"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-a279e61c-f3ff-4778-b395-1659b60c3c16"/> <cybox:Observable idref="mandiant:observable-e4ecdcd4-e23f-4ddd-9b7e-0323a11f6e99"/> <cybox:Observable idref="mandiant:observable-919d592f-238f-44f8-ad0f-a5d81e8aa2e7"/> <cybox:Observable idref="mandiant:observable-539af7eb-87df-4d74-8d25-d56f90413850"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-3b11c46d-1e5a-4b28-9b2a-5485154baf00"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-a79936cb-12fb-4262-92b0-cea2db4901d7"/> <cybox:Observable idref="mandiant:observable-38e8480a-845d-452d-aef9-3b4eb29ca675"/> <cybox:Observable idref="mandiant:observable-8ed59326-294f-4c1a-aee1-6ef2fa1ee6ca"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-b836f229-1979-4d40-93ad-b9bdf6f26917"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-b220f7cc-74e0-413e-a4f7-550f6937ec5e"/> <cybox:Observable idref="mandiant:observable-a477bfb8-74ce-4ffe-940d-6b5d17430959"/> <cybox:Observable idref="mandiant:observable-9f6c79fb-8a62-4024-8b6d-49563dbfe2a2"/> <cybox:Observable idref="mandiant:observable-4bde46ca-96a1-46ef-9ad1-ba3ee503d463"/> 
</cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-bc9c47b4-a3e7-48f5-a260-442b731e9217"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-0eb42182-ba04-4cf0-b139-9847a52d6698"/> <cybox:Observable idref="mandiant:observable-f41124ad-3629-449f-b6da-bcb4bb52433d"/> <cybox:Observable idref="mandiant:observable-d7b99f36-17cb-4c1b-a0a2-d17507b4104c"/> <cybox:Observable idref="mandiant:observable-eb37ece6-6f30-4dac-a297-910bdc1a334d"/> <cybox:Observable idref="mandiant:observable-0620bee8-aaf8-4747-ac24-5f300d266ac5"/> <cybox:Observable idref="mandiant:observable-53b3e98b-08ed-4b90-8595-dc16dbb2e0c7"/> <cybox:Observable idref="mandiant:observable-ad644aea-2dc8-4768-aa11-731b8ffa54ff"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="32b168e6-dbd6-4d56-ba2f-734553239efe" last-modified="2013-02-10T13:00:00"> <short_description>KURTON (FAMILY)</short_description> <description>This family of malware is a backdoor that tunnels its connection through a preconfigured proxy. The malware communicates with a remote command and control server over HTTPS via the proxy. 
The malware installs itself as a Windows service with a service name supplied by the attacker but defaults to IPRIP if no service name is provided during install.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">KURTON</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Backdoor</link> </links> <definition> <Indicator operator="OR" id="be16e289-114e-4f01-bc85-aa72f03a50dc"> <IndicatorItem id="bfacd096-32e2-44de-9e7d-5ff612fcdb22" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b1838a6c341260fbdaf288795cc63900</Content> </IndicatorItem> <IndicatorItem id="23be8553-e380-423b-8b55-4e693b9600c8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ff9aa093a37819af65a06046ea0c830c</Content> </IndicatorItem> <IndicatorItem id="0b2a758e-7bc2-4b5d-bfe0-f931eb85ef8d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">dc78fd49b7f39fa3bb06b927e8413dd0</Content> </IndicatorItem> <IndicatorItem id="2edba2c3-8ef4-477b-8768-8ff5090f84e4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">57cfef3e32e60df11b8d2c5375f3185c</Content> </IndicatorItem> <Indicator operator="AND" id="1807545a-0748-466b-b0ff-e26ba04686bd"> <Indicator operator="OR" id="db60146a-eedf-435d-a41c-aa6cbbd19be3"> <IndicatorItem id="a279e61c-f3ff-4778-b395-1659b60c3c16" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">nwsapagent.dll</Content> </IndicatorItem> <IndicatorItem id="e4ecdcd4-e23f-4ddd-9b7e-0323a11f6e99" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">cclient.exe</Content> </IndicatorItem> <IndicatorItem id="919d592f-238f-44f8-ad0f-a5d81e8aa2e7" condition="is"> 
<Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">iprip32.dll</Content> </IndicatorItem> <IndicatorItem id="539af7eb-87df-4d74-8d25-d56f90413850" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="3b11c46d-1e5a-4b28-9b2a-5485154baf00"> <IndicatorItem id="a79936cb-12fb-4262-92b0-cea2db4901d7" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">151552</Content> </IndicatorItem> <IndicatorItem id="38e8480a-845d-452d-aef9-3b4eb29ca675" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">155648</Content> </IndicatorItem> <IndicatorItem id="8ed59326-294f-4c1a-aee1-6ef2fa1ee6ca" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">159744</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="b836f229-1979-4d40-93ad-b9bdf6f26917"> <IndicatorItem id="b220f7cc-74e0-413e-a4f7-550f6937ec5e" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-05-24T02:42:22Z</Content> </IndicatorItem> <IndicatorItem id="a477bfb8-74ce-4ffe-940d-6b5d17430959" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-05-29T07:35:54Z</Content> </IndicatorItem> <IndicatorItem id="9f6c79fb-8a62-4024-8b6d-49563dbfe2a2" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-06-29T08:30:40Z</Content> </IndicatorItem> <IndicatorItem id="4bde46ca-96a1-46ef-9ad1-ba3ee503d463" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" 
type="mir"/> <Content type="date">2012-06-01T08:53:23Z</Content> </IndicatorItem> </Indicator> </Indicator> <!-- Export-table group (AND): this group matches only if the export DLL name is PCShareH.dll, each of the five listed function names is exported, and NumberOfFunctions is 5. Every item in this group has a cybox:Observable idref in this indicator's Observable_Composition. --> <Indicator operator="AND" id="bc9c47b4-a3e7-48f5-a260-442b731e9217"> <IndicatorItem id="0eb42182-ba04-4cf0-b139-9847a52d6698" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">PCShareH.dll</Content> <Comment>describes DLL attributes common to this family</Comment> </IndicatorItem> <IndicatorItem id="f41124ad-3629-449f-b6da-bcb4bb52433d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">UninstallService</Content> </IndicatorItem> <IndicatorItem id="d7b99f36-17cb-4c1b-a0a2-d17507b4104c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">InstallService</Content> </IndicatorItem> <IndicatorItem id="eb37ece6-6f30-4dac-a297-910bdc1a334d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">RundllInstallA</Content> </IndicatorItem> <IndicatorItem id="0620bee8-aaf8-4747-ac24-5f300d266ac5" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">RundllUninstallA</Content> </IndicatorItem> <IndicatorItem id="53b3e98b-08ed-4b90-8595-dc16dbb2e0c7" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">ServiceMain</Content> </IndicatorItem> <IndicatorItem id="ad644aea-2dc8-4768-aa11-731b8ffa54ff" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/NumberOfFunctions" type="mir"/> <Content type="int">5</Content> </IndicatorItem> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> 
<stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-34a5f05a-f830-4d55-bb09-c1e8745a998d"> <indicator:Title>MINIASP (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> This family of malware consists of backdoors that attempt to fetch encoded commands over HTTP. The malware is capable of downloading a file, downloading and executing a file, executing arbitrary shell commands, or sleeping a specified interval. </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-7ebca5f2-2b13-4422-9bb1-b63d1eb04a22"/> <cybox:Observable idref="mandiant:observable-ab8860f7-0ef1-4933-bd94-9501717aa348"/> <cybox:Observable idref="mandiant:observable-5f3d57ff-610b-48c2-8417-1dd10dad9939"/> <cybox:Observable idref="mandiant:observable-e7039ae1-5b5b-4908-8e82-bd78769cfc9a"/> <cybox:Observable idref="mandiant:observable-f3742769-61fb-4de7-b257-fcc60a01507e"/> <cybox:Observable idref="mandiant:observable-60fc1671-3ae4-4aeb-b222-0899d1b5888f"/> <cybox:Observable id="mandiant:observable-5a0df84f-8cb8-4ab6-854b-4a37a96164ea"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-ea03cbab-17bd-41c5-8c55-e8e91cfcf354"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-df92717a-a7ea-4afc-b7b9-a523b19b4324"/> <cybox:Observable idref="mandiant:observable-d41a75fd-8083-4b7a-9f1a-a514146a079a"/> <cybox:Observable idref="mandiant:observable-a1fc93dd-571c-403e-9eda-94a190489687"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-4c5327fe-83f5-429b-9943-f8c8adae2fd7"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-aa42802b-6766-4cda-84d5-595e384b39ec"/> <cybox:Observable idref="mandiant:observable-2d663d81-6681-4deb-b7ef-4e6c710b3dcf"/> 
<cybox:Observable idref="mandiant:observable-d7762c98-0dd0-4c9a-a449-9043e6510c70"/> <cybox:Observable idref="mandiant:observable-e21f4677-be4d-456b-a847-08e0e6c39b0f"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-4515a703-481b-46a6-b843-866e651dd5b5"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-bcd34f8a-8828-479d-bbfd-f371ae439606"/> <cybox:Observable idref="mandiant:observable-a63d9d35-d375-4c88-8d5b-0becafd94da0"/> <cybox:Observable idref="mandiant:observable-72dda272-72e5-4009-b0cd-559b1dab182f"/> <cybox:Observable idref="mandiant:observable-22bda1e4-5ed4-4212-86a9-a62172dec217"/> <cybox:Observable idref="mandiant:observable-d76a0387-eb69-472b-98ea-ee4b3ecb13d3"/> <cybox:Observable idref="mandiant:observable-1c31343b-beaf-41ab-b954-7602eb7e5c5c"/> <cybox:Observable idref="mandiant:observable-d6c354bb-9b63-48d3-8d7f-a82811cc9ffb"/> <cybox:Observable idref="mandiant:observable-d40244c9-69f3-4e20-a945-4d30ce050392"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="3433dad8-879e-40d9-98b3-92ddc75f0dcd" last-modified="2013-02-10T13:00:00"> <short_description>MINIASP (FAMILY)</short_description> <description>This family of malware consists of backdoors that attempt to fetch encoded commands over HTTP. 
The malware is capable of downloading a file, downloading and executing a file, executing arbitrary shell commands, or sleeping a specified interval.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="Family">MINIASP</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Backdoor</link> </links> <definition> <Indicator operator="OR" id="34a5f05a-f830-4d55-bb09-c1e8745a998d"> <IndicatorItem id="7ebca5f2-2b13-4422-9bb1-b63d1eb04a22" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6eebee2aebd5194db62cb8230502378c</Content> </IndicatorItem> <IndicatorItem id="ab8860f7-0ef1-4933-bd94-9501717aa348" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">620c6a6cff832e35090487680123f52b</Content> </IndicatorItem> <IndicatorItem id="5f3d57ff-610b-48c2-8417-1dd10dad9939" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">81b03cbcfc4b9d090cd8f5e5da816895</Content> </IndicatorItem> <IndicatorItem id="e7039ae1-5b5b-4908-8e82-bd78769cfc9a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e476e4a24f8b4ff4c8a0b260aa35fc9f</Content> </IndicatorItem> <IndicatorItem id="f3742769-61fb-4de7-b257-fcc60a01507e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">77fbfed235d6062212a3e43211a5706e</Content> </IndicatorItem> <IndicatorItem id="60fc1671-3ae4-4aeb-b222-0899d1b5888f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">52509abd1cc7b7fb391b19929e0d99c0</Content> </IndicatorItem> <IndicatorItem id="1ca7eba3-263b-4fa7-8141-e69e58ed2d40" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">miniasp</Content> 
<Comment>unique strings found in most samples in family</Comment> </IndicatorItem> <!-- The four FileItem/StringList/string items in this definition (ids beginning 1ca7eba3, 09cd0494, 39d9bd47 and 0d6e8bad) have no matching cybox:Observable idref in this indicator's Observable_Composition; the file header describes the CybOX conversion as lossy. A consumer that reads only the CybOX observables will not match on these strings. Three of the four use condition="is" (exact match); only the record.asp format string uses "contains". --> <IndicatorItem id="09cd0494-702c-4fe2-bbd4-29538cb3b685" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">http://%s/record.asp?device_t=%s</Content> <Comment>unique strings found in most samples in family</Comment> </IndicatorItem> <IndicatorItem id="39d9bd47-612c-4aeb-8e79-76acb99f9f0b" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">open internet failed...</Content> <Comment>unique strings found in most samples in family</Comment> </IndicatorItem> <IndicatorItem id="0d6e8bad-30e5-4cca-abcb-893d88074d30" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">q0nc9w8edaoiuk2mzrfy3xt1p5ls67g4bvhj</Content> <Comment>unique strings found in most samples in family</Comment> </IndicatorItem> <Indicator operator="AND" id="5a0df84f-8cb8-4ab6-854b-4a37a96164ea"> <Indicator operator="OR" id="ea03cbab-17bd-41c5-8c55-e8e91cfcf354"> <IndicatorItem id="df92717a-a7ea-4afc-b7b9-a523b19b4324" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">28160</Content> </IndicatorItem> <IndicatorItem id="d41a75fd-8083-4b7a-9f1a-a514146a079a" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">497783</Content> </IndicatorItem> <IndicatorItem id="a1fc93dd-571c-403e-9eda-94a190489687" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">56320</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="4c5327fe-83f5-429b-9943-f8c8adae2fd7"> <IndicatorItem id="aa42802b-6766-4cda-84d5-595e384b39ec" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content 
type="date">2011-10-14T08:20:10Z</Content> </IndicatorItem> <IndicatorItem id="2d663d81-6681-4deb-b7ef-4e6c710b3dcf" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-10-23T07:42:47Z</Content> </IndicatorItem> <IndicatorItem id="d7762c98-0dd0-4c9a-a449-9043e6510c70" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-06-04T12:57:35Z</Content> </IndicatorItem> <IndicatorItem id="e21f4677-be4d-456b-a847-08e0e6c39b0f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-06-09T13:19:49Z</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="4515a703-481b-46a6-b843-866e651dd5b5"> <IndicatorItem id="bcd34f8a-8828-479d-bbfd-f371ae439606" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">acrord32ram.exe</Content> </IndicatorItem> <IndicatorItem id="a63d9d35-d375-4c88-8d5b-0becafd94da0" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">winword.exe</Content> </IndicatorItem> <IndicatorItem id="72dda272-72e5-4009-b0cd-559b1dab182f" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">acrord32.exe</Content> </IndicatorItem> <IndicatorItem id="22bda1e4-5ed4-4212-86a9-a62172dec217" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">ituneshelper.exe</Content> </IndicatorItem> <IndicatorItem id="d76a0387-eb69-472b-98ea-ee4b3ecb13d3" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">power_gen_2012.exe</Content> </IndicatorItem> <IndicatorItem id="1c31343b-beaf-41ab-b954-7602eb7e5c5c" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" 
type="mir"/> <Content type="string">checksum_mismatch</Content> <Comment>anomaly found in some samples</Comment> </IndicatorItem> <IndicatorItem id="d6c354bb-9b63-48d3-8d7f-a82811cc9ffb" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>anomaly found in some samples</Comment> </IndicatorItem> <IndicatorItem id="d40244c9-69f3-4e20-a945-4d30ce050392" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">contains_eof_data</Content> <Comment>anomaly found in some samples</Comment> </IndicatorItem> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-706a8e36-77d0-41bb-81b4-05ca92f4d2d1"> <indicator:Title>MANITSME (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> This family of malware will beacon out at random intervals to the remote attacker. The attacker can run programs, execute arbitrary commands, and easily upload and download files. This IOC looks for both the dropper file and the backdoor. 
</indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-b0a048ce-a039-4498-855c-f26b4f2cecfb"/> <cybox:Observable idref="mandiant:observable-097e4f85-860b-49d1-b37a-701bbeb59345"/> <cybox:Observable id="mandiant:observable-6f32e0aa-00e0-4f32-94e7-b2a5d3afdfa9"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-21967ba1-c2d1-4d0c-9669-064a02d2d0da"/> <cybox:Observable idref="mandiant:observable-ea548f23-0490-492a-b7fc-2c7b69f8edb8"/> <cybox:Observable idref="mandiant:observable-4e3d7037-392f-466a-82ff-8dad6a4aeecc"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-7e33dc1a-90cb-4025-b6d0-3aafa255d92d"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-64f6473e-ce8c-4a26-ac08-1babd0cda245"/> <cybox:Observable idref="mandiant:observable-28447a30-760f-4804-8d4d-1d8ecb843328"/> <cybox:Observable idref="mandiant:observable-ff742dd5-23da-44d3-b2dc-a2df5dcc688f"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="3e01b786-fe3a-4228-95fa-c3986e2353d6" last-modified="2013-02-10T13:00:00"> <short_description>MANITSME (FAMILY)</short_description> <description>This family of malware will beacon out at random intervals to the remote attacker. The attacker can run programs, execute arbitrary commands, and easily upload and download files. 
This IOC looks for both the dropper file and the backdoor.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">MANITSME</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Backdoor</link> <link rel="capability">Dropper</link> </links> <definition> <Indicator operator="OR" id="706a8e36-77d0-41bb-81b4-05ca92f4d2d1"> <IndicatorItem id="b0a048ce-a039-4498-855c-f26b4f2cecfb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0285bd1fbdd70fd5165260a490564ac8</Content> <Comment>signature of backdoor dll</Comment> </IndicatorItem> <IndicatorItem id="097e4f85-860b-49d1-b37a-701bbeb59345" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9c03ab63a45d29aee90b72ae89f2f613</Content> <Comment>signature of dropper</Comment> </IndicatorItem> <IndicatorItem id="04bbcfe6-4f68-43f6-a999-415c1dd873a3" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">v1.0 No Doubt to Hack You, Writed by UglyGorilla, 06/29/2007</Content> <Comment>unique string in dropper</Comment> </IndicatorItem> <IndicatorItem id="206d0847-daf6-4d49-93b6-f9cd842ed30f" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">d:\My Documents\Visual Studio Projects\rouji\release\Install.pdb</Content> </IndicatorItem> <Indicator operator="AND" id="6f32e0aa-00e0-4f32-94e7-b2a5d3afdfa9"> <IndicatorItem id="21967ba1-c2d1-4d0c-9669-064a02d2d0da" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">newdll.dll</Content> </IndicatorItem> <IndicatorItem id="ea548f23-0490-492a-b7fc-2c7b69f8edb8" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content 
type="date">2007-09-06T13:13:09Z</Content> </IndicatorItem> <IndicatorItem id="4e3d7037-392f-466a-82ff-8dad6a4aeecc" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">84480</Content> </IndicatorItem> </Indicator> <Indicator operator="AND" id="7e33dc1a-90cb-4025-b6d0-3aafa255d92d"> <IndicatorItem id="64f6473e-ce8c-4a26-ac08-1babd0cda245" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">install_ela.exe</Content> </IndicatorItem> <IndicatorItem id="28447a30-760f-4804-8d4d-1d8ecb843328" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2007-09-06T13:13:17Z</Content> </IndicatorItem> <IndicatorItem id="ff742dd5-23da-44d3-b2dc-a2df5dcc688f" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">224768</Content> </IndicatorItem> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-32ce1273-fc66-4de6-9e1d-fc6c55cdcae9"> <indicator:Title>SEASALT (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> The SEASALT malware family communicates via a custom binary protocol. It is capable of gathering some basic system information, file system manipulation, file upload and download, process creation and termination, and spawning an interactive reverse shell. The malware maintains persistence by installing itself as a service. 
</indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-c8670f17-d6cb-4b86-8fa7-0c9db006b143"/> <cybox:Observable idref="mandiant:observable-100ef811-c6bd-436c-8909-d051eca97bc6"/> <cybox:Observable idref="mandiant:observable-3ad926e8-236a-42c1-b6c5-f4649b94a563"/> <cybox:Observable idref="mandiant:observable-5d129eb0-7dc9-4d5f-b323-56ec74f8a859"/> <cybox:Observable idref="mandiant:observable-60bf3398-cd2d-43ae-bd8a-423a87125e67"/> <cybox:Observable id="mandiant:observable-013f14d6-7b2c-44f8-b7ee-8f769877fc21"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-1251ad3a-36cc-46df-b867-5b999c950d37"/> <cybox:Observable idref="mandiant:observable-7c63fc4c-c42d-4400-92ca-7e5d9f439d7f"/> <cybox:Observable id="mandiant:observable-477e673c-856f-4140-9174-7923a5b1aae5"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-70888c05-d5fb-4161-9f11-c061aaca8e25"/> <cybox:Observable idref="mandiant:observable-663ea2a0-6c4d-4fdb-b1c4-84e444fb5090"/> <cybox:Observable idref="mandiant:observable-4a513012-d94c-4147-8817-ed0a60abdbad"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-c09921da-3789-4179-b2a3-0a2dd7c5e922"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-8f21de18-1b81-4553-9fa3-2af23053842c"/> <cybox:Observable idref="mandiant:observable-a6eb457c-fe70-43fc-8f4e-606c7d417f1b"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-6c096bb3-a4bb-42d6-956e-f7ed025e8913"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-b6ed3588-18fc-4c76-b53b-c01aabdd5f92"/> <cybox:Observable idref="mandiant:observable-4a5c4267-9edd-47ee-8945-20e24278834e"/> </cybox:Observable_Composition> </cybox:Observable> 
<cybox:Observable id="mandiant:observable-7a417b6b-390c-453f-aa42-fbc594b659a1"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-0bb5a610-2702-4862-a664-f6db36f3947b"/> <cybox:Observable idref="mandiant:observable-1e7493c7-a12b-4978-b657-fd1b90314d12"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-95ac7e1f-1688-4cc6-ba49-2f4d7099b47f"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-5c5b382e-cdfd-469e-a024-4e52db2e423b"/> </cybox:Observable_Composition> </cybox:Observable> <!-- NOTE(review): lossy conversion. In the OpenIOC definition that follows, AND group 95ac7e1f pairs the ServiceItem/serviceDLL item (5c5b382e) with ServiceItem/serviceDLLSignatureVerified is "False" (item 03c417cc-4947-4ddc-ad3c-c11830f8fe08). The composition above references only 5c5b382e, so it is presumably broader than the IOC it was generated from and may match signed service DLLs as well. Top-level item 081620ae-92ba-47ef-a37b-b953eae96f88 (ServiceItem/descriptiveName) likewise has no observable reference in this composition. Evaluate the embedded OpenIOC when precision matters. --> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="4a2c5f60-f4c0-4844-ba1f-a14dac9fa36c" last-modified="2013-02-10T13:00:00"> <short_description>SEASALT (FAMILY)</short_description> <description>The SEASALT malware family communicates via a custom binary protocol. It is capable of gathering some basic system information, file system manipulation, file upload and download, process creation and termination, and spawning an interactive reverse shell. 
The malware maintains persistence by installing itself as a service.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="category">Backdoor</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="family">SEASALT</link> </links> <definition> <Indicator operator="OR" id="32ce1273-fc66-4de6-9e1d-fc6c55cdcae9"> <IndicatorItem id="c8670f17-d6cb-4b86-8fa7-0c9db006b143" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f0726aadcf5d66daf528f79ba8507113</Content> </IndicatorItem> <IndicatorItem id="100ef811-c6bd-436c-8909-d051eca97bc6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5e0df5b28a349d46ac8cc7d9e5e61a96</Content> </IndicatorItem> <IndicatorItem id="3ad926e8-236a-42c1-b6c5-f4649b94a563" condition="contains"> <Context document="ServiceItem" search="ServiceItem/name" type="mir"/> <Content type="string">SaSaut</Content> </IndicatorItem> <IndicatorItem id="081620ae-92ba-47ef-a37b-b953eae96f88" condition="contains"> <Context document="ServiceItem" search="ServiceItem/descriptiveName" type="mir"/> <Content type="string">System Authorization Service</Content> </IndicatorItem> <IndicatorItem id="5d129eb0-7dc9-4d5f-b323-56ec74f8a859" condition="contains"> <Context document="ServiceItem" search="ServiceItem/description" type="mir"/> <Content type="string">Authorization and authentication service for starting and accessing machines.</Content> </IndicatorItem> <IndicatorItem id="60bf3398-cd2d-43ae-bd8a-423a87125e67" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">CurrentVersion\SvcHost\SaSaut</Content> </IndicatorItem> <Indicator operator="AND" id="013f14d6-7b2c-44f8-b7ee-8f769877fc21"> <IndicatorItem id="1251ad3a-36cc-46df-b867-5b999c950d37" condition="is"> <Context document="FileItem" 
search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> <IndicatorItem id="7c63fc4c-c42d-4400-92ca-7e5d9f439d7f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">contains_eof_data</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> <Indicator operator="OR" id="477e673c-856f-4140-9174-7923a5b1aae5"> <IndicatorItem id="70888c05-d5fb-4161-9f11-c061aaca8e25" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">setup.dll</Content> </IndicatorItem> <IndicatorItem id="663ea2a0-6c4d-4fdb-b1c4-84e444fb5090" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">spool.exe</Content> </IndicatorItem> <IndicatorItem id="4a513012-d94c-4147-8817-ed0a60abdbad" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-03-30T09:00:00Z TO 2010-03-30T12:00:00Z</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="c09921da-3789-4179-b2a3-0a2dd7c5e922"> <IndicatorItem id="8f21de18-1b81-4553-9fa3-2af23053842c" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">37376</Content> </IndicatorItem> <IndicatorItem id="a6eb457c-fe70-43fc-8f4e-606c7d417f1b" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">50176</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="6c096bb3-a4bb-42d6-956e-f7ed025e8913"> <IndicatorItem id="b6ed3588-18fc-4c76-b53b-c01aabdd5f92" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">svc.dll</Content> </IndicatorItem> 
<IndicatorItem id="4a5c4267-9edd-47ee-8945-20e24278834e" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">MyService</Content> </IndicatorItem> </Indicator> <Indicator operator="AND" id="7a417b6b-390c-453f-aa42-fbc594b659a1"> <IndicatorItem id="0bb5a610-2702-4862-a664-f6db36f3947b" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">java.exe</Content> </IndicatorItem> <IndicatorItem id="1e7493c7-a12b-4978-b657-fd1b90314d12" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">CurrentVersion\Run\sysinfo</Content> </IndicatorItem> </Indicator> <Indicator operator="AND" id="95ac7e1f-1688-4cc6-ba49-2f4d7099b47f"> <IndicatorItem id="5c5b382e-cdfd-469e-a024-4e52db2e423b" condition="contains"> <Context document="ServiceItem" search="ServiceItem/serviceDLL" type="mir"/> <Content type="string">\setup.dll</Content> </IndicatorItem> <IndicatorItem id="03c417cc-4947-4ddc-ad3c-c11830f8fe08" condition="is"> <Context document="ServiceItem" search="ServiceItem/serviceDLLSignatureVerified" type="mir"/> <Content type="string">False</Content> </IndicatorItem> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-9658ae72-3f2c-4fa9-850b-aa86e8d976d6"> <indicator:Title>WEBC2-AUSOV (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Downloader</indicator:Type> <indicator:Description> A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. 
This malware family is only a downloader which operates over the HTTP protocol with a hard-coded URL. If directed, it has the capability to download, decompress, and execute compressed binaries. </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-edca262c-6b9e-4d7a-80ad-c8abff8668b2"/> <cybox:Observable idref="mandiant:observable-4da666d4-0544-433a-9942-5e3037941347"/> <cybox:Observable idref="mandiant:observable-40c51ba7-3b1d-4f63-b2b2-eba5b0a3075f"/> <cybox:Observable idref="mandiant:observable-e2dfd549-70d0-4334-b2cf-37bb7ba61d4e"/> <cybox:Observable idref="mandiant:observable-1eb256c6-771b-482a-b2e4-1adcc4be3e49"/> <cybox:Observable idref="mandiant:observable-523fdee8-4585-44d7-a09a-f3759fa9d3bb"/> <cybox:Observable idref="mandiant:observable-c906b618-c178-4359-9c21-d6ab01c5f216"/> <cybox:Observable id="mandiant:observable-38b38b8e-13ef-4e5c-b133-fb58e291db65"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-b422d6af-2868-4b3d-96e0-cee26fb32b55"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-476fdea7-906d-4da0-8fa9-237e02ae8ddb"/> <cybox:Observable idref="mandiant:observable-0a30ed8a-70af-48a8-8a0a-ed25d5a4230c"/> <cybox:Observable idref="mandiant:observable-89cdc57a-f38f-464f-a759-53cf31f216f3"/> <cybox:Observable idref="mandiant:observable-549bb9fe-d79e-4cba-9eaa-6ccd0be147a1"/> <cybox:Observable idref="mandiant:observable-816c7fc0-fbc9-4994-898e-49cb1cdc7c5d"/> <cybox:Observable idref="mandiant:observable-05c6d75d-cc7e-4d43-afed-2f5851f3a202"/> <cybox:Observable idref="mandiant:observable-9da6a4f2-5c4f-4ad8-9827-5d544381f9a0"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-c447d42c-8fde-4c1e-808e-cbdd699db758"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-dbf1e175-bcd9-4132-8b2f-be7398504c21"/> 
<cybox:Observable idref="mandiant:observable-068c2755-2a59-4e26-b2f2-62ba735d8651"/> <cybox:Observable idref="mandiant:observable-32180006-a3cd-41f3-b13f-7395af4d46e2"/> <cybox:Observable idref="mandiant:observable-5766bb13-64b5-4aec-a10d-4c92a044888a"/> <cybox:Observable idref="mandiant:observable-577c1afb-6741-47a6-ae85-82867f176a80"/> <cybox:Observable idref="mandiant:observable-9d91eda7-c3d9-464b-af83-f71e4b14a842"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-7d403b28-efd8-4e99-91ed-030231105ce6"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-4f87c102-e2d7-41ba-864b-6d8a2e1f2aac"/> <cybox:Observable idref="mandiant:observable-fb0db4fb-6694-4626-9d3a-7a25960bf4e9"/> <cybox:Observable idref="mandiant:observable-2c84422e-c3cb-4273-8ce8-ccde31ac8f6d"/> <cybox:Observable idref="mandiant:observable-3abd846c-45c9-45f5-aadb-b2a4acc70289"/> <cybox:Observable idref="mandiant:observable-862e3e8b-4964-48fb-9f70-ff4be36151ed"/> <cybox:Observable idref="mandiant:observable-b5a25419-7c45-46ab-a4cf-27f2308eee21"/> <cybox:Observable idref="mandiant:observable-b9ab076b-3b64-4dae-89d9-45072a19b699"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <!-- References WEBC2 TTP rather than main APT1 TTP --> <stixCommon:TTP idref="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="4d1ced5f-fe47-4ba4-be0e-81d547f3aa8a" last-modified="2013-02-10T13:00:00"> <short_description>WEBC2-AUSOV (FAMILY)</short_description> <description>A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. 
It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This malware family is only a downloader which operates over the HTTP protocol with a hard-coded URL. If directed, it has the capability to download, decompress, and execute compressed binaries.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">WEBC2-AUSOV</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Downloader</link> </links> <definition> <Indicator operator="OR" id="9658ae72-3f2c-4fa9-850b-aa86e8d976d6"> <IndicatorItem id="edca262c-6b9e-4d7a-80ad-c8abff8668b2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a40e20ff8b991308f508239625f275d8</Content> </IndicatorItem> <IndicatorItem id="4da666d4-0544-433a-9942-5e3037941347" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6e442c5ef460bee4c9457c6bf7a132d6</Content> </IndicatorItem> <IndicatorItem id="40c51ba7-3b1d-4f63-b2b2-eba5b0a3075f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a9993969be3ea340d420eea5868c0d1d</Content> </IndicatorItem> <IndicatorItem id="e2dfd549-70d0-4334-b2cf-37bb7ba61d4e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cb3a9d7505be48019e242fbccc7e5f6b</Content> </IndicatorItem> <IndicatorItem id="1eb256c6-771b-482a-b2e4-1adcc4be3e49" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5e33a9835bced338cb1959c347ac6798</Content> </IndicatorItem> <IndicatorItem id="523fdee8-4585-44d7-a09a-f3759fa9d3bb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d262cb8267beb0e218f6d11d6af9052e</Content> </IndicatorItem> 
<IndicatorItem id="c906b618-c178-4359-9c21-d6ab01c5f216" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">097b5abb53a3d84fa9eabda02fef9e91</Content> </IndicatorItem> <Indicator operator="AND" id="38b38b8e-13ef-4e5c-b133-fb58e291db65"> <Indicator operator="OR" id="b422d6af-2868-4b3d-96e0-cee26fb32b55"> <IndicatorItem id="476fdea7-906d-4da0-8fa9-237e02ae8ddb" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">internat.exe</Content> </IndicatorItem> <IndicatorItem id="0a30ed8a-70af-48a8-8a0a-ed25d5a4230c" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">ntshrui.dll</Content> </IndicatorItem> <IndicatorItem id="89cdc57a-f38f-464f-a759-53cf31f216f3" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">internat1.exe</Content> </IndicatorItem> <IndicatorItem id="549bb9fe-d79e-4cba-9eaa-6ccd0be147a1" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">iprinp32.dll</Content> </IndicatorItem> <IndicatorItem id="816c7fc0-fbc9-4994-898e-49cb1cdc7c5d" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">svchost.exe</Content> </IndicatorItem> <IndicatorItem id="05c6d75d-cc7e-4d43-afed-2f5851f3a202" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">contains_eof_data</Content> <Comment>PE Header Anomaly identified in 29% samples.</Comment> </IndicatorItem> <IndicatorItem id="9da6a4f2-5c4f-4ad8-9827-5d544381f9a0" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> </Indicator> <Indicator 
operator="OR" id="c447d42c-8fde-4c1e-808e-cbdd699db758"> <IndicatorItem id="dbf1e175-bcd9-4132-8b2f-be7398504c21" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">12507</Content> </IndicatorItem> <IndicatorItem id="068c2755-2a59-4e26-b2f2-62ba735d8651" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">24064</Content> </IndicatorItem> <IndicatorItem id="32180006-a3cd-41f3-b13f-7395af4d46e2" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">28962</Content> </IndicatorItem> <IndicatorItem id="5766bb13-64b5-4aec-a10d-4c92a044888a" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">48640</Content> </IndicatorItem> <IndicatorItem id="577c1afb-6741-47a6-ae85-82867f176a80" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">6656</Content> </IndicatorItem> <IndicatorItem id="9d91eda7-c3d9-464b-af83-f71e4b14a842" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">8704</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="7d403b28-efd8-4e99-91ed-030231105ce6"> <IndicatorItem id="4f87c102-e2d7-41ba-864b-6d8a2e1f2aac" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-10-27T08:31:43Z</Content> </IndicatorItem> <IndicatorItem id="fb0db4fb-6694-4626-9d3a-7a25960bf4e9" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-03-16T01:56:49Z</Content> </IndicatorItem> <IndicatorItem id="2c84422e-c3cb-4273-8ce8-ccde31ac8f6d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-03-17T01:31:25Z</Content> </IndicatorItem> 
<IndicatorItem id="3abd846c-45c9-45f5-aadb-b2a4acc70289" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-03-17T03:34:24Z</Content> </IndicatorItem> <IndicatorItem id="862e3e8b-4964-48fb-9f70-ff4be36151ed" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-07-30T09:20:04Z</Content> </IndicatorItem> <IndicatorItem id="b5a25419-7c45-46ab-a4cf-27f2308eee21" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-10-28T07:20:29Z</Content> </IndicatorItem> <IndicatorItem id="b9ab076b-3b64-4dae-89d9-45072a19b699" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-04-23T07:51:28Z</Content> </IndicatorItem> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-85b02254-b7a0-4eaa-876d-bec18dd3c55c"> <indicator:Title>WARP (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> The WARP malware family is an HTTP based backdoor written in C++, and the majority of its code base is borrowed from source code available in the public domain. Network communications are implemented using the same WWW client library (w3c.cpp) available from www.dankrusi.com/file_69653F3336383837.html. The malware has system survey functionality (collects hostname, current user, system uptime, CPU speed, etc.) taken directly from the BO2K backdoor available from www.bo2k.com. It also contains the hard disk identification code found at www.winsim.com/diskid32/diskid32.cpp. 
When WARP is executing remote commands, the malware creates a copy of the '%SYSTEMROOT%\system32\cmd.exe' file as '%USERPROFILE%\Temp\~ISUN32.EXE'. The version signature information of the duplicate executable is zeroed out. Some WARP variants maintain persistence through the use of DLL search order hijacking. </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-81481e39-64c8-4cac-80fc-524f71b30134"/> <cybox:Observable idref="mandiant:observable-5c9e8984-59cd-42b5-8b04-5df58cee48e0"/> <cybox:Observable idref="mandiant:observable-bb42a513-9b0d-4980-940a-9e75d761f361"/> <cybox:Observable idref="mandiant:observable-e6c0075b-6ddb-4a36-b0d4-3a3ac298dccf"/> <cybox:Observable idref="mandiant:observable-bb477ea0-f188-4c7a-b10e-536879f819be"/> <cybox:Observable id="mandiant:observable-fb0c73b7-3abe-4497-b9a0-1531a63aff1b"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-18b42ff6-3ff5-4c01-9700-13d9dbfb1bfe"/> <cybox:Observable id="mandiant:observable-129c816f-7164-4b45-a2b2-195557daa227"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-69abccad-1c5d-4427-ae3f-bb89a1f287af"/> <cybox:Observable idref="mandiant:observable-4f4b5ccc-dba5-4b38-95c1-c7a80c9cbd55"/> <cybox:Observable idref="mandiant:observable-3840e8b2-2d18-4689-94fb-990ff594169d"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-b33a97be-6f2d-405a-aec3-02fb4964faf3"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-94a2f411-294c-41e0-abe1-3ccc21f5844f"/> <cybox:Observable idref="mandiant:observable-511c616e-81ed-405f-9dd8-c104b85418f7"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-3fab5cb6-d9f0-444d-98fb-74dc9ef87c6a"> <cybox:Observable_Composition operator="OR"> <cybox:Observable 
idref="mandiant:observable-6752f4d4-f141-4af0-a8e3-723b4701e315"/> <cybox:Observable idref="mandiant:observable-d827d88a-389b-47c9-a159-25bb46437633"/> <cybox:Observable idref="mandiant:observable-b5d981cc-6185-4d03-abdb-19862ab8d527"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="5477b392-e565-45c5-9cb4-f561d6daeddc" last-modified="2013-02-10T13:00:00"> <short_description>WARP (FAMILY)</short_description> <description>The WARP malware family is an HTTP based backdoor written in C++, and the majority of its code base is borrowed from source code available in the public domain. Network communications are implemented using the same WWW client library (w3c.cpp) available from www.dankrusi.com/file_69653F3336383837.html. The malware has system survey functionality (collects hostname, current user, system uptime, CPU speed, etc.) taken directly from the BO2K backdoor available from www.bo2k.com. It also contains the hard disk identification code found at www.winsim.com/diskid32/diskid32.cpp. When WARP is executing remote commands, the malware creates a copy of the '%SYSTEMROOT%\system32\cmd.exe' file as '%USERPROFILE%\Temp\~ISUN32.EXE'. The version signature information of the duplicate executable is zeroed out. 
Some WARP variants maintain persistence through the use of DLL search order hijacking.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="category">Backdoor</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="family">WARP</link> </links> <definition> <Indicator operator="OR" id="85b02254-b7a0-4eaa-876d-bec18dd3c55c"> <IndicatorItem id="81481e39-64c8-4cac-80fc-524f71b30134" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d9c4ebd61c1aee52b3597aae048a592f</Content> </IndicatorItem> <IndicatorItem id="5c9e8984-59cd-42b5-8b04-5df58cee48e0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c0134285a276ab933e2a2b9b33b103cd</Content> </IndicatorItem> <IndicatorItem id="bb42a513-9b0d-4980-940a-9e75d761f361" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">36cd49ad631e99125a3bb2786e405cea</Content> </IndicatorItem> <IndicatorItem id="e6c0075b-6ddb-4a36-b0d4-3a3ac298dccf" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">Temp\~ISUN32.EXE</Content> </IndicatorItem> <IndicatorItem id="bb477ea0-f188-4c7a-b10e-536879f819be" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">Windows\ntshrui.dll</Content> </IndicatorItem> <Indicator operator="AND" id="fb0c73b7-3abe-4497-b9a0-1531a63aff1b"> <IndicatorItem id="18b42ff6-3ff5-4c01-9700-13d9dbfb1bfe" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> <Indicator operator="OR" id="129c816f-7164-4b45-a2b2-195557daa227"> <IndicatorItem 
id="69abccad-1c5d-4427-ae3f-bb89a1f287af" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">update.exe</Content> </IndicatorItem> <IndicatorItem id="4f4b5ccc-dba5-4b38-95c1-c7a80c9cbd55" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">ntshrui.dll</Content> </IndicatorItem> <IndicatorItem id="3840e8b2-2d18-4689-94fb-990ff594169d" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">netui0.dll</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="b33a97be-6f2d-405a-aec3-02fb4964faf3"> <IndicatorItem id="94a2f411-294c-41e0-abe1-3ccc21f5844f" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">46592</Content> </IndicatorItem> <IndicatorItem id="511c616e-81ed-405f-9dd8-c104b85418f7" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">80896</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="3fab5cb6-d9f0-444d-98fb-74dc9ef87c6a"> <IndicatorItem id="6752f4d4-f141-4af0-a8e3-723b4701e315" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-09-28T12:42:19Z</Content> </IndicatorItem> <IndicatorItem id="d827d88a-389b-47c9-a159-25bb46437633" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-11-06T08:08:37Z</Content> </IndicatorItem> <IndicatorItem id="b5d981cc-6185-4d03-abdb-19862ab8d527" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-12-16T03:14:07Z</Content> </IndicatorItem> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator 
xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-f799cdd4-57ae-40e9-8ee6-bcacc3f39430"> <indicator:Title>WEBC2-CSON (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Downloader</indicator:Type> <indicator:Description> A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family of malware act only as downloaders and droppers for other malware. They communicate with a hard-coded C2 server, reading commands embedded in HTML comment fields. Some variants are executables which act upon execution, others are DLLs which can be attached to services or loaded through search order hijacking. </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-99b0c203-fbaf-4183-ae63-48d0c03a7a81"/> <cybox:Observable idref="mandiant:observable-b72e9e6f-f135-44cd-8e38-60ffd2000af7"/> <cybox:Observable idref="mandiant:observable-e51dac46-9e38-40cd-bd9e-cf9389335a9b"/> <cybox:Observable idref="mandiant:observable-92f27bf2-cb73-4afb-b6bc-aeb93af236f0"/> <cybox:Observable idref="mandiant:observable-fc847913-f158-46a4-add6-d0aed12df4e9"/> <cybox:Observable idref="mandiant:observable-82513330-ebdd-470d-b685-8ce6bb1d0e40"/> <cybox:Observable idref="mandiant:observable-4933aae2-b99b-41b4-b654-0238c60a6570"/> <cybox:Observable idref="mandiant:observable-571eceed-e749-47c9-816d-34514ae8f5ce"/> <cybox:Observable idref="mandiant:observable-731a7370-2ef4-47ec-b6cb-0411aebc569a"/> <cybox:Observable idref="mandiant:observable-11d72f66-8aad-4b9c-b89e-51294de134fa"/> <cybox:Observable idref="mandiant:observable-890885aa-18c6-4b74-b0c7-a0bd1a3fbe53"/> <cybox:Observable idref="mandiant:observable-6eb51a17-ac61-43b4-b143-702960315b01"/> <cybox:Observable 
idref="mandiant:observable-f0acb752-f234-49da-856b-c4487188f8d5"/> <cybox:Observable idref="mandiant:observable-cb922a65-89da-40a4-af9a-db39ba0d5583"/> <cybox:Observable idref="mandiant:observable-1cf863d3-59e1-437c-b7ad-dd88da1aff34"/> <cybox:Observable idref="mandiant:observable-b7bc323b-eeb8-4da1-ad82-0bbd909840c2"/> <cybox:Observable idref="mandiant:observable-e1cf1ca2-3b82-4499-a464-27d411fba154"/> <cybox:Observable idref="mandiant:observable-10cdbd63-b615-43ba-906f-3ff38e20f666"/> <cybox:Observable idref="mandiant:observable-289a5c12-ab3d-4d16-a4e2-7f86a170dc70"/> <cybox:Observable idref="mandiant:observable-197c995d-798b-4c39-ac93-8a709c27fae0"/> <cybox:Observable idref="mandiant:observable-634443c8-e62a-4ab1-9508-5ad706983db4"/> <cybox:Observable idref="mandiant:observable-0f45ef31-8176-4181-842d-b44e0f860613"/> <cybox:Observable idref="mandiant:observable-7e925178-0290-4676-b6ea-5c968af2989f"/> <cybox:Observable idref="mandiant:observable-03019da0-4e35-44a9-8bf6-c0134cce58e5"/> <cybox:Observable id="mandiant:observable-81cd696e-3759-4e2e-9092-d61044ecf466"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-4da387cf-0346-46ee-8567-459e3a2b450a"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-46df33f3-bff7-48b2-9545-9dea89b2b94f"/> <cybox:Observable idref="mandiant:observable-e8870f2d-6496-48ea-b50c-14d2f2791c2c"/> <cybox:Observable idref="mandiant:observable-13c7ff58-1d87-4898-96a0-98ad886763e2"/> <cybox:Observable idref="mandiant:observable-77dcc436-2e07-47c7-ae81-7fb7cf50a00a"/> <cybox:Observable idref="mandiant:observable-3eff6eba-23e3-4a00-bdac-87d1992d58fb"/> <cybox:Observable idref="mandiant:observable-ff53cd17-3267-44fe-af63-ae0859a26161"/> <cybox:Observable idref="mandiant:observable-bc60be82-0891-46be-8dd4-1f2447464e33"/> <cybox:Observable idref="mandiant:observable-da0cc592-b519-47c3-90fd-a9b9dd694e3c"/> <cybox:Observable 
idref="mandiant:observable-67c82cfd-e7a3-42dc-87ae-6a626509473e"/> <cybox:Observable idref="mandiant:observable-b1a94d3c-71a2-4cd3-bf7c-fbd146f3ec75"/> <cybox:Observable idref="mandiant:observable-f810aca4-4035-4630-9b91-f9a2b08b5d49"/> <cybox:Observable idref="mandiant:observable-d3234aca-7aa1-477b-a767-873e569d15f0"/> <cybox:Observable idref="mandiant:observable-9c596030-7a74-4293-8513-e7bcb9bc2138"/> <cybox:Observable idref="mandiant:observable-c4ed36db-92b3-4c62-af77-925e69929e5d"/> <cybox:Observable idref="mandiant:observable-4669a304-91b2-4882-b79a-4e3e54fdf162"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-9a48b472-977c-4731-bc28-aaf8abe99c4e"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-55dc3ac8-da7c-4158-91c1-1b1b6f02269c"/> <cybox:Observable idref="mandiant:observable-c18bf4e6-71c9-4a60-9e8c-c896582d65fd"/> <cybox:Observable idref="mandiant:observable-d124c4c2-a338-48b3-b7c7-9eb1987f4f21"/> <cybox:Observable idref="mandiant:observable-a98a90bc-e817-4985-ba97-1a18a4aa1790"/> <cybox:Observable idref="mandiant:observable-aca8b54d-9576-414f-994b-2440455093b4"/> <cybox:Observable idref="mandiant:observable-dc662c94-c50f-44ba-99c4-a0b4f4df4d73"/> <cybox:Observable idref="mandiant:observable-08060761-ace3-47c9-b091-1f41a8d335a2"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-a78754e0-1986-442c-b159-a45b379f1b93"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-960e594f-6f05-44c7-85b5-eaa2c696f419"/> <cybox:Observable idref="mandiant:observable-5182a2da-a3ed-4dae-aebb-aabe3dad350d"/> <cybox:Observable idref="mandiant:observable-6f191ca4-9764-4b9a-ac98-091565e1d76e"/> <cybox:Observable idref="mandiant:observable-5f7bc992-2cb5-4de3-8f83-090e6dba53e7"/> <cybox:Observable idref="mandiant:observable-40b37830-e5a6-4c7d-98c7-952c9b25d4ce"/> <cybox:Observable 
idref="mandiant:observable-8fac18cc-a583-4c19-af3c-277390909c1d"/> <cybox:Observable idref="mandiant:observable-1014039c-105b-4461-a51e-6836ecbc1d1d"/> <cybox:Observable idref="mandiant:observable-f2f4573e-7377-4252-88da-7539aacb674f"/> <cybox:Observable idref="mandiant:observable-303c96ec-01ef-4f0c-9c62-335ae16c879a"/> <cybox:Observable idref="mandiant:observable-a8f5799b-1b35-4125-802b-e052a5a23605"/> <cybox:Observable idref="mandiant:observable-5e94b2ae-a2bc-4df8-b42d-af92b62a4636"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-8056c6e7-a12b-4e11-9abf-e86e7beb750f"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-7be68113-1abe-4400-96a7-1975c65afa51"/> <cybox:Observable idref="mandiant:observable-f6cbabdb-f0d4-4a5d-9108-a05ffd2063eb"/> <cybox:Observable id="mandiant:observable-7d8cae57-24b9-42f3-803d-444c67d616f7"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-40d193f4-f81c-4284-b5b7-16fcdcaf11ed"/> <cybox:Observable idref="mandiant:observable-467aa9b4-db05-4af3-8845-6ec7a77edf55"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-a513eeb4-3aef-4550-80ad-47452f11037f"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-8c74d0c8-4c0a-4ca1-b32e-b5fb7e1f9dff"/> <cybox:Observable idref="mandiant:observable-573e75c3-d30c-4c7e-9eb6-2413e7dae467"/> <cybox:Observable idref="mandiant:observable-6490093a-f01f-46ec-966f-2a253086df2d"/> <cybox:Observable idref="mandiant:observable-8e855941-0540-4666-91c5-cc00f590ef8f"/> <cybox:Observable idref="mandiant:observable-ac9d0ce4-ae62-4bff-8e3e-51700dbd06db"/> <cybox:Observable idref="mandiant:observable-151c88cd-5f32-4907-95e7-634e59e33c2b"/> <cybox:Observable 
idref="mandiant:observable-cc5d6946-59c1-4051-b4bc-9a75a97b8ed3"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <!-- References WEBC2 TTP rather than main APT1 TTP --> <stixCommon:TTP idref="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="547e4128-9dff-45d9-b90f-081ce3966dee" last-modified="2013-02-10T13:00:00"> <short_description>WEBC2-CSON (FAMILY)</short_description> <description>A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family of malware act only as downloaders and droppers for other malware. They communicate with a hard-coded C2 server, reading commands embedded in HTML comment fields. 
Some variants are executables which act upon execution, others are DLLs which can be attached to services or loaded through search order hijacking.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">WEBC2-CSON</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Downloader</link> </links> <definition> <Indicator operator="OR" id="f799cdd4-57ae-40e9-8ee6-bcacc3f39430"> <IndicatorItem id="99b0c203-fbaf-4183-ae63-48d0c03a7a81" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a38a367d6696ba90b2e778a5a4bf98fd</Content> </IndicatorItem> <IndicatorItem id="b72e9e6f-f135-44cd-8e38-60ffd2000af7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4a2320b41a5216c741bf63fce562961a</Content> </IndicatorItem> <IndicatorItem id="e51dac46-9e38-40cd-bd9e-cf9389335a9b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5537bdce991797198a9ff97ff1492f90</Content> </IndicatorItem> <IndicatorItem id="92f27bf2-cb73-4afb-b6bc-aeb93af236f0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0115338e11f85d7a2226933712acaae8</Content> </IndicatorItem> <IndicatorItem id="fc847913-f158-46a4-add6-d0aed12df4e9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">277964807a66aeeb6bd81dbfcaa3e4e6</Content> </IndicatorItem> <IndicatorItem id="82513330-ebdd-470d-b685-8ce6bb1d0e40" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f802b6e448c054c9c16b97ff85646825</Content> </IndicatorItem> <IndicatorItem id="4933aae2-b99b-41b4-b654-0238c60a6570" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">7d3140bd028f70f1fa865364b69c5999</Content> </IndicatorItem> <IndicatorItem id="571eceed-e749-47c9-816d-34514ae8f5ce" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">18316e6ebb356a66c8ff51e73c1bcc8a</Content> </IndicatorItem> <IndicatorItem id="731a7370-2ef4-47ec-b6cb-0411aebc569a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">91dc97c4b66e3282e1aa831e0bb0bb14</Content> </IndicatorItem> <IndicatorItem id="11d72f66-8aad-4b9c-b89e-51294de134fa" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">53600687ec97c297f03b4f0f4710d0c5</Content> </IndicatorItem> <IndicatorItem id="890885aa-18c6-4b74-b0c7-a0bd1a3fbe53" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4192479b055b2b21cb7e6c803b765d34</Content> </IndicatorItem> <IndicatorItem id="6eb51a17-ac61-43b4-b143-702960315b01" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">51ce169debea41314f591290839fd55f</Content> </IndicatorItem> <IndicatorItem id="f0acb752-f234-49da-856b-c4487188f8d5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">50f35b7c86aede891a72fcb85f06b0b7</Content> </IndicatorItem> <IndicatorItem id="cb922a65-89da-40a4-af9a-db39ba0d5583" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">575836ebb1b8849f04e994e9160370e4</Content> </IndicatorItem> <IndicatorItem id="1cf863d3-59e1-437c-b7ad-dd88da1aff34" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">73d125f84503bd87f8142cf2ba8ab05e</Content> </IndicatorItem> <IndicatorItem id="b7bc323b-eeb8-4da1-ad82-0bbd909840c2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">d22863c5e6f098a4b52688b021beef0a</Content> </IndicatorItem> <IndicatorItem id="e1cf1ca2-3b82-4499-a464-27d411fba154" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3ea7bf3b469499f0f6d4a78af865138f</Content> </IndicatorItem> <IndicatorItem id="10cdbd63-b615-43ba-906f-3ff38e20f666" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2d57aa4e7f2f4088f1b96313b24c7602</Content> </IndicatorItem> <IndicatorItem id="289a5c12-ab3d-4d16-a4e2-7f86a170dc70" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d6a01b61f490488d61dfb9376186d844</Content> </IndicatorItem> <IndicatorItem id="197c995d-798b-4c39-ac93-8a709c27fae0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b1ee00cec6c2318fa86f320dd7fc99a8</Content> </IndicatorItem> <IndicatorItem id="634443c8-e62a-4ab1-9508-5ad706983db4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6ca59c9c4165796e08ba6ca3eeffdee6</Content> </IndicatorItem> <IndicatorItem id="0f45ef31-8176-4181-842d-b44e0f860613" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">66c287675cd4c7172590f71181e723a8</Content> </IndicatorItem> <IndicatorItem id="7e925178-0290-4676-b6ea-5c968af2989f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f1e5d9bf7705b4dc5be0b8a90b73a863</Content> </IndicatorItem> <IndicatorItem id="03019da0-4e35-44a9-8bf6-c0134cce58e5" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">\WINDOWS\ntshrui.dll</Content> <Comment>the variant with ntshrui.dll attempts to load before the real ntshrui.dll through search order hijacking, and placing itself in the \WINDOWS dir vs. 
\WINDOWS\SYSTEM32</Comment> </IndicatorItem> <!-- Y29ubmVjdA== is the Base64 encoding of the ASCII text "connect". This StringList item has no matching idref in the CybOX Observable_Composition of the same WEBC2-CSON indicator, so a consumer that evaluates only the CybOX observables will not test for it; the OpenIOC definition is the complete one. --> <IndicatorItem id="f5359852-097e-4247-8723-df6bf72d9ecc" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">Y29ubmVjdA==</Content> <Comment>an encoding string seen in about a third of the samples of this family (and in other APT1 families of malware)</Comment> </IndicatorItem> <Indicator operator="AND" id="81cd696e-3759-4e2e-9092-d61044ecf466"> <Indicator operator="OR" id="4da387cf-0346-46ee-8567-459e3a2b450a"> <IndicatorItem id="46df33f3-bff7-48b2-9545-9dea89b2b94f" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">update.exe</Content> </IndicatorItem> <IndicatorItem id="e8870f2d-6496-48ea-b50c-14d2f2791c2c" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">AcroRd32.exe</Content> </IndicatorItem> <IndicatorItem id="13c7ff58-1d87-4898-96a0-98ad886763e2" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">svchost.exe</Content> </IndicatorItem> <IndicatorItem id="77dcc436-2e07-47c7-ae81-7fb7cf50a00a" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">nwsapagent.dll</Content> </IndicatorItem> <IndicatorItem id="3eff6eba-23e3-4a00-bdac-87d1992d58fb" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">update.exe</Content> </IndicatorItem> <IndicatorItem id="ff53cd17-3267-44fe-af63-ae0859a26161" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">regsvr.exe</Content> </IndicatorItem> <IndicatorItem id="bc60be82-0891-46be-8dd4-1f2447464e33" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">cmd.exe</Content> </IndicatorItem> <IndicatorItem 
id="da0cc592-b519-47c3-90fd-a9b9dd694e3c" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">ntshrui.dll</Content> </IndicatorItem> <IndicatorItem id="67c82cfd-e7a3-42dc-87ae-6a626509473e" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">ipripp.dll</Content> </IndicatorItem> <IndicatorItem id="b1a94d3c-71a2-4cd3-bf7c-fbd146f3ec75" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">web.exe</Content> </IndicatorItem> <IndicatorItem id="f810aca4-4035-4630-9b91-f9a2b08b5d49" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">dataaa.exe</Content> </IndicatorItem> <IndicatorItem id="d3234aca-7aa1-477b-a767-873e569d15f0" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">dc120.exe</Content> </IndicatorItem> <IndicatorItem id="9c596030-7a74-4293-8513-e7bcb9bc2138" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">udaterui.exe</Content> </IndicatorItem> <IndicatorItem id="c4ed36db-92b3-4c62-af77-925e69929e5d" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">firefox.exe</Content> </IndicatorItem> <!-- NOTE(review): the checksum_is_zero item below is a member of the file-name OR group (4da387cf-0346-46ee-8567-459e3a2b450a), so that group is satisfied by any PE with a zero checksum regardless of its file name, and the enclosing AND then rests on file size and PE timestamp. The WARP and COMBOS definitions in this file place checksum_is_zero directly under the AND instead. Confirm which placement was intended before treating the file-name list as a constraint; it includes names that are common on clean systems (svchost.exe, cmd.exe, firefox.exe). --> <IndicatorItem id="4669a304-91b2-4882-b79a-4e3e54fdf162" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="9a48b472-977c-4731-bc28-aaf8abe99c4e"> <IndicatorItem id="55dc3ac8-da7c-4158-91c1-1b1b6f02269c" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">10240</Content> </IndicatorItem> <IndicatorItem 
id="c18bf4e6-71c9-4a60-9e8c-c896582d65fd" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">24064</Content> </IndicatorItem> <IndicatorItem id="d124c4c2-a338-48b3-b7c7-9eb1987f4f21" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">33280</Content> </IndicatorItem> <IndicatorItem id="a98a90bc-e817-4985-ba97-1a18a4aa1790" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">55808</Content> </IndicatorItem> <IndicatorItem id="aca8b54d-9576-414f-994b-2440455093b4" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">66048</Content> </IndicatorItem> <IndicatorItem id="dc662c94-c50f-44ba-99c4-a0b4f4df4d73" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">83456</Content> </IndicatorItem> <IndicatorItem id="08060761-ace3-47c9-b091-1f41a8d335a2" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">9728</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="a78754e0-1986-442c-b159-a45b379f1b93"> <IndicatorItem id="960e594f-6f05-44c7-85b5-eaa2c696f419" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-12-02T08:05:26Z</Content> </IndicatorItem> <IndicatorItem id="5182a2da-a3ed-4dae-aebb-aabe3dad350d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-12-03T03:07:18Z</Content> </IndicatorItem> <IndicatorItem id="6f191ca4-9764-4b9a-ac98-091565e1d76e" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-12-22T08:02:25Z</Content> </IndicatorItem> <IndicatorItem id="5f7bc992-2cb5-4de3-8f83-090e6dba53e7" condition="is"> <Context 
document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-03-07T09:42:59Z</Content> </IndicatorItem> <IndicatorItem id="40b37830-e5a6-4c7d-98c7-952c9b25d4ce" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-03-23T14:34:10Z</Content> </IndicatorItem> <IndicatorItem id="8fac18cc-a583-4c19-af3c-277390909c1d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-03-23T14:36:19Z</Content> </IndicatorItem> <IndicatorItem id="1014039c-105b-4461-a51e-6836ecbc1d1d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-04-14T07:22:24Z</Content> </IndicatorItem> <IndicatorItem id="f2f4573e-7377-4252-88da-7539aacb674f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-04-21T07:51:21Z</Content> </IndicatorItem> <IndicatorItem id="303c96ec-01ef-4f0c-9c62-335ae16c879a" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-09-20T03:40:51Z</Content> </IndicatorItem> <IndicatorItem id="a8f5799b-1b35-4125-802b-e052a5a23605" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-09-20T03:50:48Z</Content> </IndicatorItem> <IndicatorItem id="5e94b2ae-a2bc-4df8-b42d-af92b62a4636" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-10-27T09:35:26Z</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="8056c6e7-a12b-4e11-9abf-e86e7beb750f"> <IndicatorItem id="7be68113-1abe-4400-96a7-1975c65afa51" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/Type" type="mir"/> <Content type="string">dll</Content> <Comment>The dll variants of 
this malware family all appear to have this specific resource section</Comment> </IndicatorItem> <IndicatorItem id="f6cbabdb-f0d4-4a5d-9108-a05ffd2063eb" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Type" type="mir"/> <Content type="string">EXE</Content> </IndicatorItem> <Indicator operator="OR" id="7d8cae57-24b9-42f3-803d-444c67d616f7"> <IndicatorItem id="40d193f4-f81c-4284-b5b7-16fcdcaf11ed" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Name" type="mir"/> <Content type="string">111</Content> </IndicatorItem> <IndicatorItem id="467aa9b4-db05-4af3-8845-6ec7a77edf55" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/Language" type="mir"/> <Content type="string">Chinese (Simplified, PRC)</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="a513eeb4-3aef-4550-80ad-47452f11037f"> <IndicatorItem id="8c74d0c8-4c0a-4ca1-b32e-b5fb7e1f9dff" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">eventsystem.dll</Content> <Comment>describes a DLL used in the majority of DLLs instances of this family</Comment> </IndicatorItem> <IndicatorItem id="573e75c3-d30c-4c7e-9eb6-2413e7dae467" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">uninstallA</Content> </IndicatorItem> <IndicatorItem id="6490093a-f01f-46ec-966f-2a253086df2d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">installA</Content> </IndicatorItem> <IndicatorItem id="8e855941-0540-4666-91c5-cc00f590ef8f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">UninstallService</Content> </IndicatorItem> 
<IndicatorItem id="ac9d0ce4-ae62-4bff-8e3e-51700dbd06db" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">InstallService</Content> </IndicatorItem> <IndicatorItem id="151c88cd-5f32-4907-95e7-634e59e33c2b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">ServiceMain</Content> </IndicatorItem> <IndicatorItem id="cc5d6946-59c1-4051-b4bc-9a75a97b8ed3" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/NumberOfFunctions" type="mir"/> <Content type="int">5</Content> </IndicatorItem> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-c8a6f10c-3540-45a0-a94b-c367374770a7"> <indicator:Title>COMBOS (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> The COMBOS malware family is an HTTP based backdoor. The backdoor is capable of file upload, file download, spawning an interactive reverse shell, and terminating its own process. The backdoor may decrypt stored Internet Explorer credentials from the local system and transmit the credentials to the C2 server. The COMBOS malware family does not have any persistence mechanisms built into itself. 
</indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-05197a99-e93b-4191-88a5-dec580e4a4da"/> <cybox:Observable idref="mandiant:observable-c1ac9cfc-add0-45f7-a05a-4af054cab8df"/> <cybox:Observable idref="mandiant:observable-5cfa6e43-e731-4af2-8c92-1152ba528385"/> <cybox:Observable idref="mandiant:observable-8a6328bf-7339-46ef-9f03-c4c9986717a9"/> <cybox:Observable idref="mandiant:observable-79dbd05c-02f6-461e-9354-b4da65c9ac84"/> <cybox:Observable idref="mandiant:observable-120aca89-0a54-48fb-9f61-9b27ea3127d0"/> <cybox:Observable id="mandiant:observable-afe544a8-e238-419e-bb04-f060405e57ac"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-36571da0-b86e-4a08-a614-1a209e1476f6"/> <cybox:Observable id="mandiant:observable-558b9ee5-6b0c-4040-8516-8ecd31a3428f"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-624e54dd-f951-44b0-a32d-0f34ec8f5c11"/> <cybox:Observable idref="mandiant:observable-09d87a2c-aaee-4208-9493-aa8d1b966aac"/> <cybox:Observable idref="mandiant:observable-1ee8d615-fa0e-4cd2-a197-b71a1c73811e"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-5962dbed-e8b1-4548-8056-e9f77fdcdca0"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-202bfd6a-5e2a-4282-8615-85cbb1c5e5ca"/> <cybox:Observable idref="mandiant:observable-cf4e1837-80f8-4340-a039-6112da073620"/> <cybox:Observable idref="mandiant:observable-d25ef297-186c-47aa-b8c0-08e28c0ed654"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-366d3835-9d5f-4728-98fb-ad8283baaa1f"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-6d6aeacd-647c-4b2f-8be6-b1f4480c5c39"/> <cybox:Observable idref="mandiant:observable-b2cc3245-40de-4429-8269-de0139d36ace"/> <cybox:Observable 
idref="mandiant:observable-f543db81-7f74-4dff-a9de-dfa1cc476800"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-f518debb-e6b5-4d2b-9f7a-b018666a4bc8"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-82d54287-8843-4d88-89a0-f561287a5568"/> <cybox:Observable idref="mandiant:observable-b5a890ba-533a-4224-844d-ed32e3daa346"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-8fa212be-4fa4-4674-bc3f-c8e8b511a2d3"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-21b92127-f165-4bfb-b8e3-63dbf7c1b7e5"/> <cybox:Observable idref="mandiant:observable-9867293c-7dc3-4c9a-8591-7dd9e2674891"/> <cybox:Observable idref="mandiant:observable-383adf55-e7d7-4a7a-9699-ae54e6598cb9"/> <cybox:Observable idref="mandiant:observable-08062389-ed83-4d0b-aacd-561f7c3fb174"/> <cybox:Observable idref="mandiant:observable-14000699-c2ad-4c6b-b094-259cd9efcbc4"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="56468547-6cf5-4c66-af56-2543d4271482" last-modified="2013-02-10T13:00:00"> <short_description>COMBOS (FAMILY)</short_description> <description>The COMBOS malware family is an HTTP based backdoor. The backdoor is capable of file upload, file download, spawning an interactive reverse shell, and terminating its own process. The backdoor may decrypt stored Internet Explorer credentials from the local system and transmit the credentials to the C2 server. 
The COMBOS malware family does not have any persistence mechanisms built into itself.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="category">Backdoor</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="family">COMBOS</link> </links> <definition> <Indicator operator="OR" id="c8a6f10c-3540-45a0-a94b-c367374770a7"> <IndicatorItem id="05197a99-e93b-4191-88a5-dec580e4a4da" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1e3719bbf854417384a3768e4326584b</Content> </IndicatorItem> <IndicatorItem id="c1ac9cfc-add0-45f7-a05a-4af054cab8df" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">79378e59e6a87b50b1e4e9b3db0e2a02</Content> </IndicatorItem> <IndicatorItem id="5cfa6e43-e731-4af2-8c92-1152ba528385" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fa14d823a5d1854131db0dc9eef27022</Content> </IndicatorItem> <IndicatorItem id="8a6328bf-7339-46ef-9f03-c4c9986717a9" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">mypw.dll</Content> </IndicatorItem> <!-- The StringList item below has no matching idref in the CybOX Observable_Composition of the same COMBOS indicator, so a consumer that evaluates only the CybOX observables will not test for it; the OpenIOC definition is the complete one. --> <IndicatorItem id="e90c9230-2ede-4b5e-a4ea-0f4715ea7743" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">Mode must be 0(encrypt) or 1(decrypt).</Content> </IndicatorItem> <IndicatorItem id="79dbd05c-02f6-461e-9354-b4da65c9ac84" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Name" type="mir"/> <Content type="string">IDR_DATA0</Content> </IndicatorItem> <IndicatorItem id="120aca89-0a54-48fb-9f61-9b27ea3127d0" condition="contains"> <Context document="ServiceItem" search="ServiceItem/serviceDLL" type="mir"/> <Content type="string">.det</Content> </IndicatorItem> <Indicator 
operator="AND" id="afe544a8-e238-419e-bb04-f060405e57ac"> <IndicatorItem id="36571da0-b86e-4a08-a614-1a209e1476f6" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> <Indicator operator="OR" id="558b9ee5-6b0c-4040-8516-8ecd31a3428f"> <IndicatorItem id="624e54dd-f951-44b0-a32d-0f34ec8f5c11" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">wmdmpmsnex.dll</Content> </IndicatorItem> <IndicatorItem id="09d87a2c-aaee-4208-9493-aa8d1b966aac" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">tapisrvex.dat</Content> </IndicatorItem> <IndicatorItem id="1ee8d615-fa0e-4cd2-a197-b71a1c73811e" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">contains_eof_data</Content> <Comment>PE Header Anomaly identified in 67% samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="5962dbed-e8b1-4548-8056-e9f77fdcdca0"> <IndicatorItem id="202bfd6a-5e2a-4282-8615-85cbb1c5e5ca" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">35338</Content> </IndicatorItem> <IndicatorItem id="cf4e1837-80f8-4340-a039-6112da073620" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">77824</Content> </IndicatorItem> <IndicatorItem id="d25ef297-186c-47aa-b8c0-08e28c0ed654" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">90122</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="366d3835-9d5f-4728-98fb-ad8283baaa1f"> <IndicatorItem id="6d6aeacd-647c-4b2f-8be6-b1f4480c5c39" condition="is"> <Context document="FileItem" 
search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-02-24T12:42:37Z</Content> </IndicatorItem> <IndicatorItem id="b2cc3245-40de-4429-8269-de0139d36ace" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-10-21T09:06:01Z</Content> </IndicatorItem> <IndicatorItem id="f543db81-7f74-4dff-a9de-dfa1cc476800" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-04-09T02:03:14Z</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="f518debb-e6b5-4d2b-9f7a-b018666a4bc8"> <IndicatorItem id="82d54287-8843-4d88-89a0-f561287a5568" condition="is"> <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/> <Content type="string">deYT$6#</Content> </IndicatorItem> <IndicatorItem id="b5a890ba-533a-4224-844d-ed32e3daa346" condition="contains"> <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Type" type="mir"/> <Content type="string">Event</Content> </IndicatorItem> </Indicator> <Indicator operator="AND" id="8fa212be-4fa4-4674-bc3f-c8e8b511a2d3"> <IndicatorItem id="21b92127-f165-4bfb-b8e3-63dbf7c1b7e5" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> </IndicatorItem> <IndicatorItem id="9867293c-7dc3-4c9a-8591-7dd9e2674891" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/NumberOfFunctions" type="mir"/> <Content type="int">1</Content> </IndicatorItem> <IndicatorItem id="383adf55-e7d7-4a7a-9699-ae54e6598cb9" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">ServiceMain</Content> </IndicatorItem> <IndicatorItem id="08062389-ed83-4d0b-aacd-561f7c3fb174" condition="isnot"> <Context document="FileItem" 
search="FileItem/PEInfo/DigitalSignature/SignatureVerified" type="mir"/> <Content type="string">false</Content> </IndicatorItem> <IndicatorItem id="14000699-c2ad-4c6b-b094-259cd9efcbc4" condition="isnot"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ec1e62ef73d844c6c845acdd4c1f9ce7</Content> <Comment>PCHSVC.DLL From MSDN</Comment> </IndicatorItem> <!-- This AND group is a structural heuristic (zero PE checksum, exactly one export named ServiceMain) narrowed by two isnot items: SignatureVerified isnot "false" and an Md5sum exclusion whose Comment names PCHSVC.DLL. NOTE(review): how isnot evaluates when the signature field is absent depends on the consuming tool; confirm that behaviour before relying on this group. The MD5 exclusion excludes exactly one file hash, so other builds of the same file would still match. --> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-62355460-b3c7-4135-bfc8-c6c351391786"> <indicator:Title>WEBC2-QBP (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <!-- NOTE(review): the two marker strings quoted in the description below look incomplete; presumably the HTML comment delimiters around the 2010QBP markers were lost when this text was extracted. Confirm the exact markers against the APT1 report before building a content signature from this description. --> <indicator:Description> The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-QBP variant will search for two strings in a HTML comment. The first will be "2010QBP " followed by " 2010QBP//--". Inside these tags will be a DES-encrypted string. 
</indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-6838ff51-0d06-4f6c-b1dd-bf99be6424cc"/> <cybox:Observable idref="mandiant:observable-42ec0996-d428-45e5-842d-b4a4c90ec92b"/> <cybox:Observable idref="mandiant:observable-43782ed2-aa44-4562-8bbb-894ac7754ffb"/> <cybox:Observable idref="mandiant:observable-e76c8a58-5483-4882-b462-ef68dbfa7717"/> <cybox:Observable idref="mandiant:observable-4f65e1f7-1c23-4f52-ac70-82a9f053a547"/> <cybox:Observable idref="mandiant:observable-a700c1db-1286-4db8-afe4-35bec86f7e81"/> <cybox:Observable idref="mandiant:observable-43e387ab-bc3c-401f-8738-17ee4fa5a15e"/> <cybox:Observable idref="mandiant:observable-5edd238d-f621-40c9-9475-89158f136bfe"/> <cybox:Observable idref="mandiant:observable-fb2b2f26-40d9-4062-b8e5-5baed8987804"/> <cybox:Observable idref="mandiant:observable-3af8775b-f6a0-4de0-aba7-d263e9f0474e"/> <cybox:Observable id="mandiant:observable-e6335af9-92ba-4fec-a18f-8a6cbf04a97d"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-9ae9e9c9-8033-466c-b037-364b5e83b40e"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-a3d25601-5606-4624-8c24-cfec2e18cd80"/> <cybox:Observable idref="mandiant:observable-d67fecea-ecc6-4c8e-9a7f-583c32567205"/> <cybox:Observable idref="mandiant:observable-22c8d8e5-9351-4dcc-a233-e4e5818b71c9"/> <cybox:Observable idref="mandiant:observable-53921f8f-35d1-4e6b-a057-ce73f4f00b8d"/> <cybox:Observable idref="mandiant:observable-cd16bfab-3bb5-400e-a9aa-d1a17338092a"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-4854f05a-7d92-4618-9f9c-17d9a78b1a6a"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-15b4eea7-c8eb-4322-8eef-75b2078392e6"/> <cybox:Observable idref="mandiant:observable-8e3c32af-c36e-4acb-b7a5-12b091950192"/> <cybox:Observable 
idref="mandiant:observable-c686e148-69ad-4f99-a6c3-0d36fa6b1e96"/> <cybox:Observable idref="mandiant:observable-b5004160-228e-4105-a695-1a9627476a0a"/> <cybox:Observable idref="mandiant:observable-191e83a8-0cdd-4052-a395-1cc4b3547443"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-efc388c2-d151-4d1b-9d72-a2d73690e2d1"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-8ec427c1-fa53-402e-afd9-80ab8703c845"/> <cybox:Observable idref="mandiant:observable-7a0b2648-bcf0-4ab5-a9fa-9616f684e6c7"/> <cybox:Observable idref="mandiant:observable-99dcaf40-1bb0-4883-8fab-e5ecdd8607ac"/> <cybox:Observable idref="mandiant:observable-07c5761b-2e96-415e-91d8-44fe06ac927a"/> <cybox:Observable idref="mandiant:observable-85d1a437-5e83-4906-b965-354ed4924dc3"/> <cybox:Observable idref="mandiant:observable-acf8afc7-e008-4cda-9c7e-b7446d5901ee"/> <cybox:Observable idref="mandiant:observable-d0771524-73a5-48c8-b8aa-e534cae6ab90"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-cc0811ce-4a2a-448f-85ad-7ad1d709601d"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-eaad70db-8b22-4e33-a569-d8967be53442"/> <cybox:Observable idref="mandiant:observable-e1030839-4d91-4fb5-8d1a-55aa85bb5425"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <!-- References WEBC2 TTP rather than main APT1 TTP --> <stixCommon:TTP idref="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="6091c4ce-6d73-4202-a7a8-b52406fa4d77" last-modified="2013-02-10T13:00:00"> <short_description>WEBC2-QBP 
(FAMILY)</short_description> <description>The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-QBP variant will search for two strings in a HTML comment. The first will be "2010QBP " followed by " 2010QBP//--". Inside these tags will be a DES-encrypted string. </description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="category">Backdoor</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="family">WEBC2-QBP</link> </links> <definition> <Indicator operator="OR" id="62355460-b3c7-4135-bfc8-c6c351391786"> <IndicatorItem id="6838ff51-0d06-4f6c-b1dd-bf99be6424cc" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">68e5bff12ac33ecb98977afed51ebad0</Content> </IndicatorItem> <IndicatorItem id="42ec0996-d428-45e5-842d-b4a4c90ec92b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">929802a27737cebc59d19da724fdf30a</Content> </IndicatorItem> <IndicatorItem id="43782ed2-aa44-4562-8bbb-894ac7754ffb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b9b3673a721578b230490f7dfc6df21e</Content> </IndicatorItem> <IndicatorItem id="e76c8a58-5483-4882-b462-ef68dbfa7717" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cf9c2d5a8fbdd1c5adc20cfc5e663c21</Content> </IndicatorItem> <IndicatorItem id="4f65e1f7-1c23-4f52-ac70-82a9f053a547" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c04c796ef126ad7429be7d55720fe392</Content> </IndicatorItem> <IndicatorItem id="a700c1db-1286-4db8-afe4-35bec86f7e81" condition="is"> <Context document="FileItem" 
search="FileItem/Md5sum" type="mir"/> <Content type="md5">6b6c4c0e2959df248be90d89899953a9</Content> </IndicatorItem> <IndicatorItem id="43e387ab-bc3c-401f-8738-17ee4fa5a15e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5ae0efccce47ea16bcc61e4003c1c57f</Content> </IndicatorItem> <IndicatorItem id="5edd238d-f621-40c9-9475-89158f136bfe" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">\Temp\~df~</Content> </IndicatorItem> <IndicatorItem id="fb2b2f26-40d9-4062-b8e5-5baed8987804" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">\start menu\programs\startup\adobe_sl.exe</Content> </IndicatorItem> <IndicatorItem id="3af8775b-f6a0-4de0-aba7-d263e9f0474e" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">\Temp\~hf~</Content> </IndicatorItem> <Indicator operator="AND" id="e6335af9-92ba-4fec-a18f-8a6cbf04a97d"> <Indicator operator="OR" id="9ae9e9c9-8033-466c-b037-364b5e83b40e"> <IndicatorItem id="a3d25601-5606-4624-8c24-cfec2e18cd80" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">adobe_sl.exe</Content> </IndicatorItem> <IndicatorItem id="d67fecea-ecc6-4c8e-9a7f-583c32567205" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">wuauclt.exe</Content> </IndicatorItem> <IndicatorItem id="22c8d8e5-9351-4dcc-a233-e4e5818b71c9" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">spending_cutting_plan .exe</Content> </IndicatorItem> <IndicatorItem id="53921f8f-35d1-4e6b-a057-ce73f4f00b8d" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">adobere.exe</Content> </IndicatorItem> <IndicatorItem 
id="cd16bfab-3bb5-400e-a9aa-d1a17338092a" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="4854f05a-7d92-4618-9f9c-17d9a78b1a6a"> <IndicatorItem id="15b4eea7-c8eb-4322-8eef-75b2078392e6" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">300032</Content> </IndicatorItem> <IndicatorItem id="8e3c32af-c36e-4acb-b7a5-12b091950192" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">301056</Content> </IndicatorItem> <IndicatorItem id="c686e148-69ad-4f99-a6c3-0d36fa6b1e96" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">304640</Content> </IndicatorItem> <IndicatorItem id="b5004160-228e-4105-a695-1a9627476a0a" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">305152</Content> </IndicatorItem> <IndicatorItem id="191e83a8-0cdd-4052-a395-1cc4b3547443" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">8704</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="efc388c2-d151-4d1b-9d72-a2d73690e2d1"> <IndicatorItem id="8ec427c1-fa53-402e-afd9-80ab8703c845" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-11-16T13:02:48Z</Content> </IndicatorItem> <IndicatorItem id="7a0b2648-bcf0-4ab5-a9fa-9616f684e6c7" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-08-20T12:56:12Z</Content> </IndicatorItem> <IndicatorItem id="99dcaf40-1bb0-4883-8fab-e5ecdd8607ac" condition="is"> <Context document="FileItem" 
search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-08-20T12:59:08Z</Content> </IndicatorItem> <IndicatorItem id="07c5761b-2e96-415e-91d8-44fe06ac927a" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-08-20T14:06:56Z</Content> </IndicatorItem> <IndicatorItem id="85d1a437-5e83-4906-b965-354ed4924dc3" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-08-24T14:13:12Z</Content> </IndicatorItem> <IndicatorItem id="acf8afc7-e008-4cda-9c7e-b7446d5901ee" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-10-16T09:32:33Z</Content> </IndicatorItem> <IndicatorItem id="d0771524-73a5-48c8-b8aa-e534cae6ab90" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-11-16T13:02:51Z</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="cc0811ce-4a2a-448f-85ad-7ad1d709601d"> <!-- Registry check: a path containing the Run\AutoUpdate string below AND registry text containing wuauclt.exe. NOTE(review): the path spells the key component "CurrrentVersion" (three r's), so as a contains match it will not hit the standard Windows Run key, which is spelled CurrentVersion. Confirm against the APT1 report whether this spelling comes from the samples or is a transcription error before correcting or duplicating the item. --> <IndicatorItem id="eaad70db-8b22-4e33-a569-d8967be53442" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">\Software\Microsoft\Windows\CurrrentVersion\Run\AutoUpdate</Content> </IndicatorItem> <IndicatorItem id="e1030839-4d91-4fb5-8d1a-55aa85bb5425" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">wuauclt.exe</Content> </IndicatorItem> </Indicator> <Indicator operator="AND" id="d2ba2c8f-6391-43e7-8ac3-1c062e825c9e"> <!-- NOTE(review): this file-string group has no counterpart in the indicator:Observable composition of the enclosing STIX Indicator, which references neither d2ba2c8f nor its items. A consumer that evaluates only the CybOX observables will not test these strings; evaluate this OpenIOC Test_Mechanism as well. --> <IndicatorItem id="ef23eeb6-2f05-4329-9ddd-df6905927e44" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">2010QBP</Content> </IndicatorItem> <IndicatorItem id="cb054d07-98f6-41fa-8b28-1a6fcc245198" condition="contains"> <Context document="FileItem" 
search="FileItem/StringList/string" type="mir"/> <Content type="string">H_ctitrIei</Content> </IndicatorItem> <IndicatorItem id="b8a09378-c489-45b1-9326-ba5efe16f2cf" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">LOeFlAL3.l</Content> </IndicatorItem> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-8dcc62d5-e91a-4cde-bc28-121d6f25a7d3"> <indicator:Title>MAPIGET (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Utility</indicator:Type> <indicator:Description> This malware utility is a set of two files that operate in conjunction to extract email messages and attachments from an Exchange server. In order to operate successfully, these programs require authentication credentials for a user on the Exchange server, and must be run from a machine joined to the domain that has Microsoft Outlook installed (or equivalent software that provides the Microsoft 'Messaging API' (MAPI) service). 
</indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-9ba41a9d-b15f-41ff-adf8-f66b6de632ce"/> <cybox:Observable idref="mandiant:observable-e5511631-bcd7-48ea-90e9-b57607379c15"/> <cybox:Observable id="mandiant:observable-94cc1d48-9385-477f-8e5b-36db6379107f"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-a72d2656-832d-472f-958f-53af8770f9d7"/> <cybox:Observable idref="mandiant:observable-321f6986-5f70-4f5a-a4f4-c230a3e5f6a3"/> <cybox:Observable idref="mandiant:observable-d8cd2cb3-8ac3-422f-a602-53e3e5f03603"/> <cybox:Observable id="mandiant:observable-f315fde3-27ae-4210-9a22-3b2b85fe2df4"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-c1199dd1-0a29-42aa-9575-f2f2d8152e3e"/> <cybox:Observable idref="mandiant:observable-427148fb-ede2-44b6-87f5-5ccecae64ea8"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-c0fc3348-b95e-4b78-b17e-8e07eb8986ad"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-08a890c5-8244-43a2-9cfd-8b5dfe8e2375"/> <cybox:Observable idref="mandiant:observable-5b7933a2-322b-4683-af99-fc2e3670affc"/> <cybox:Observable idref="mandiant:observable-0797d25a-bfbe-4b97-98ff-e010d22c3f50"/> <cybox:Observable idref="mandiant:observable-dbc4b449-35db-457f-b9ee-ffded2fd7839"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="61695156-298c-4d77-ad7f-48feb562fb75" last-modified="2013-02-10T13:00:00"> 
<short_description>MAPIGET (FAMILY)</short_description> <description>This malware utility is a set of two files that operate in conjunction to extract email messages and attachments from an Exchange server. In order to operate successfully, these programs require authentication credentials for a user on the Exchange server, and must be run from a machine joined to the domain that has Microsoft Outlook installed (or equivalent software that provides the Microsoft 'Messaging API' (MAPI) service).</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">MAPIGET</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Utility</link> </links> <definition> <Indicator operator="OR" id="8dcc62d5-e91a-4cde-bc28-121d6f25a7d3"> <IndicatorItem id="9ba41a9d-b15f-41ff-adf8-f66b6de632ce" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c627e595c9ec6dc2199447aeab59ac03</Content> <Comment>mapiget.exe</Comment> </IndicatorItem> <IndicatorItem id="e5511631-bcd7-48ea-90e9-b57607379c15" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f3c6c797ef80787e6cbeeaa77496a3cb</Content> <Comment>mapi.exe</Comment> </IndicatorItem> <Indicator operator="AND" id="94cc1d48-9385-477f-8e5b-36db6379107f"> <IndicatorItem id="a72d2656-832d-472f-958f-53af8770f9d7" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">227840</Content> </IndicatorItem> <IndicatorItem id="321f6986-5f70-4f5a-a4f4-c230a3e5f6a3" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2006-10-12T02:38:59Z</Content> </IndicatorItem> <IndicatorItem id="d8cd2cb3-8ac3-422f-a602-53e3e5f03603" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content 
type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> <Indicator operator="OR" id="f315fde3-27ae-4210-9a22-3b2b85fe2df4"> <IndicatorItem id="c1199dd1-0a29-42aa-9575-f2f2d8152e3e" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">m1.exe</Content> </IndicatorItem> <IndicatorItem id="427148fb-ede2-44b6-87f5-5ccecae64ea8" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">mapi.exe</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="c0fc3348-b95e-4b78-b17e-8e07eb8986ad"> <IndicatorItem id="08a890c5-8244-43a2-9cfd-8b5dfe8e2375" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">mapiget.exe</Content> </IndicatorItem> <IndicatorItem id="5b7933a2-322b-4683-af99-fc2e3670affc" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">62976</Content> </IndicatorItem> <IndicatorItem id="0797d25a-bfbe-4b97-98ff-e010d22c3f50" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2006-10-12T00:34:06Z</Content> </IndicatorItem> <IndicatorItem id="dbc4b449-35db-457f-b9ee-ffded2fd7839" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-1922d28b-6257-4f14-9988-00c906c1274f"> <indicator:Title>CALENDAR (FAMILY)</indicator:Title> <indicator:Type 
vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> This family of malware uses Google Calendar to retrieve commands and send results. It retrieves event feeds associated with Google Calendar, where each event contains commands from the attacker for the malware to perform. Results are posted back to the event feed. The malware authenticates with Google using the hard coded email address and passwords. The malware uses the deprecated ClientLogin authentication API from Google. The malware is registered as a service dll as a persistence mechanism. Artifacts of this may be found in the registry. </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-3fc7e909-fdbf-4f07-80c8-434d6871b063"/> <cybox:Observable idref="mandiant:observable-78e55482-13b7-4d7e-be88-8c791471e3c3"/> <cybox:Observable idref="mandiant:observable-ae170f81-a81d-487c-8b04-c07883528123"/> <cybox:Observable id="mandiant:observable-2a34f6c7-ea26-4b4e-b369-017f76f576a9"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-2d9481cf-e87f-4e09-9e22-9b035865e6ed"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-ac70add4-d1a8-4afd-a0d1-a853cc3b0621"/> <cybox:Observable idref="mandiant:observable-e20bf836-d1cc-4bc5-809d-56fae5cc3750"/> <cybox:Observable idref="mandiant:observable-f519fe0d-64a8-4e78-b7ce-b61e21d8e142"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-ab5915ea-a124-4549-b0d2-64d1bb174555"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-408e3371-1e28-4c70-ae9e-22346bff725d"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-a5fd6966-5764-4006-bf9a-ff3c7840a7c4"> <cybox:Observable_Composition operator="OR"> <cybox:Observable 
idref="mandiant:observable-6680c8c8-94b8-4726-b044-276122132188"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-07ccee9e-57b5-4d9e-993d-4a07d847a083"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-3a43b6c8-25ec-40c6-a371-527dc3f09157"/> <cybox:Observable idref="mandiant:observable-7d448a24-25a1-481a-85bc-a31f68d1f541"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-5c95001f-5486-48f3-a414-64afa27bb840"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-3601a1b3-1400-4eb3-84f4-2fab1cecd8f9"/> <cybox:Observable idref="mandiant:observable-37bb84d7-4b82-4d1a-9d0c-14870b79f506"/> <cybox:Observable idref="mandiant:observable-16eee0ce-73c8-4a63-a534-5b06963450ad"/> <cybox:Observable idref="mandiant:observable-b3f26321-571e-421e-862f-d418e19bafa8"/> <cybox:Observable idref="mandiant:observable-a1adc445-7f63-4f5d-8b07-06e550d8ddeb"/> <cybox:Observable idref="mandiant:observable-2d25335e-80b3-4b05-bf29-cd4051d2d9ce"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-f5887104-d40d-40d1-b9e9-3bb502082040"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-0299307f-b6d6-4e33-90c8-640699ab078b"/> <cybox:Observable idref="mandiant:observable-63f8cb7f-2bb6-41a0-a20e-cb65b7df03e3"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="6bd24113-2922-4d25-b490-f727f47ba948" last-modified="2013-02-10T13:00:00"> 
<short_description>CALENDAR (FAMILY)</short_description> <description>This family of malware uses Google Calendar to retrieve commands and send results. It retrieves event feeds associated with Google Calendar, where each event contains commands from the attacker for the malware to perform. Results are posted back to the event feed. The malware authenticates with Google using the hard coded email address and passwords. The malware uses the deprecated ClientLogin authentication API from Google. The malware is registered as a service dll as a persistence mechanism. Artifacts of this may be found in the registry.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">CALENDAR</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Backdoor</link> </links> <definition> <Indicator operator="OR" id="1922d28b-6257-4f14-9988-00c906c1274f"> <!-- Top-level OR: any one child item or group is enough to match. The three Md5sum items that follow match only files with exactly those hashes; the AND groups further down cover file, process-handle and registry attributes. --> <IndicatorItem id="3fc7e909-fdbf-4f07-80c8-434d6871b063" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cf37875adf10fb56c7c6edf86f2b3438</Content> </IndicatorItem> <IndicatorItem id="78e55482-13b7-4d7e-be88-8c791471e3c3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7bea48f1f08e2677df168e0bbe9f19ac</Content> </IndicatorItem> <IndicatorItem id="ae170f81-a81d-487c-8b04-c07883528123" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">16c390a32f9a60bf50396fc86aea0f9d</Content> </IndicatorItem> <IndicatorItem id="ca3be3b7-7846-404d-ac36-801cd4e7c21d" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">AFX_Ideas_H</Content> <Comment>unique string used in mutexes seen in this family of malware</Comment> </IndicatorItem> <!-- NOTE(review): item ca3be3b7 (file strings containing AFX_Ideas_H) is not referenced by the indicator:Observable composition of this STIX Indicator. The same string is still tested against process handle names by group 07ccee9e, but matching it in file strings is only available through this OpenIOC definition. --> <Indicator operator="AND" id="2a34f6c7-ea26-4b4e-b369-017f76f576a9"> <Indicator 
operator="OR" id="2d9481cf-e87f-4e09-9e22-9b035865e6ed"> <IndicatorItem id="ac70add4-d1a8-4afd-a0d1-a853cc3b0621" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">wmdmpmsn.dll</Content> </IndicatorItem> <IndicatorItem id="e20bf836-d1cc-4bc5-809d-56fae5cc3750" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">rasautoe.dll</Content> </IndicatorItem> <IndicatorItem id="f519fe0d-64a8-4e78-b7ce-b61e21d8e142" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_mismatch</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="ab5915ea-a124-4549-b0d2-64d1bb174555"> <IndicatorItem id="408e3371-1e28-4c70-ae9e-22346bff725d" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">142848</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="a5fd6966-5764-4006-bf9a-ff3c7840a7c4"> <IndicatorItem id="6680c8c8-94b8-4726-b044-276122132188" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-02-15T13:49:01Z</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="07ccee9e-57b5-4d9e-993d-4a07d847a083"> <IndicatorItem id="3a43b6c8-25ec-40c6-a371-527dc3f09157" condition="is"> <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Type" type="mir"/> <Content type="string">Mutant</Content> </IndicatorItem> <IndicatorItem id="7d448a24-25a1-481a-85bc-a31f68d1f541" condition="contains"> <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/> <Content type="string">AFX_Ideas_H</Content> <Comment>constant string found in a mutex created by the malware</Comment> </IndicatorItem> </Indicator> <Indicator operator="AND" 
id="5c95001f-5486-48f3-a414-64afa27bb840"> <IndicatorItem id="3601a1b3-1400-4eb3-84f4-2fab1cecd8f9" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">ServiceAutoRun.dll</Content> <Comment>dll export name included in this malware</Comment> </IndicatorItem> <IndicatorItem id="37bb84d7-4b82-4d1a-9d0c-14870b79f506" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">ServiceMain</Content> </IndicatorItem> <IndicatorItem id="16eee0ce-73c8-4a63-a534-5b06963450ad" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">install</Content> </IndicatorItem> <IndicatorItem id="b3f26321-571e-421e-862f-d418e19bafa8" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">installservice</Content> </IndicatorItem> <IndicatorItem id="a1adc445-7f63-4f5d-8b07-06e550d8ddeb" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">uninstall</Content> </IndicatorItem> <IndicatorItem id="2d25335e-80b3-4b05-bf29-cd4051d2d9ce" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/NumberOfFunctions" type="mir"/> <Content type="int">4</Content> <Comment>fixed set of exports for this family of malware</Comment> </IndicatorItem> </Indicator> <Indicator operator="AND" id="f5887104-d40d-40d1-b9e9-3bb502082040"> <IndicatorItem id="0299307f-b6d6-4e33-90c8-640699ab078b" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">system\currentcontrolset\services</Content> <Comment>part of registry string for service created by replacing a service DLL</Comment> </IndicatorItem> <IndicatorItem 
id="63f8cb7f-2bb6-41a0-a20e-cb65b7df03e3" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">parameters\servicedllold</Content> <Comment>part of registry string for service created by replacing a service DLL</Comment> </IndicatorItem> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-8b34f3bd-8176-4e33-a4ca-6b9970c2be2e"> <indicator:Title>WEBC2-Y21K (FAMILY)</indicator:Title> <indicator:Description> A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family of backdoor malware talk to specific Web-based Command &amp; Control (C2) servers. The backdoor has a limited command set, depending on version. It is primarily a downloader, but it is classified as a backdoor because it can accept a limited command set, including changing local directories, downloading and executing additional files, sleeping, and connecting to a specific IP &amp; port not initially included in the instruction set for the malware. Each version of the malware has at least one hardcoded URL to which it connects to receive its initial commands. This family of malware installs itself as a service, with the malware either being the executable run by the service, or the service DLL loaded by a legitimate service. The same core code is seen recompiled on different dates or with different names, but the same functionality. Key signatures include a specific set of functions (some of which can be used with the OS-provided rundll32.exe tool to install the malware as a service), and hardcoded strings used in communication with C2 servers to issue commands to the implant. 
</indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-bcee073b-2aa0-446d-9df3-2e60dc1ec4e1"/> <cybox:Observable idref="mandiant:observable-f784a8db-f918-4317-9ca8-b727d45a1f02"/> <cybox:Observable idref="mandiant:observable-ab1f1988-84f0-435c-9705-e2560fc15178"/> <cybox:Observable idref="mandiant:observable-d1a3937b-b842-4bd0-b440-10933e38cf51"/> <cybox:Observable idref="mandiant:observable-bf1e5c90-7411-4cf1-952d-3cb8957edcaa"/> <cybox:Observable idref="mandiant:observable-65958046-17f0-4020-ac0d-cfb3f162e6dd"/> <cybox:Observable idref="mandiant:observable-58f61fa4-27b6-41c2-85a9-fcf42ff1d4d1"/> <cybox:Observable idref="mandiant:observable-f9e23c6a-6d57-4454-988d-6277c01b9da2"/> <cybox:Observable idref="mandiant:observable-73064b86-b3bf-4e8f-ac8c-4328cfe8e27a"/> <cybox:Observable idref="mandiant:observable-c16f0c10-cbcd-4887-962c-9f69203e2464"/> <cybox:Observable idref="mandiant:observable-ffdd76fa-2a4f-4c64-8567-d34437fc95b8"/> <cybox:Observable idref="mandiant:observable-f6abf31b-046c-4b97-8a2c-e2730c5d1c02"/> <cybox:Observable idref="mandiant:observable-7b73a5da-b774-43e1-9009-3ac306998c40"/> <cybox:Observable idref="mandiant:observable-d621b0bb-3752-4bbd-8cf1-e02f28359314"/> <cybox:Observable idref="mandiant:observable-b36c8593-4b41-46b3-90a9-ff2c856869c1"/> <cybox:Observable idref="mandiant:observable-b8ff6f03-aa00-4b25-8f74-251af63ef7a4"/> <cybox:Observable idref="mandiant:observable-cb0e98b4-0169-4058-9541-edcdbead06ae"/> <cybox:Observable idref="mandiant:observable-af556b1d-78d1-4740-92ac-4a5fe8723a74"/> <cybox:Observable idref="mandiant:observable-6d5e4516-3d05-4ba0-934a-6b080110fd1b"/> <cybox:Observable idref="mandiant:observable-ca304672-8046-4f3b-a033-d38d845f6714"/> <cybox:Observable idref="mandiant:observable-6cdcf31b-efe4-4b9c-90cd-87761deabcc0"/> <cybox:Observable idref="mandiant:observable-3e2422bd-fd0c-4575-aec9-5a4c0e6d8f84"/> <cybox:Observable 
idref="mandiant:observable-e559a0ff-4275-48da-bb2f-d90a0d75d0cf"/> <cybox:Observable idref="mandiant:observable-ac310004-4ceb-41db-8f7f-8ea4700923df"/> <cybox:Observable idref="mandiant:observable-9c209bb5-f2ab-44f3-a518-f89763c9b66a"/> <cybox:Observable idref="mandiant:observable-7ad0528d-91d9-40e7-8d01-920ca28cc8b6"/> <cybox:Observable idref="mandiant:observable-456edb39-0d5c-4adc-ba8b-278d7bed0cad"/> <cybox:Observable idref="mandiant:observable-c29c9ebe-4506-456b-8ffc-3d2cbe4a5e36"/> <cybox:Observable idref="mandiant:observable-b2b647cc-befe-4a2d-82a9-64b5518b78fa"/> <cybox:Observable idref="mandiant:observable-4de9455d-b4f8-4fbe-b706-101511d6adb0"/> <cybox:Observable idref="mandiant:observable-b2cf2de9-b2e6-478e-8260-696c07f7c858"/> <cybox:Observable idref="mandiant:observable-07acd0ad-effe-40c1-9143-b59ee65cdc82"/> <cybox:Observable idref="mandiant:observable-61ab04b2-835a-49e1-b48f-f2892a364a70"/> <cybox:Observable idref="mandiant:observable-3bfabbc3-2613-4e70-9864-55928eff4046"/> <cybox:Observable idref="mandiant:observable-ece468aa-3ae7-41e2-b655-82c9bf7ae315"/> <cybox:Observable idref="mandiant:observable-09c0befb-e39d-4ce5-9598-b079759eb60e"/> <cybox:Observable idref="mandiant:observable-461423f7-2d3d-487b-a28e-f809412cc841"/> <cybox:Observable idref="mandiant:observable-f3c52374-9e6e-4d0a-8eb5-0f8b0bf2b600"/> <cybox:Observable idref="mandiant:observable-de464108-ff1b-43e1-9a9d-a2fa3a0cc48c"/> <cybox:Observable idref="mandiant:observable-9b46173f-f99b-4fd4-9ede-672d412f9274"/> <cybox:Observable idref="mandiant:observable-37f16d0e-697d-482d-bf13-2f747f849b54"/> <cybox:Observable id="mandiant:observable-c2bcfa4f-54eb-4c50-8389-fc8f178467db"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-7314929d-e4d9-4b73-9093-68b35423ca36"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-d0c8e2c2-cf76-44dd-afb1-fcb042e5b830"/> <cybox:Observable 
idref="mandiant:observable-099663c2-ecb6-492d-8fa3-5868277c0ce5"/> <cybox:Observable idref="mandiant:observable-d9b5ddbb-4673-4a2f-855a-65e4a56ca940"/> <cybox:Observable idref="mandiant:observable-fa82306a-4865-4811-bf4b-8b8dab22ba04"/> <cybox:Observable idref="mandiant:observable-2a7e7340-2701-4635-90ae-335593798d87"/> <cybox:Observable idref="mandiant:observable-f9da710e-16aa-4155-9649-7138eb6f706d"/> <cybox:Observable idref="mandiant:observable-5efbf792-7229-451f-bef1-3580de79d99f"/> <cybox:Observable idref="mandiant:observable-bff734c9-fc24-4a98-bfa9-97aba5a23ab7"/> <cybox:Observable idref="mandiant:observable-11613394-2a83-4e3e-a371-1a5209c2545a"/> <cybox:Observable idref="mandiant:observable-8e305cdc-46cb-49af-9072-e1687ecd6535"/> <cybox:Observable idref="mandiant:observable-6ddc8685-a57c-47ee-88a9-9d6caf2ef3a9"/> <cybox:Observable idref="mandiant:observable-e272e639-d854-48b1-85b4-729d1f3412e1"/> <cybox:Observable idref="mandiant:observable-cc9bb9f9-a23b-4515-8335-21cf84d3144e"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-5ed4a9a9-45dc-439c-8f4d-51a24d646a97"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-f5fc9e99-316c-4ae8-8f3e-84772f78898f"/> <cybox:Observable idref="mandiant:observable-b829355c-8ac2-4229-8880-922a66ffa047"/> <cybox:Observable idref="mandiant:observable-7a99942e-d13d-47ef-8ffc-61f123f8a5dc"/> <cybox:Observable idref="mandiant:observable-dd7dbf24-1aa2-4191-81eb-a0021aa207d7"/> <cybox:Observable idref="mandiant:observable-87dc59c7-5a89-4076-acc5-efe198b49386"/> <cybox:Observable idref="mandiant:observable-7dd519d0-093f-407f-b464-ac494065beed"/> <cybox:Observable idref="mandiant:observable-1f2ecedb-7b3b-4f93-b15a-34019332a313"/> <cybox:Observable idref="mandiant:observable-d19ffaa5-d99d-45e7-85cf-f4faf0608147"/> <cybox:Observable idref="mandiant:observable-165af123-f86a-46fd-97d9-52291b7d5017"/> <cybox:Observable 
idref="mandiant:observable-d8dc58d8-bf6d-4001-bd27-075dafdc0459"/> <cybox:Observable idref="mandiant:observable-24a7c3af-87f9-4924-8e72-6a42a3b805fa"/> <cybox:Observable idref="mandiant:observable-93015983-823d-43d8-85a7-fb8fa98cf7aa"/> <cybox:Observable idref="mandiant:observable-140916f8-ff79-4551-8961-8e859cbebd84"/> <cybox:Observable idref="mandiant:observable-c828af97-234b-4fd9-9798-904962074ee4"/> <cybox:Observable idref="mandiant:observable-32ee351e-454d-418c-98e8-9b7d8ef8127c"/> <cybox:Observable idref="mandiant:observable-f963988d-2e86-4acb-a573-a4e762417934"/> <cybox:Observable idref="mandiant:observable-cbd3d3bd-d8db-444c-9269-7d6b3251ed0b"/> <cybox:Observable idref="mandiant:observable-a0383e59-8359-47bf-94ab-186146bf6607"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-1fe25ac0-81b5-4b0e-861f-0193b116f13b"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-261f110d-fa04-4ed1-95e8-8c90ff010652"/> <cybox:Observable idref="mandiant:observable-2ed2480e-1ba5-4fcb-a039-c0ded1145a0d"/> <cybox:Observable idref="mandiant:observable-0d2e918e-637b-4abe-ab70-a8e9203bf4fa"/> <cybox:Observable idref="mandiant:observable-a0b7a583-c221-4133-8b05-bdf11fe9c3fd"/> <cybox:Observable idref="mandiant:observable-cbcf3f56-bf7a-4f53-8ca3-3e7a8d39b3e1"/> <cybox:Observable idref="mandiant:observable-68b40394-3e93-4d71-9d7e-e893d61f9a1e"/> <cybox:Observable idref="mandiant:observable-de395497-eabf-4d17-bbc4-344546d92bf4"/> <cybox:Observable idref="mandiant:observable-412dc589-3186-41a7-acbb-fe76f1af2e84"/> <cybox:Observable idref="mandiant:observable-6ba4376b-78a3-4f87-96fd-9a5adda26d63"/> <cybox:Observable idref="mandiant:observable-96c5afb9-5e53-4cf6-a9b3-7a75bd7ff859"/> <cybox:Observable idref="mandiant:observable-a2b9fb4d-e28f-43b7-93fc-ddc855e8399f"/> <cybox:Observable idref="mandiant:observable-a7f057f3-97a1-4c7a-8168-28102a68bf9c"/> <cybox:Observable 
idref="mandiant:observable-1241a277-5fff-4d2e-8805-e71ea2ab1a4f"/> <cybox:Observable idref="mandiant:observable-d0079169-d149-404e-84a9-a02387d18b37"/> <cybox:Observable idref="mandiant:observable-bca5a60c-0b21-42f4-94ba-213bc4bd0edc"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-8c2dff0f-f02a-4caf-9c62-4f5bade91842"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-1e89cfa2-ffe7-46cc-9b04-abf39ef5adfa"/> <cybox:Observable idref="mandiant:observable-f99ef512-181c-4b98-8bbd-7331b16951e8"/> <cybox:Observable idref="mandiant:observable-b657df39-9a41-4886-8f41-4bf19c8e1aaa"/> <cybox:Observable idref="mandiant:observable-ea45b183-0aed-4345-b536-d87a43145beb"/> <cybox:Observable idref="mandiant:observable-8047965d-a942-4e6d-b51e-33dffb2e0bcd"/> <cybox:Observable idref="mandiant:observable-55ab17de-e022-4a7d-96cd-98b1e6c2aa49"/> <cybox:Observable id="mandiant:observable-2d1afc0b-f072-4c12-9127-3cccad1400f8"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-d6f80663-1fa7-4e9f-aa16-f02dbdc363df"/> <cybox:Observable idref="mandiant:observable-bdbac1c0-2d8b-4714-8757-2e3f82cd17c4"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <!-- References WEBC2 TTP rather than main APT1 TTP --> <stixCommon:TTP idref="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="70b5be0c-8a94-44b4-97a4-1e95b09498a8" last-modified="2013-02-10T13:00:00"> <short_description>WEBC2-Y21K (FAMILY)</short_description> <description>A WEBC2 backdoor is designed to retrieve a Web page from a 
pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family of backdoor malware talk to specific Web-based Command &amp; Control (C2) servers. The backdoor has a limited command set, depending on version. It is primarily a downloader, but it is classified as a backdoor because it can accept a limited command set, including changing local directories, downloading and executing additional files, sleeping, and connecting to a specific IP &amp; port not initially included in the instruction set for the malware. Each version of the malware has at least one hardcoded URL to which it connects to receive its initial commands. This family of malware installs itself as a service, with the malware either being the executable run by the service, or the service DLL loaded by a legitimate service. The same core code is seen recompiled on different dates or with different names, but the same functionality. 
Key signatures include a specific set of functions (some of which can be used with the OS-provided rundll32.exe tool to install the malware as a service), and hardcoded strings used in communication with C2 servers to issue commands to the implant.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">WEBC2-Y21K</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="capability">DOWNLOADER</link> </links> <definition> <Indicator operator="OR" id="8b34f3bd-8176-4e33-a4ca-6b9970c2be2e"> <IndicatorItem id="bcee073b-2aa0-446d-9df3-2e60dc1ec4e1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0df42947e167cd006b176d305c08d57e</Content> <Comment>hash for binary microsoft.dll</Comment> </IndicatorItem> <IndicatorItem id="f784a8db-f918-4317-9ca8-b727d45a1f02" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">024fd07dbdacc7da227bede3449c2b6a</Content> <Comment>hash for binary eventsystem.dll</Comment> </IndicatorItem> <IndicatorItem id="ab1f1988-84f0-435c-9705-e2560fc15178" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0fed203f3df6a82c9124f24aa3d9d75d</Content> <Comment>hash for binary Nwsapagent.dll</Comment> </IndicatorItem> <IndicatorItem id="d1a3937b-b842-4bd0-b440-10933e38cf51" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1f9b32bac55ba4c015181ebf55767752</Content> <Comment>hash for binary svchost.exe</Comment> </IndicatorItem> <IndicatorItem id="bf1e5c90-7411-4cf1-952d-3cb8957edcaa" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">225e33508861984dd2a774760bfdfc52</Content> <Comment>hash for binary iexplore.exe</Comment> </IndicatorItem> <IndicatorItem id="65958046-17f0-4020-ac0d-cfb3f162e6dd" 
condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2479a9a50308cb72fcd5e4e18ef06468</Content> <Comment>hash for binary eventsystem.dll</Comment> </IndicatorItem> <IndicatorItem id="58f61fa4-27b6-41c2-85a9-fcf42ff1d4d1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">255cd53f9bdb6f3755e621885cb34382</Content> <Comment>hash for binary Nwsapagent.dll</Comment> </IndicatorItem> <IndicatorItem id="f9e23c6a-6d57-4454-988d-6277c01b9da2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">28dbd86bd86eb9153ecb20d883c41ae0</Content> <Comment>hash for binary Nwsapagent.dll</Comment> </IndicatorItem> <IndicatorItem id="73064b86-b3bf-4e8f-ac8c-4328cfe8e27a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">335df3ffb8cee61c20ab91a401204df4</Content> <Comment>hash for binary svchost.exe</Comment> </IndicatorItem> <IndicatorItem id="c16f0c10-cbcd-4887-962c-9f69203e2464" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3d0c1dc5ac55f6d0e6b7fabfeb5158f5</Content> <Comment>hash for binary Nwsapagent.dll</Comment> </IndicatorItem> <IndicatorItem id="ffdd76fa-2a4f-4c64-8567-d34437fc95b8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">456d298649a7ec31a7250ed9312ebbaf</Content> <Comment>hash for binary wauserv.dll</Comment> </IndicatorItem> <IndicatorItem id="f6abf31b-046c-4b97-8a2c-e2730c5d1c02" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4cabfaef26fd8e5aec01d0c4b90a32f3</Content> <Comment>hash for binary IPRIPP.DLL</Comment> </IndicatorItem> <IndicatorItem id="7b73a5da-b774-43e1-9009-3ac306998c40" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">4cd3bed14aaffcf61f4d2948484c4c90</Content> <Comment>hash for binary vediosrv.dll</Comment> </IndicatorItem>
<!-- Each item in this run tests FileItem/Md5sum with condition="is" (exact hash equality). The file name in
     <Comment> is an analyst label, not a match condition. Several labels (svchost.exe, iexplore.exe) are also
     the names of legitimate Windows binaries, so a consumer should alert on the hash, never on the name alone.
     The indicator description states the same core code is recompiled under different dates and names, so an
     exact-hash list covers only the listed samples. -->
<IndicatorItem id="d621b0bb-3752-4bbd-8cf1-e02f28359314" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5613e6d7111b327307c02bec1701ac3f</Content> <Comment>hash for binary iexplore.exe</Comment> </IndicatorItem>
<IndicatorItem id="b36c8593-4b41-46b3-90a9-ff2c856869c1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">580a4c05982accc678a72c366b45815d</Content> <Comment>hash for binary iexplore.exe</Comment> </IndicatorItem>
<IndicatorItem id="b8ff6f03-aa00-4b25-8f74-251af63ef7a4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6461ea41f179e660c40ed65aee1a4a2d</Content> <Comment>hash for binary svchost.exe</Comment> </IndicatorItem>
<IndicatorItem id="cb0e98b4-0169-4058-9541-edcdbead06ae" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6510cee34da30c7ef5e5e39980402257</Content> <Comment>hash for binary ersv.dll</Comment> </IndicatorItem>
<IndicatorItem id="af556b1d-78d1-4740-92ac-4a5fe8723a74" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">69dc1e1ee273e531e91c60eb86396cc8</Content> <Comment>hash for binary svchost.exe</Comment> </IndicatorItem>
<IndicatorItem id="6d5e4516-3d05-4ba0-934a-6b080110fd1b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">75372eb37415140fa5464f1ebb8a0e74</Content> <Comment>hash for binary ersv.dll</Comment> </IndicatorItem>
<!-- NOTE(review): the next two items (ca304672-... and 6cdcf31b-...) repeat the MD5 values of the two items
     directly above (69dc1e1ee273e531e91c60eb86396cc8 and 75372eb37415140fa5464f1ebb8a0e74) under new item ids.
     Inside the enclosing OR group this does not change what matches, but each duplicate also has its own idref
     in the CybOX Observable_Composition of this indicator. De-duplicate by hash value, not by item id, when
     loading into a detection or intelligence platform so hit counts are not inflated. -->
<IndicatorItem id="ca304672-8046-4f3b-a033-d38d845f6714" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">69dc1e1ee273e531e91c60eb86396cc8</Content> <Comment>hash for binary svchost.exe</Comment> </IndicatorItem>
<IndicatorItem id="6cdcf31b-efe4-4b9c-90cd-87761deabcc0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">75372eb37415140fa5464f1ebb8a0e74</Content> <Comment>hash for binary ersv.dll</Comment> </IndicatorItem>
<IndicatorItem id="3e2422bd-fd0c-4575-aec9-5a4c0e6d8f84" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8c57b287a1d2140ccedd6cd097d62ded</Content> <Comment>hash for binary eventsystem.dll</Comment> </IndicatorItem>
<IndicatorItem id="e559a0ff-4275-48da-bb2f-d90a0d75d0cf" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9548e5ed4fbacd0ed4a9d6a27f5d8fec</Content> <Comment>hash for binary Nwsapagent.dll</Comment> </IndicatorItem>
<IndicatorItem id="ac310004-4ceb-41db-8f7f-8ea4700923df" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">97c83d85bd76a38b13cea960a1a97f70</Content> <Comment>hash for binary svchost.exe</Comment> </IndicatorItem>
<IndicatorItem id="9c209bb5-f2ab-44f3-a518-f89763c9b66a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">99882234b814b860a22b4d441b92fd82</Content> <Comment>hash for binary eventsystem.exe</Comment> </IndicatorItem>
<IndicatorItem id="7ad0528d-91d9-40e7-8d01-920ca28cc8b6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a360b16c19ab9dea6763f777257c5f38</Content> <Comment>hash for binary nwsapagent.dll</Comment> </IndicatorItem>
<IndicatorItem id="456edb39-0d5c-4adc-ba8b-278d7bed0cad" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">abff707cb54a6e5a9fcbb3fef74dbddc</Content> <Comment>hash for binary Nwsapagent.dll</Comment> </IndicatorItem>
<IndicatorItem id="c29c9ebe-4506-456b-8ffc-3d2cbe4a5e36" condition="is"> <Context document="FileItem" search="FileItem/Md5sum"
type="mir"/> <Content type="md5">adb2fc194b960e694aa450161f1df6fc</Content> <Comment>hash for binary eventsystem.dll</Comment> </IndicatorItem> <IndicatorItem id="b2b647cc-befe-4a2d-82a9-64b5518b78fa" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b36168ea438520875c621f5603db003f</Content> <Comment>hash for binary iexplore.exe</Comment> </IndicatorItem> <IndicatorItem id="4de9455d-b4f8-4fbe-b706-101511d6adb0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b7dba6184f07b1e824362a2307d91ae2</Content> <Comment>hash for binary Nwsapagent.dll</Comment> </IndicatorItem> <IndicatorItem id="b2cf2de9-b2e6-478e-8260-696c07f7c858" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bfcae0468de0c7bcf92e9989589082f1</Content> <Comment>hash for binary Nwsapagent.dll</Comment> </IndicatorItem> <IndicatorItem id="07acd0ad-effe-40c1-9143-b59ee65cdc82" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c425b8782075da33cba5aae5ad612582</Content> <Comment>hash for binary Nwsapagent.dll</Comment> </IndicatorItem> <IndicatorItem id="61ab04b2-835a-49e1-b48f-f2892a364a70" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cfc6112254a69030521d0d2bba152d4d</Content> <Comment>hash for binary lao.exe</Comment> </IndicatorItem> <IndicatorItem id="3bfabbc3-2613-4e70-9864-55928eff4046" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cfce9478c880934b3548c3022a956e14</Content> <Comment>hash for binary nwsapagent.dll</Comment> </IndicatorItem> <IndicatorItem id="ece468aa-3ae7-41e2-b655-82c9bf7ae315" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d60ee4a39667a733c075bb7f7b36285a</Content> <Comment>hash for binary n.dll</Comment> 
</IndicatorItem>
<IndicatorItem id="09c0befb-e39d-4ce5-9598-b079759eb60e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">da5ff7927d608d7ccc7495939d457bd3</Content> <Comment>hash for binary svchost.exe</Comment> </IndicatorItem>
<IndicatorItem id="461423f7-2d3d-487b-a28e-f809412cc841" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ea8b6c2c083d6b7b2b6ebc015b0488ca</Content> <Comment>hash for binary Nwsapagent.dll</Comment> </IndicatorItem>
<IndicatorItem id="f3c52374-9e6e-4d0a-8eb5-0f8b0bf2b600" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f3b54c188185ee0921848b3a6ad4751e</Content> <Comment>hash for binary esrv.dll</Comment> </IndicatorItem>
<IndicatorItem id="de464108-ff1b-43e1-9a9d-a2fa3a0cc48c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fade2270a6c7cb47893ac600a9a0509f</Content> <Comment>hash for binary Nwsapagent.dll</Comment> </IndicatorItem>
<IndicatorItem id="9b46173f-f99b-4fd4-9ede-672d412f9274" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fefa3638e4d6f2e00b5194ae3fa0c931</Content> <Comment>hash for binary nws.dll</Comment> </IndicatorItem>
<!-- The four FileItem/StringList/string values below are Base64 text. Decoded they read "connect", "quit",
     "unsupport" and "sleep". condition="is" compares the whole extracted string, so these items match the
     encoded literals (presumably as they are stored in the binary), not the decoded words.
     NOTE(review): the CybOX Observable_Composition of this indicator carries no idref for these four items or
     for the ServiceItem/descriptiveName item (27f1a630-...) that follows them. This is consistent with the
     file header's statement that the OpenIOC to CybOX conversion is lossy. A consumer that reads only the
     CybOX observables does not get these conditions; they exist only in this OpenIOC test mechanism. -->
<IndicatorItem id="b5795414-e372-4da3-94aa-4ae16befd887" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">Y29ubmVjdA==</Content> <Comment>embedded string used for C2 commands</Comment> </IndicatorItem>
<IndicatorItem id="106b394a-e59f-4daf-ad84-cc35f29be9e1" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">cXVpdA==</Content> <Comment>embedded string used for C2 commands</Comment> </IndicatorItem>
<IndicatorItem id="79272b97-dccb-4404-a934-ba3e87f7853c" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">dW5zdXBwb3J0</Content> <Comment>embedded string used for C2 commands</Comment> </IndicatorItem>
<IndicatorItem id="e716cc95-d02b-40aa-b394-0aeccec1836e" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">c2xlZXA=</Content> <Comment>embedded string used for C2 commands</Comment> </IndicatorItem>
<!-- The two ServiceItem conditions below match the service display name and description exactly
     (condition="is"). NOTE(review): the description text after the "Depends COM+," prefix presumably imitates
     the description of a legitimate Windows networking service; confirm against a clean host baseline. Keep
     the exact match, including the prefix, when porting this rule. A substring match on the trailing sentence
     alone risks flagging the legitimate service. -->
<IndicatorItem id="27f1a630-b4fc-469a-9b99-f46e7dfbf821" condition="is"> <Context document="ServiceItem" search="ServiceItem/descriptiveName" type="mir"/> <Content type="string">Intranet Network Awareness (COM+)</Content> <Comment>The malware often creates a service entry with consistent text in the description fields.</Comment> </IndicatorItem>
<IndicatorItem id="37f16d0e-697d-482d-bf13-2f747f849b54" condition="is"> <Context document="ServiceItem" search="ServiceItem/description" type="mir"/> <Content type="string">Depends COM+, Collects and stores network configuration and location information, and notifies applications when this information changes.</Content> <Comment>The malware often creates a service entry with consistent text in the description fields.</Comment> </IndicatorItem>
<!-- The AND group c2bcfa4f-... opens here. Its first operand is this OR group of FileItem/SizeInBytes
     values; a PETimeStamp OR group follows it, so a file size on its own never satisfies the indicator.
     The hash lists inside each <Comment> are analyst notes and are not evaluated.
     NOTE(review): 0fed203f3df6a82c9124f24aa3d9d75d is listed under three different sizes below (13824, 9216
     where it appears twice, and 14336). One file has one size, so at least some of these entries are
     presumably transcription errors in the source data. Do not use the comment lists to pair a hash with a
     size without checking the original report. -->
<Indicator operator="AND" id="c2bcfa4f-54eb-4c50-8389-fc8f178467db"> <Indicator operator="OR" id="7314929d-e4d9-4b73-9093-68b35423ca36">
<IndicatorItem id="d0c8e2c2-cf76-44dd-afb1-fcb042e5b830" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">9728</Content> <Comment>024fd07dbdacc7da227bede3449c2b6a 456d298649a7ec31a7250ed9312ebbaf 8c57b287a1d2140ccedd6cd097d62ded adb2fc194b960e694aa450161f1df6fc</Comment> </IndicatorItem>
<IndicatorItem id="099663c2-ecb6-492d-8fa3-5868277c0ce5" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">10752</Content> <Comment>0df42947e167cd006b176d305c08d57e</Comment> </IndicatorItem>
<IndicatorItem id="d9b5ddbb-4673-4a2f-855a-65e4a56ca940" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">13824</Content> <Comment>0fed203f3df6a82c9124f24aa3d9d75d 255cd53f9bdb6f3755e621885cb34382 3d0c1dc5ac55f6d0e6b7fabfeb5158f5 a360b16c19ab9dea6763f777257c5f38 abff707cb54a6e5a9fcbb3fef74dbddc b7dba6184f07b1e824362a2307d91ae2 d60ee4a39667a733c075bb7f7b36285a</Comment> </IndicatorItem>
<IndicatorItem id="fa82306a-4865-4811-bf4b-8b8dab22ba04" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">5632</Content> <Comment>6461ea41f179e660c40ed65aee1a4a2d da5ff7927d608d7ccc7495939d457bd3</Comment> </IndicatorItem>
<IndicatorItem id="2a7e7340-2701-4635-90ae-335593798d87" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">8192</Content> <Comment>b36168ea438520875c621f5603db003f</Comment> </IndicatorItem>
<IndicatorItem id="f9da710e-16aa-4155-9649-7138eb6f706d" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">9216</Content> <Comment>0fed203f3df6a82c9124f24aa3d9d75d 0fed203f3df6a82c9124f24aa3d9d75d 225e33508861984dd2a774760bfdfc52 99882234b814b860a22b4d441b92fd82</Comment> </IndicatorItem>
<IndicatorItem id="5efbf792-7229-451f-bef1-3580de79d99f" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">13312</Content> <Comment>2479a9a50308cb72fcd5e4e18ef06468 28dbd86bd86eb9153ecb20d883c41ae0 9548e5ed4fbacd0ed4a9d6a27f5d8fec bfcae0468de0c7bcf92e9989589082f1 c425b8782075da33cba5aae5ad612582 fade2270a6c7cb47893ac600a9a0509f</Comment> </IndicatorItem>
<IndicatorItem id="bff734c9-fc24-4a98-bfa9-97aba5a23ab7" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">14336</Content> <Comment>0fed203f3df6a82c9124f24aa3d9d75d cfc6112254a69030521d0d2bba152d4d</Comment>
</IndicatorItem> <IndicatorItem id="11613394-2a83-4e3e-a371-1a5209c2545a" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">15360</Content> <Comment>4cd3bed14aaffcf61f4d2948484c4c90</Comment> </IndicatorItem> <IndicatorItem id="8e305cdc-46cb-49af-9072-e1687ecd6535" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">16896</Content> <Comment>335df3ffb8cee61c20ab91a401204df4 69dc1e1ee273e531e91c60eb86396cc8</Comment> </IndicatorItem> <IndicatorItem id="6ddc8685-a57c-47ee-88a9-9d6caf2ef3a9" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">17408</Content> <Comment>6510cee34da30c7ef5e5e39980402257 75372eb37415140fa5464f1ebb8a0e74 f3b54c188185ee0921848b3a6ad4751e</Comment> </IndicatorItem> <IndicatorItem id="e272e639-d854-48b1-85b4-729d1f3412e1" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">24064</Content> <Comment>4cabfaef26fd8e5aec01d0c4b90a32f3 cfce9478c880934b3548c3022a956e14 ea8b6c2c083d6b7b2b6ebc015b0488ca fefa3638e4d6f2e00b5194ae3fa0c931</Comment> </IndicatorItem> <IndicatorItem id="cc9bb9f9-a23b-4515-8335-21cf84d3144e" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">38400</Content> <Comment>5613e6d7111b327307c02bec1701ac3f 580a4c05982accc678a72c366b45815d 97c83d85bd76a38b13cea960a1a97f70</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="5ed4a9a9-45dc-439c-8f4d-51a24d646a97"> <IndicatorItem id="f5fc9e99-316c-4ae8-8f3e-84772f78898f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2007-07-13T07:46:05Z</Content> <Comment>024fd07dbdacc7da227bede3449c2b6a 8c57b287a1d2140ccedd6cd097d62ded adb2fc194b960e694aa450161f1df6fc</Comment> </IndicatorItem> <IndicatorItem 
id="b829355c-8ac2-4229-8880-922a66ffa047" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-03-31T15:46:00Z</Content> <Comment>0df42947e167cd006b176d305c08d57e</Comment> </IndicatorItem> <IndicatorItem id="7a99942e-d13d-47ef-8ffc-61f123f8a5dc" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-05-17T01:04:15Z</Content> <Comment>0fed203f3df6a82c9124f24aa3d9d75d</Comment> </IndicatorItem> <IndicatorItem id="dd7dbf24-1aa2-4191-81eb-a0021aa207d7" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-06-15T09:43:38Z</Content> <Comment>0fed203f3df6a82c9124f24aa3d9d75d</Comment> </IndicatorItem> <IndicatorItem id="87dc59c7-5a89-4076-acc5-efe198b49386" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-08-27T08:41:19Z</Content> <Comment>225e33508861984dd2a774760bfdfc52 99882234b814b860a22b4d441b92fd82</Comment> </IndicatorItem> <IndicatorItem id="7dd519d0-093f-407f-b464-ac494065beed" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-03-12T12:39:30Z</Content> <Comment>2479a9a50308cb72fcd5e4e18ef06468 28dbd86bd86eb9153ecb20d883c41ae0 9548e5ed4fbacd0ed4a9d6a27f5d8fec bfcae0468de0c7bcf92e9989589082f1 c425b8782075da33cba5aae5ad612582 fade2270a6c7cb47893ac600a9a0509f</Comment> </IndicatorItem> <IndicatorItem id="1f2ecedb-7b3b-4f93-b15a-34019332a313" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-06-16T01:00:08Z</Content> <Comment>255cd53f9bdb6f3755e621885cb34382 abff707cb54a6e5a9fcbb3fef74dbddc b7dba6184f07b1e824362a2307d91ae2 d60ee4a39667a733c075bb7f7b36285a 3d0c1dc5ac55f6d0e6b7fabfeb5158f5 a360b16c19ab9dea6763f777257c5f38</Comment> </IndicatorItem> 
<IndicatorItem id="d19ffaa5-d99d-45e7-85cf-f4faf0608147" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-06-03T03:13:08Z</Content> <Comment>335df3ffb8cee61c20ab91a401204df4</Comment> </IndicatorItem> <IndicatorItem id="165af123-f86a-46fd-97d9-52291b7d5017" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2007-12-14T01:09:51Z</Content> <Comment>456d298649a7ec31a7250ed9312ebbaf</Comment> </IndicatorItem> <IndicatorItem id="d8dc58d8-bf6d-4001-bd27-075dafdc0459" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-09-28T01:00:25Z</Content> <Comment>4cabfaef26fd8e5aec01d0c4b90a32f3 cfce9478c880934b3548c3022a956e14 ea8b6c2c083d6b7b2b6ebc015b0488ca</Comment> </IndicatorItem> <IndicatorItem id="24a7c3af-87f9-4924-8e72-6a42a3b805fa" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-02-24T09:37:56Z</Content> <Comment>4cd3bed14aaffcf61f4d2948484c4c90</Comment> </IndicatorItem> <IndicatorItem id="93015983-823d-43d8-85a7-fb8fa98cf7aa" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-03-16T03:27:48Z</Content> <Comment>5613e6d7111b327307c02bec1701ac3f 580a4c05982accc678a72c366b45815d</Comment> </IndicatorItem> <IndicatorItem id="140916f8-ff79-4551-8961-8e859cbebd84" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-08-11T00:24:48Z</Content> <Comment>6461ea41f179e660c40ed65aee1a4a2d da5ff7927d608d7ccc7495939d457bd3</Comment> </IndicatorItem> <IndicatorItem id="c828af97-234b-4fd9-9798-904962074ee4" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-07-20T06:57:31Z</Content> 
<Comment>6510cee34da30c7ef5e5e39980402257 75372eb37415140fa5464f1ebb8a0e74 f3b54c188185ee0921848b3a6ad4751e</Comment> </IndicatorItem> <IndicatorItem id="32ee351e-454d-418c-98e8-9b7d8ef8127c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-11-22T12:38:38Z</Content> <Comment>69dc1e1ee273e531e91c60eb86396cc8 97c83d85bd76a38b13cea960a1a97f70</Comment> </IndicatorItem> <IndicatorItem id="f963988d-2e86-4acb-a573-a4e762417934" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2007-09-18T00:05:50Z</Content> <Comment>b36168ea438520875c621f5603db003f</Comment> </IndicatorItem> <IndicatorItem id="cbd3d3bd-d8db-444c-9269-7d6b3251ed0b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-09-25T08:39:16Z</Content> <Comment>cfc6112254a69030521d0d2bba152d4d</Comment> </IndicatorItem> <IndicatorItem id="a0383e59-8359-47bf-94ab-186146bf6607" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-10-11T08:17:47Z</Content> <Comment>fefa3638e4d6f2e00b5194ae3fa0c931</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="1fe25ac0-81b5-4b0e-861f-0193b116f13b"> <IndicatorItem id="261f110d-fa04-4ed1-95e8-8c90ff010652" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">ersv.dll</Content> <Comment>6510cee34da30c7ef5e5e39980402257 75372eb37415140fa5464f1ebb8a0e74</Comment> </IndicatorItem> <IndicatorItem id="2ed2480e-1ba5-4fcb-a039-c0ded1145a0d" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">esrv.dll</Content> <Comment>f3b54c188185ee0921848b3a6ad4751e</Comment> </IndicatorItem> <IndicatorItem id="0d2e918e-637b-4abe-ab70-a8e9203bf4fa" condition="is"> <Context document="FileItem" 
search="FileItem/FileName" type="mir"/> <Content type="string">eventsystem.dll</Content> <Comment>024fd07dbdacc7da227bede3449c2b6a 2479a9a50308cb72fcd5e4e18ef06468 8c57b287a1d2140ccedd6cd097d62ded adb2fc194b960e694aa450161f1df6fc</Comment> </IndicatorItem> <IndicatorItem id="a0b7a583-c221-4133-8b05-bdf11fe9c3fd" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">eventsystem.exe</Content> <Comment>99882234b814b860a22b4d441b92fd82</Comment> </IndicatorItem> <IndicatorItem id="cbcf3f56-bf7a-4f53-8ca3-3e7a8d39b3e1" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">iexplore.exe</Content> <Comment>225e33508861984dd2a774760bfdfc52 5613e6d7111b327307c02bec1701ac3f 580a4c05982accc678a72c366b45815d b36168ea438520875c621f5603db003f</Comment> </IndicatorItem> <IndicatorItem id="68b40394-3e93-4d71-9d7e-e893d61f9a1e" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">ipripp.dll</Content> <Comment>4cabfaef26fd8e5aec01d0c4b90a32f3</Comment> </IndicatorItem> <IndicatorItem id="de395497-eabf-4d17-bbc4-344546d92bf4" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">lao.exe</Content> <Comment>cfc6112254a69030521d0d2bba152d4d</Comment> </IndicatorItem> <IndicatorItem id="412dc589-3186-41a7-acbb-fe76f1af2e84" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">microsoft.dll</Content> <Comment>0df42947e167cd006b176d305c08d57e</Comment> </IndicatorItem> <IndicatorItem id="6ba4376b-78a3-4f87-96fd-9a5adda26d63" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">n.dll</Content> <Comment>d60ee4a39667a733c075bb7f7b36285a</Comment> </IndicatorItem> <IndicatorItem id="96c5afb9-5e53-4cf6-a9b3-7a75bd7ff859" condition="is"> <Context document="FileItem" 
search="FileItem/FileName" type="mir"/> <Content type="string">nws.dll</Content> <Comment>fefa3638e4d6f2e00b5194ae3fa0c931</Comment> </IndicatorItem> <IndicatorItem id="a2b9fb4d-e28f-43b7-93fc-ddc855e8399f" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">nwsapagent.dll</Content> <Comment>0fed203f3df6a82c9124f24aa3d9d75d 255cd53f9bdb6f3755e621885cb34382 28dbd86bd86eb9153ecb20d883c41ae0 3d0c1dc5ac55f6d0e6b7fabfeb5158f5 9548e5ed4fbacd0ed4a9d6a27f5d8fec a360b16c19ab9dea6763f777257c5f38 abff707cb54a6e5a9fcbb3fef74dbddc b7dba6184f07b1e824362a2307d91ae2 bfcae0468de0c7bcf92e9989589082f1 c425b8782075da33cba5aae5ad612582 cfce9478c880934b3548c3022a956e14 ea8b6c2c083d6b7b2b6ebc015b0488ca fade2270a6c7cb47893ac600a9a0509f</Comment> </IndicatorItem> <IndicatorItem id="a7f057f3-97a1-4c7a-8168-28102a68bf9c" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">svchost.exe</Content> <Comment>0fed203f3df6a82c9124f24aa3d9d75d 335df3ffb8cee61c20ab91a401204df4 6461ea41f179e660c40ed65aee1a4a2d 69dc1e1ee273e531e91c60eb86396cc8 97c83d85bd76a38b13cea960a1a97f70 da5ff7927d608d7ccc7495939d457bd3</Comment> </IndicatorItem> <IndicatorItem id="1241a277-5fff-4d2e-8805-e71ea2ab1a4f" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">vediosrv.dll</Content> <Comment>4cd3bed14aaffcf61f4d2948484c4c90</Comment> </IndicatorItem> <IndicatorItem id="d0079169-d149-404e-84a9-a02387d18b37" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">wauserv.dll</Content> <Comment>456d298649a7ec31a7250ed9312ebbaf</Comment> </IndicatorItem> <IndicatorItem id="bca5a60c-0b21-42f4-94ba-213bc4bd0edc" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> </IndicatorItem> </Indicator> 
</Indicator> <Indicator operator="AND" id="8c2dff0f-f02a-4caf-9c62-4f5bade91842"> <IndicatorItem id="1e89cfa2-ffe7-46cc-9b04-abf39ef5adfa" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">InstallService</Content> </IndicatorItem> <IndicatorItem id="f99ef512-181c-4b98-8bbd-7331b16951e8" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">ServiceMain</Content> </IndicatorItem> <IndicatorItem id="b657df39-9a41-4886-8f41-4bf19c8e1aaa" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">UninstallService</Content> </IndicatorItem> <IndicatorItem id="ea45b183-0aed-4345-b536-d87a43145beb" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">installA</Content> </IndicatorItem> <IndicatorItem id="8047965d-a942-4e6d-b51e-33dffb2e0bcd" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">uninstallA</Content> </IndicatorItem> <IndicatorItem id="55ab17de-e022-4a7d-96cd-98b1e6c2aa49" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/NumberOfFunctions" type="mir"/> <Content type="int">5</Content> <Comment>This File Export set is found in about 50% of the y21k family of malware</Comment> </IndicatorItem> <Indicator operator="OR" id="2d1afc0b-f072-4c12-9127-3cccad1400f8"> <IndicatorItem id="d6f80663-1fa7-4e9f-aa16-f02dbdc363df" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">Nwsapagent.dll</Content> <Comment>description of DLL used in about half of samples seen</Comment> </IndicatorItem> <IndicatorItem id="bdbac1c0-2d8b-4714-8757-2e3f82cd17c4" 
condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">EventSystem.dll</Content> <Comment>description of DLL used in about half of samples seen</Comment> </IndicatorItem> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-034a708a-2bb0-45ad-85c5-7505d90ce2a5"> <indicator:Title>HACKSFASE (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> This family of malware is a backdoor that provides reverse shell, process creation, system statistics collection, process enumeration, and process termination capabilities. This family is designed to be a service DLL and does not contain an installation mechanism. It usually communicates over port 443. Some variants use their own encryption, others use SSL. 
</indicator:Description> <indicator:Observable>
<!-- CybOX rendering of the OpenIOC definition carried in this indicator's Test_Mechanism.
     The top-level OR holds 22 observable references followed by three inline compositions
     (05522dcd, 8bfa6e91, 5a2b9a9f); each id reuses the UUID of the matching OpenIOC
     IndicatorItem or Indicator. The referenced observables are defined outside this excerpt.
     Note for consumers: the OpenIOC item 08cc4159-4d6f-44c8-8c58-5245f32fe88b (a
     StringList/string "contains" test) is not referenced in this composition, which fits the
     lossy conversion described in the file header. A tool that evaluates only the CybOX side
     will not apply that test; the embedded OpenIOC is the fuller definition. -->
<cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-c377cc91-f48d-4d1a-99bb-656cf3b706d7"/> <cybox:Observable idref="mandiant:observable-15195f31-be5e-4e16-9d30-6f3db6107b28"/> <cybox:Observable idref="mandiant:observable-5da94f8b-0a61-4229-9649-031bcc12e942"/> <cybox:Observable idref="mandiant:observable-aae5b567-4ab7-4fb2-98c8-cf684b2ad9aa"/> <cybox:Observable idref="mandiant:observable-27b93d21-246e-4a67-b099-e105dec428c3"/> <cybox:Observable idref="mandiant:observable-c80c0b77-8f85-444b-8b25-91cb89daaf23"/> <cybox:Observable idref="mandiant:observable-bba92888-f287-481d-afa9-f41c1f2324d1"/> <cybox:Observable idref="mandiant:observable-95724da5-c00f-4aa4-98e2-811d28dafe35"/> <cybox:Observable idref="mandiant:observable-aaad91e6-b2d7-46d8-8e26-afb74292e14b"/> <cybox:Observable idref="mandiant:observable-75bcbb10-444e-4af6-9ded-45136b5b2199"/> <cybox:Observable idref="mandiant:observable-ab0ff0cb-b591-4dbc-852d-0b6c023738a6"/> <cybox:Observable idref="mandiant:observable-9dbcdf25-be33-4433-9451-cd1594895c2b"/> <cybox:Observable idref="mandiant:observable-17e0c2b6-f87c-4ec9-9535-5e4e084a1659"/> <cybox:Observable idref="mandiant:observable-60ec0c3f-9729-4a8a-b34d-732951737b77"/> <cybox:Observable idref="mandiant:observable-43633d51-6eea-47f8-bb88-2b612cc8bc1e"/> <cybox:Observable idref="mandiant:observable-f1d15860-1f3d-4617-8f48-3be336bfa1f6"/> <cybox:Observable idref="mandiant:observable-4fd558fc-f3a9-45d0-affe-b0d751327ce8"/> <cybox:Observable idref="mandiant:observable-5148c205-0c23-4598-b620-0693e63a4c41"/> <cybox:Observable idref="mandiant:observable-8fd1c9ac-5b0d-4b4a-a421-072021d1b4b2"/> <cybox:Observable idref="mandiant:observable-ceb7a04d-314f-4436-8b11-9bdfe200e22f"/> <cybox:Observable idref="mandiant:observable-5ee5573c-3833-45b6-a5a5-d52846fd6eaf"/> <cybox:Observable idref="mandiant:observable-2a80e6d7-fa63-446b-82d6-9c45c250326c"/>
<!-- AND of three OR groups. On the OpenIOC side these are: file name or PE anomaly (08cf27b3),
     file size (374bea42) and PE timestamp (00e49679). -->
<cybox:Observable 
id="mandiant:observable-05522dcd-36b9-484a-8b03-91af1853bbfd"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-08cf27b3-d5ce-47e0-a43d-1537497b8253"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-d4ec4576-ff12-4456-8ccc-248b18672a4e"/> <cybox:Observable idref="mandiant:observable-cdc827e8-5a3a-42b6-bbad-e8e4489f3616"/> <cybox:Observable idref="mandiant:observable-46890225-6097-4468-9620-c5572c663a22"/> <cybox:Observable idref="mandiant:observable-b2af7f69-e2b7-479c-a8e9-41f755058158"/> <cybox:Observable idref="mandiant:observable-1fa8eb07-242a-468d-b792-733bdf12a6f3"/> <cybox:Observable idref="mandiant:observable-4aa84fae-cfed-490f-8325-29ce00097afd"/> <cybox:Observable idref="mandiant:observable-a51199a5-b5ac-4b88-878f-75df9dfe7dc4"/> <cybox:Observable idref="mandiant:observable-617f3e64-5fdd-4ae0-bc06-cbd12ce8f7f0"/> <cybox:Observable idref="mandiant:observable-b0f37fe1-4464-4e35-b378-a9ce2965f672"/> <cybox:Observable idref="mandiant:observable-091bdb12-ebc2-4e1a-a8c4-c548aba4a650"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-374bea42-06a9-49dd-beb5-8122bccb7186"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-ce6169d0-3325-46a9-9c98-11cf6f780f5e"/> <cybox:Observable idref="mandiant:observable-90fae1d7-2cc6-4f4e-b471-2b9dea012c1a"/> <cybox:Observable idref="mandiant:observable-7f004670-d978-4a24-8431-675d2290bdc2"/> <cybox:Observable idref="mandiant:observable-c0f7ed6a-c672-4f95-a00f-71f795282657"/> <cybox:Observable idref="mandiant:observable-af13e5f2-8cf3-45bb-bc87-21d778b4f26a"/> <cybox:Observable idref="mandiant:observable-6350d73a-0cf9-4e3c-a704-5eee07be7256"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-00e49679-afb2-4ea8-8130-3eb2055beefd"> <cybox:Observable_Composition operator="OR"> <cybox:Observable 
idref="mandiant:observable-e4dab820-2e18-4a8b-b8a0-5b1248582917"/> <cybox:Observable idref="mandiant:observable-c1b8c1c7-c06d-4b63-9cd5-d2e7aa87fb21"/> <cybox:Observable idref="mandiant:observable-22057da1-b30a-4599-b4bb-38cf23fbb901"/> <cybox:Observable idref="mandiant:observable-2e42b550-bc10-49d6-a825-f874c6e14c04"/> <cybox:Observable idref="mandiant:observable-72a5ab60-1f47-424d-813b-ae65a758e225"/> <cybox:Observable idref="mandiant:observable-bd8f33e8-6a47-4dcf-896c-5225c02a8bd9"/> <cybox:Observable idref="mandiant:observable-b9b87ccc-5aa2-4554-824d-787a850b7dac"/> <cybox:Observable idref="mandiant:observable-a0bfe4f6-d8df-4d11-876b-08ef669b4553"/> <cybox:Observable idref="mandiant:observable-aa1b340c-5e61-4f8f-9f21-8e87e14fdaaa"/> <cybox:Observable idref="mandiant:observable-5227b863-03a0-40f4-9fd2-8004d33de622"/> <cybox:Observable idref="mandiant:observable-b206336f-db82-4f51-a590-cf497a53eb6d"/> <cybox:Observable idref="mandiant:observable-318ccd10-f142-4ab1-a8b5-93f87f1664fd"/> <cybox:Observable idref="mandiant:observable-67cb8837-c241-494f-a7c4-f10bac886793"/> <cybox:Observable idref="mandiant:observable-b78e17ba-ebb5-448d-8e9e-c120e64f337a"/> <cybox:Observable idref="mandiant:observable-e002b6cf-c28e-402a-b5d0-d4c3e5e69e66"/> <cybox:Observable idref="mandiant:observable-4ac95aef-22ec-493e-a823-83507bc603e1"/> <cybox:Observable idref="mandiant:observable-a8d538dd-06c7-4a41-8b60-cad319d1ca2b"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable>
<!-- AND of two referenced observables plus an OR of three. The OpenIOC Comments label this
     branch as detection of a VMProtect-packed variant. -->
<cybox:Observable id="mandiant:observable-8bfa6e91-8f6a-4c87-b018-a5638f44adb8"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-5d888420-4bb5-4529-a187-d3413ffb84a4"/> <cybox:Observable idref="mandiant:observable-7b9f4be6-3c98-4e31-bcc8-f7ebaaa7d949"/> <cybox:Observable id="mandiant:observable-5c991aec-3e5f-469a-acd3-898360d7cc47"> <cybox:Observable_Composition operator="OR"> <cybox:Observable 
idref="mandiant:observable-862fa956-62d3-4aaa-a150-b40a1b3cdc01"/> <cybox:Observable idref="mandiant:observable-458b59bf-74af-44cc-9b41-e197cc79bd8a"/> <cybox:Observable idref="mandiant:observable-d02c2fc9-6726-4f1e-97e6-20f07fb0bd03"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable>
<!-- AND of three referenced observables; on the OpenIOC side these test the export DLL name,
     an exported function name and the export count. -->
<cybox:Observable id="mandiant:observable-5a2b9a9f-1577-48e1-96db-a2e48cc3e58d"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-d8b9f7dc-1a88-413e-9968-5091c69c1178"/> <cybox:Observable idref="mandiant:observable-138d69cb-271e-4ba6-b059-352fbdf7efaa"/> <cybox:Observable idref="mandiant:observable-9f4be87c-6055-4c18-8579-9bd9f9d051c4"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable>
<!-- The TTP is referenced by id only; its definition is outside this excerpt. -->
<indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP>
<!-- Original OpenIOC 2010 definition, embedded as this indicator's test mechanism. -->
<indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="7c739d52-c669-4d51-ac15-8ae66305e232" last-modified="2013-02-10T13:00:00"> <short_description>HACKSFASE (FAMILY)</short_description> <description>This family of malware is a backdoor that provides reverse shell, process creation, system statistics collection, process enumeration, and process termination capabilities. This family is designed to be a service DLL and does not contain an installation mechanism. It usually communicates over port 443. 
Some variants use their own encryption, others use SSL.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">HACKSFASE</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Backdoor</link> </links> <definition>
<!-- Top-level OR: any single child satisfies the indicator. Children are 22 exact MD5 tests,
     one string test and three AND groups (05522dcd, 8bfa6e91, 5a2b9a9f).
     The MD5 tests each identify one known sample; a sample that differs by a single byte no
     longer matches, so coverage of other variants rests on the string test and the AND groups. -->
<Indicator operator="OR" id="034a708a-2bb0-45ad-85c5-7505d90ce2a5"> <IndicatorItem id="c377cc91-f48d-4d1a-99bb-656cf3b706d7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1a0c7e61bcc50d57b7bcf9d9af691de5</Content> </IndicatorItem> <IndicatorItem id="15195f31-be5e-4e16-9d30-6f3db6107b28" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a7117612ea6b6fa3307943f5ed21fbb4</Content> </IndicatorItem> <IndicatorItem id="5da94f8b-0a61-4229-9649-031bcc12e942" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">62ea10608f0d54cd284e8d7be32f206e</Content> </IndicatorItem> <IndicatorItem id="aae5b567-4ab7-4fb2-98c8-cf684b2ad9aa" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4749f6336eb86b5fa7029661f88ded20</Content> </IndicatorItem> <IndicatorItem id="27b93d21-246e-4a67-b099-e105dec428c3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">be74bf5afd4ba64cc8ce237307e9254d</Content> </IndicatorItem> <IndicatorItem id="c80c0b77-8f85-444b-8b25-91cb89daaf23" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2b379d5346ffd386c28038630a9b0292</Content> </IndicatorItem> <IndicatorItem id="bba92888-f287-481d-afa9-f41c1f2324d1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0d0240672a314a7547d328f824642da8</Content> </IndicatorItem> <IndicatorItem id="95724da5-c00f-4aa4-98e2-811d28dafe35" 
condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f1eea61e49a3f86e95836d1c9f67e074</Content> </IndicatorItem> <IndicatorItem id="aaad91e6-b2d7-46d8-8e26-afb74292e14b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5790c7c09735cf1ccf10625c7cd87f5e</Content> </IndicatorItem> <IndicatorItem id="75bcbb10-444e-4af6-9ded-45136b5b2199" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">656baf38fa5ee776e2576cead664d004</Content> </IndicatorItem> <IndicatorItem id="ab0ff0cb-b591-4dbc-852d-0b6c023738a6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bcbdef1678049378be04719ed29078d2</Content> </IndicatorItem> <IndicatorItem id="9dbcdf25-be33-4433-9451-cd1594895c2b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e9df2f69ed3d9c895ad9d399eaff1bc8</Content> </IndicatorItem> <IndicatorItem id="17e0c2b6-f87c-4ec9-9535-5e4e084a1659" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0469a42d71b4a55118b9579c8c772bb6</Content> </IndicatorItem> <IndicatorItem id="60ec0c3f-9729-4a8a-b34d-732951737b77" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9e860622fee66074dfe81dcfcc40c4e2</Content> </IndicatorItem> <IndicatorItem id="43633d51-6eea-47f8-bb88-2b612cc8bc1e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9ecf9d5d8872fe55ab120265c3749ffc</Content> </IndicatorItem> <IndicatorItem id="f1d15860-1f3d-4617-8f48-3be336bfa1f6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6c5c5e4049265fffc87973f3e4978b26</Content> </IndicatorItem> <IndicatorItem id="4fd558fc-f3a9-45d0-affe-b0d751327ce8" condition="is"> 
<Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d4c1bfc5cd3e33643a562696d5d29bf2</Content> </IndicatorItem> <IndicatorItem id="5148c205-0c23-4598-b620-0693e63a4c41" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">11d350127ff1e9ecd665c34326475584</Content> </IndicatorItem> <IndicatorItem id="8fd1c9ac-5b0d-4b4a-a421-072021d1b4b2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d8fdd9cfca25315635378dd2564094ca</Content> </IndicatorItem> <IndicatorItem id="ceb7a04d-314f-4436-8b11-9bdfe200e22f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">082cc969b3eb6786e3e951b450b8de0d</Content> </IndicatorItem> <IndicatorItem id="5ee5573c-3833-45b6-a5a5-d52846fd6eaf" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0cf8259502d178a099ab2852e2bddbe1</Content> </IndicatorItem> <IndicatorItem id="2a80e6d7-fa63-446b-82d6-9c45c250326c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">17199ddac616938f383a0339f416c890</Content> </IndicatorItem>
<!-- String test. It sits directly under the top-level OR, so a file whose string list contains
     this value matches with no other condition; treat a hit as a lead to triage, not as a
     confirmed family member. The indicator's CybOX Observable_Composition references no
     observable with this item's id, so CybOX-only consumers do not evaluate it. -->
<IndicatorItem id="08cc4159-4d6f-44c8-8c58-5245f32fe88b" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">!@#%$^#@!</Content> <Comment>encoding string found in most variants of this malware family</Comment> </IndicatorItem>
<!-- AND group 05522dcd: each of its three OR groups (name or PE anomaly, size, PE timestamp)
     needs at least one match.
     OR group 08cf27b3 mixes FileName tests with two DetectedAnomalies tests, so either anomaly
     satisfies the group whatever the file is called; specificity then comes from the size and
     timestamp groups. nwwkc.dll is listed twice (1fa8eb07 and a51199a5), which is redundant
     under OR. The anomaly tests here use condition "is", while the checksum_is_zero test in the
     preceding indicator uses "contains".
     NOTE(review): confirm how the consuming tool treats the two conditions for this field. -->
<Indicator operator="AND" id="05522dcd-36b9-484a-8b03-91af1853bbfd"> <Indicator operator="OR" id="08cf27b3-d5ce-47e0-a43d-1537497b8253"> <IndicatorItem id="d4ec4576-ff12-4456-8ccc-248b18672a4e" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">sap.dll</Content> </IndicatorItem> <IndicatorItem id="cdc827e8-5a3a-42b6-bbad-e8e4489f3616" condition="is"> <Context document="FileItem" 
search="FileItem/FileName" type="mir"/> <Content type="string">nwsap.dll</Content> </IndicatorItem> <IndicatorItem id="46890225-6097-4468-9620-c5572c663a22" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">nwcwks.dll</Content> </IndicatorItem> <IndicatorItem id="b2af7f69-e2b7-479c-a8e9-41f755058158" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">iass.dll</Content> </IndicatorItem> <IndicatorItem id="1fa8eb07-242a-468d-b792-733bdf12a6f3" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">nwwkc.dll</Content> </IndicatorItem> <IndicatorItem id="4aa84fae-cfed-490f-8325-29ce00097afd" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">irmon.dll</Content> </IndicatorItem> <IndicatorItem id="a51199a5-b5ac-4b88-878f-75df9dfe7dc4" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">nwwkc.dll</Content> </IndicatorItem> <IndicatorItem id="617f3e64-5fdd-4ae0-bc06-cbd12ce8f7f0" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">iassvc.dll</Content> </IndicatorItem> <IndicatorItem id="b0f37fe1-4464-4e35-b378-a9ce2965f672" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 91% samples.</Comment> </IndicatorItem> <IndicatorItem id="091bdb12-ebc2-4e1a-a8c4-c548aba4a650" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">contains_eof_data</Content> <Comment>PE Header Anomaly identified in 91% samples.</Comment> </IndicatorItem> </Indicator>
<!-- OR group 374bea42: exact file sizes in bytes (SizeInBytes with condition "is"). -->
<Indicator operator="OR" id="374bea42-06a9-49dd-beb5-8122bccb7186"> 
<IndicatorItem id="ce6169d0-3325-46a9-9c98-11cf6f780f5e" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">173124</Content> </IndicatorItem> <IndicatorItem id="90fae1d7-2cc6-4f4e-b471-2b9dea012c1a" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">217088</Content> </IndicatorItem> <IndicatorItem id="7f004670-d978-4a24-8431-675d2290bdc2" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">217516</Content> </IndicatorItem> <IndicatorItem id="c0f7ed6a-c672-4f95-a00f-71f795282657" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">37092</Content> </IndicatorItem> <IndicatorItem id="af13e5f2-8cf3-45bb-bc87-21d778b4f26a" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">41188</Content> </IndicatorItem> <IndicatorItem id="6350d73a-0cf9-4e3c-a704-5eee07be7256" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">42052</Content> </IndicatorItem> </Indicator>
<!-- OR group 00e49679: exact PE header timestamps (PETimeStamp with condition "is"), 17 values.
     Size and header timestamp are properties a build can change, and in this definition they
     are only used together with the name or anomaly group under the enclosing AND. -->
<Indicator operator="OR" id="00e49679-afb2-4ea8-8130-3eb2055beefd"> <IndicatorItem id="e4dab820-2e18-4a8b-b8a0-5b1248582917" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-11-10T06:36:06Z</Content> </IndicatorItem> <IndicatorItem id="c1b8c1c7-c06d-4b63-9cd5-d2e7aa87fb21" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-11-10T08:29:48Z</Content> </IndicatorItem> <IndicatorItem id="22057da1-b30a-4599-b4bb-38cf23fbb901" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-02-01T02:27:57Z</Content> </IndicatorItem> <IndicatorItem id="2e42b550-bc10-49d6-a825-f874c6e14c04" 
condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-03-13T07:09:49Z</Content> </IndicatorItem> <IndicatorItem id="72a5ab60-1f47-424d-813b-ae65a758e225" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-07-08T13:30:46Z</Content> </IndicatorItem> <IndicatorItem id="bd8f33e8-6a47-4dcf-896c-5225c02a8bd9" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-08-28T02:17:30Z</Content> </IndicatorItem> <IndicatorItem id="b9b87ccc-5aa2-4554-824d-787a850b7dac" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-02-25T07:48:23Z</Content> </IndicatorItem> <IndicatorItem id="a0bfe4f6-d8df-4d11-876b-08ef669b4553" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-09-09T03:19:45Z</Content> </IndicatorItem> <IndicatorItem id="aa1b340c-5e61-4f8f-9f21-8e87e14fdaaa" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-11-10T01:41:49Z</Content> </IndicatorItem> <IndicatorItem id="5227b863-03a0-40f4-9fd2-8004d33de622" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-12-13T09:25:02Z</Content> </IndicatorItem> <IndicatorItem id="b206336f-db82-4f51-a590-cf497a53eb6d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-12-28T02:34:43Z</Content> </IndicatorItem> <IndicatorItem id="318ccd10-f142-4ab1-a8b5-93f87f1664fd" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-01-10T06:58:27Z</Content> </IndicatorItem> <IndicatorItem id="67cb8837-c241-494f-a7c4-f10bac886793" 
condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-03-29T08:07:39Z</Content> </IndicatorItem> <IndicatorItem id="b78e17ba-ebb5-448d-8e9e-c120e64f337a" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-04-08T02:27:33Z</Content> </IndicatorItem> <IndicatorItem id="e002b6cf-c28e-402a-b5d0-d4c3e5e69e66" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-04-20T08:04:20Z</Content> </IndicatorItem> <IndicatorItem id="4ac95aef-22ec-493e-a823-83507bc603e1" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-10-27T07:47:01Z</Content> </IndicatorItem> <IndicatorItem id="a8d538dd-06c7-4a41-8b60-cad319d1ca2b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-02-28T15:35:51Z</Content> </IndicatorItem> </Indicator> </Indicator>
<!-- AND group 8bfa6e91: per the author's Comments this branch targets a VMProtect-packed
     variant. It requires an export name containing ServiceMain, exactly one exported function,
     and a section name containing .vmp0, .vmp1 or .vmp2. It carries no hash, size or timestamp
     test.
     NOTE(review): another DLL with the same section names and a single ServiceMain export
     would presumably satisfy it as well; confirm family attribution by other means. -->
<Indicator operator="AND" id="8bfa6e91-8f6a-4c87-b018-a5638f44adb8"> <IndicatorItem id="5d888420-4bb5-4529-a187-d3413ffb84a4" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">ServiceMain</Content> <Comment>This section is designed to detect a version packed w/ VMProtect</Comment> </IndicatorItem> <IndicatorItem id="7b9f4be6-3c98-4e31-bcc8-f7ebaaa7d949" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/NumberOfFunctions" type="mir"/> <Content type="int">1</Content> <Comment>This section is designed to detect a version packed w/ VMProtect</Comment> </IndicatorItem> <Indicator operator="OR" id="5c991aec-3e5f-469a-acd3-898360d7cc47"> <IndicatorItem id="862fa956-62d3-4aaa-a150-b40a1b3cdc01" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/Sections/Section/Name" 
type="mir"/> <Content type="string">.vmp0</Content> <Comment>This section is designed to detect a version packed w/ VMProtect</Comment> </IndicatorItem> <IndicatorItem id="458b59bf-74af-44cc-9b41-e197cc79bd8a" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/Sections/Section/Name" type="mir"/> <Content type="string">.vmp1</Content> <Comment>This section is designed to detect a version packed w/ VMProtect</Comment> </IndicatorItem> <IndicatorItem id="d02c2fc9-6726-4f1e-97e6-20f07fb0bd03" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/Sections/Section/Name" type="mir"/> <Content type="string">.vmp2</Content> <Comment>This section is designed to detect a version packed w/ VMProtect</Comment> </IndicatorItem> </Indicator> </Indicator>
<!-- AND group 5a2b9a9f: export-table profile. Export DLL name is svcdll.dll, an exported
     function is named ServiceMain, and the export count is exactly 1. -->
<Indicator operator="AND" id="5a2b9a9f-1577-48e1-96db-a2e48cc3e58d"> <IndicatorItem id="d8b9f7dc-1a88-413e-9968-5091c69c1178" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">svcdll.dll</Content> <Comment>recurring export name of malicious dll</Comment> </IndicatorItem> <IndicatorItem id="138d69cb-271e-4ba6-b059-352fbdf7efaa" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">ServiceMain</Content> <Comment>This block detects consistent characteristics of the DLL Exports of this family</Comment> </IndicatorItem> <IndicatorItem id="9f4be87c-6055-4c18-8579-9bd9f9d051c4" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/NumberOfFunctions" type="mir"/> <Content type="int">1</Content> </IndicatorItem> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-edc41062-7e8f-4603-9e62-5f4ec537e9af"> <indicator:Title>SWORD 
(FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> This family of malware provides a backdoor over the network to the attackers. It is configured to connect to a single host and offers file download over HTTP, program execution, and arbitrary execution of commands through a cmd.exe instance. </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-aaff5b41-1bc2-44bd-a983-e7e854200486"/> <cybox:Observable idref="mandiant:observable-460a7ef7-bac5-4457-8dc6-ada51fd21423"/> <cybox:Observable idref="mandiant:observable-e16f0a1c-d951-4e28-9f5b-b82769c8e849"/> <cybox:Observable idref="mandiant:observable-f08b5df1-8bf5-410a-b0e4-e1ddb59ba5d0"/> <cybox:Observable idref="mandiant:observable-df7d4c5f-4284-490a-a305-184b0bc6c36e"/> <cybox:Observable id="mandiant:observable-d2bfb61a-eb29-4b6a-9c35-6c3fd589256d"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-8718bd9c-abab-4fb7-97ae-dedd6a05e1a1"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-f1a53a6b-b07a-42c0-a536-52fc85ea504e"/> <cybox:Observable idref="mandiant:observable-68314bc8-d123-474b-b099-307be8444ebd"/> <cybox:Observable idref="mandiant:observable-45be3930-807e-4944-81cc-056f84180d17"/> <cybox:Observable idref="mandiant:observable-47b65690-b881-434a-aa51-eaef07b2d1d3"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-a64c22d9-bf2a-4212-8a69-165baca4b7e0"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-55ee87cf-467c-45d9-8193-e06417c649da"/> <cybox:Observable idref="mandiant:observable-e4c52af8-1b7a-4445-85f7-27be4bacf0c4"/> <cybox:Observable idref="mandiant:observable-73a5f71c-d892-4314-a09a-f3825878f366"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-512cd592-e79d-4225-ac22-371cd9b10a63"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-4096f69a-e7df-42dd-b074-5a6d8d3bb7d8"/> <cybox:Observable idref="mandiant:observable-fc68080d-e355-4e8a-a364-0fa53212491d"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <!-- NOTE(review): the Observable_Composition above does not reference two IndicatorItems that the OpenIOC definition below carries directly under its top-level OR: d159cc08-73ca-4bbf-9a51-7b8a55197c68 and cfe615b2-b7cf-4ea6-9fd0-2e6da2fb1a98 (both FileItem/StringList/string terms). Matching on the CybOX observables alone therefore misses those string-based detections; treat the OpenIOC Test_Mechanism as the complete definition. Also note that the two ProcessItem/path "contains" terms (f08b5df1-8bf5-410a-b0e4-e1ddb59ba5d0, df7d4c5f-4284-490a-a305-184b0bc6c36e) sit directly under the top-level OR, so a process path substring alone satisfies the indicator; corroborate such hits with the hash or PE terms before escalating. --> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="7d2eaadf-a5ff-4199-996e-af6258874dad" last-modified="2013-02-10T13:00:00"> <short_description>SWORD (FAMILY)</short_description> <description>This family of malware provides a backdoor over the network to the attackers. It is configured to connect to a single host and offers file download over HTTP, program execution, and arbitrary execution of commands through a cmd.exe instance.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">SWORD</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Backdoor</link> </links> <definition> <Indicator operator="OR" id="edc41062-7e8f-4603-9e62-5f4ec537e9af"> <IndicatorItem id="aaff5b41-1bc2-44bd-a983-e7e854200486" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bea12b37cc1c301d49875595e85b22c7</Content> </IndicatorItem> <IndicatorItem id="460a7ef7-bac5-4457-8dc6-ada51fd21423" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">38c4cc6cdb6d6af2ab7f4308004b78a3</Content> </IndicatorItem> <IndicatorItem id="e16f0a1c-d951-4e28-9f5b-b82769c8e849" condition="is"> <Context document="FileItem" 
search="FileItem/Md5sum" type="mir"/> <Content type="md5">052f5da1734464a985dcd669bff62f93</Content> </IndicatorItem> <IndicatorItem id="f08b5df1-8bf5-410a-b0e4-e1ddb59ba5d0" condition="contains"> <Context document="ProcessItem" search="ProcessItem/path" type="mir"/> <Content type="string">lssavp.exe</Content> <Comment>running process created by this malware</Comment> </IndicatorItem> <IndicatorItem id="df7d4c5f-4284-490a-a305-184b0bc6c36e" condition="contains"> <Context document="ProcessItem" search="ProcessItem/path" type="mir"/> <Content type="string">suicide.exe</Content> <Comment>running process created by this malware</Comment> </IndicatorItem> <IndicatorItem id="d159cc08-73ca-4bbf-9a51-7b8a55197c68" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">thequickbrownfxjmpsvalzydg</Content> <Comment>encoding string found in this family of malware</Comment> </IndicatorItem> <IndicatorItem id="cfe615b2-b7cf-4ea6-9fd0-2e6da2fb1a98" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">@***@*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@</Content> <Comment>encoding string found in this family of malware</Comment> </IndicatorItem> <Indicator operator="AND" id="d2bfb61a-eb29-4b6a-9c35-6c3fd589256d"> <Indicator operator="OR" id="8718bd9c-abab-4fb7-97ae-dedd6a05e1a1"> <IndicatorItem id="f1a53a6b-b07a-42c0-a536-52fc85ea504e" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">suicide.exe</Content> </IndicatorItem> <IndicatorItem id="68314bc8-d123-474b-b099-307be8444ebd" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">Lssavp.exe</Content> </IndicatorItem> <IndicatorItem id="45be3930-807e-4944-81cc-056f84180d17" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> 
<Content type="string">contains_eof_data</Content> <Comment>PE Header Anomaly identified in 67% samples.</Comment> </IndicatorItem> <IndicatorItem id="47b65690-b881-434a-aa51-eaef07b2d1d3" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="a64c22d9-bf2a-4212-8a69-165baca4b7e0"> <IndicatorItem id="55ee87cf-467c-45d9-8193-e06417c649da" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">45056</Content> </IndicatorItem> <IndicatorItem id="e4c52af8-1b7a-4445-85f7-27be4bacf0c4" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">45060</Content> </IndicatorItem> <IndicatorItem id="73a5f71c-d892-4314-a09a-f3825878f366" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">45065</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="512cd592-e79d-4225-ac22-371cd9b10a63"> <IndicatorItem id="4096f69a-e7df-42dd-b074-5a6d8d3bb7d8" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-03-24T13:16:00Z</Content> </IndicatorItem> <IndicatorItem id="fc68080d-e355-4e8a-a364-0fa53212491d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-04-16T09:35:24Z</Content> </IndicatorItem> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-f96c7900-0cf5-4199-b314-860a1cdc008e"> <indicator:Title>WEBC2-RAVE (FAMILY)</indicator:Title> <indicator:Type 
vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware will set itself up as a service and connect out to a hardcoded web page and read a modified base64 string from this webpage. The later versions of this malware supports three commands (earlier ones are just downloaders or reverse shells). The first commands will sleep the malware for N number of hours. The second command will download a binary from the encoded HTML comment and execute it on the infected host. The third will spawn an encoded reverse shell to an attacker specified location and port. </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-c1add49c-34fa-45bc-8cba-3bb3b6b94d36"/> <cybox:Observable idref="mandiant:observable-4de1e7fa-5a91-48c3-83bb-3ad3df36f9a8"/> <cybox:Observable idref="mandiant:observable-16d2c8e0-8743-47d9-b0ff-11334904bc98"/> <cybox:Observable idref="mandiant:observable-48884b2b-ad30-4db8-8f3c-581f22d62b90"/> <cybox:Observable idref="mandiant:observable-8232c084-291c-4708-8621-630359641277"/> <cybox:Observable idref="mandiant:observable-182b86fb-ffec-4448-816f-e25e0ba3e927"/> <cybox:Observable idref="mandiant:observable-1ecb09bf-e519-408d-a92a-4bec3ef167b1"/> <cybox:Observable idref="mandiant:observable-469d5a32-a749-4e77-801f-28c5fe0f0121"/> <cybox:Observable idref="mandiant:observable-fd7d9f58-aa4a-4fa0-bbd5-6ed59aa9a8ab"/> <cybox:Observable idref="mandiant:observable-22eec523-087c-4b59-902c-b2a5f1df45f0"/> <cybox:Observable idref="mandiant:observable-677903f5-6e57-4b39-b290-151ba6e64fed"/> <cybox:Observable idref="mandiant:observable-1e1b5109-1c26-47f3-b27f-e3da4d1bf5dd"/> <cybox:Observable 
idref="mandiant:observable-67dc9478-25b9-44eb-bb64-e7849b9eea43"/> <cybox:Observable idref="mandiant:observable-69efd08f-e2f8-4cad-8cf8-d223be8ccdd9"/> <cybox:Observable idref="mandiant:observable-f6040ecd-84ef-4406-9997-0ffdfc6532e1"/> <cybox:Observable idref="mandiant:observable-05f84536-25ed-4200-bc4e-85854a2520bf"/> <cybox:Observable idref="mandiant:observable-99592600-6255-43e4-bdca-68c6e8d1d0fe"/> <cybox:Observable idref="mandiant:observable-0a172ac5-81f9-4e74-b7fc-e8fd3b156ff6"/> <cybox:Observable idref="mandiant:observable-5f3ca7cf-f431-4d67-874d-ce0429742120"/> <cybox:Observable idref="mandiant:observable-4753ad6e-f925-4d00-8b8a-93cd9a793961"/> <cybox:Observable idref="mandiant:observable-16ff8b63-7417-4ad3-af39-f5fc3293a81a"/> <cybox:Observable idref="mandiant:observable-1e515fc4-5298-4835-ac93-ccc29f70c273"/> <cybox:Observable idref="mandiant:observable-a96fc990-5cbf-4655-8119-ae542b9eb1a6"/> <cybox:Observable idref="mandiant:observable-6ecaf030-ef79-4a73-9176-cf8add0928ae"/> <cybox:Observable idref="mandiant:observable-c89cc114-47b9-4900-bde2-eed6e36fb1b0"/> <cybox:Observable idref="mandiant:observable-4e70e655-7d8b-47e3-87b2-2b78e4d24e4c"/> <cybox:Observable id="mandiant:observable-360d69d5-6897-4007-8345-e954ad37bbb0"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-ce8a4b65-765f-405d-b9f1-806e326de58b"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-33b87f92-bfe4-4cbc-a278-9f23b62c7872"/> <cybox:Observable idref="mandiant:observable-d7e3e563-91f7-4e47-bffc-41ed83c6dcf5"/> <cybox:Observable idref="mandiant:observable-8711b161-c87c-49ef-95e3-6e911e29df38"/> <cybox:Observable idref="mandiant:observable-a5a39c19-de7c-4537-b28e-eecb16ad5a69"/> <cybox:Observable idref="mandiant:observable-3fb9550e-647e-4470-844d-d3e4afbdfac4"/> <cybox:Observable idref="mandiant:observable-0f962e45-4e79-453d-b246-9d88c2e3ba3a"/> <cybox:Observable 
idref="mandiant:observable-9be9c7e6-ef4b-4098-a644-a81f62a47a68"/> <cybox:Observable idref="mandiant:observable-449d46a7-a9bb-4732-ba06-e10eaa0bc64d"/> <cybox:Observable idref="mandiant:observable-01d37248-c597-4266-95e1-6aabc1f7c1c9"/> <cybox:Observable idref="mandiant:observable-11e35c8c-ef8c-4000-b312-040c3e20d217"/> <cybox:Observable idref="mandiant:observable-f58b9ef8-d1e4-4c30-a610-cde6f2ee64c0"/> <cybox:Observable idref="mandiant:observable-f3768548-3229-44e3-9d18-5db1c1644dc7"/> <cybox:Observable idref="mandiant:observable-8ba28033-24e9-4b18-868a-0e239729c5ed"/> <cybox:Observable idref="mandiant:observable-9fed2d7d-2f5d-491f-b5ce-0183a298a3a2"/> <cybox:Observable idref="mandiant:observable-6522aad9-947b-4f63-a2be-20d0d0f26a9d"/> <cybox:Observable idref="mandiant:observable-bfdf0133-a503-4d67-be46-2cfb4be9f305"/> <cybox:Observable idref="mandiant:observable-7927d9ba-06fd-4a77-b3a7-cb3038d6afb5"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-6f22129d-f752-4e6a-a293-dacb2d9d5eac"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-87b67e2a-ca0d-481f-b39e-1837ed188a57"/> <cybox:Observable idref="mandiant:observable-b9322946-8901-4d77-a1be-e466fd6601a4"/> <cybox:Observable idref="mandiant:observable-cb8c47c3-6fe5-49e3-b6c6-2d51ee247717"/> <cybox:Observable idref="mandiant:observable-c348c561-9c3f-49b9-9808-a170c48e5461"/> <cybox:Observable idref="mandiant:observable-36cfc9da-bf4f-4c12-bfef-2f840b50730e"/> <cybox:Observable idref="mandiant:observable-4fdee7b7-190e-4198-a3a7-bd46c5b2dfe5"/> <cybox:Observable idref="mandiant:observable-55820c9e-d099-4e0f-abe7-79d4d5e29ea8"/> <cybox:Observable idref="mandiant:observable-c5173eec-a8ad-4064-9ebf-8d8991e2eb60"/> <cybox:Observable idref="mandiant:observable-dfb7e07f-0306-4ec0-91be-26410393f1b4"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-e67f0d37-6dbd-4e50-aa1d-eb74f5702e8c"> 
<cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-2eedbeb8-e2cc-4cd4-9dfa-ef29128b1f76"/> <cybox:Observable idref="mandiant:observable-51c7acd6-9d75-4ed4-a439-48c08b52b930"/> <cybox:Observable idref="mandiant:observable-86ce12af-1d2c-4de8-b488-aa1dcd582817"/> <cybox:Observable idref="mandiant:observable-7805a253-7812-4d78-baee-3f397ecb4ffd"/> <cybox:Observable idref="mandiant:observable-79829e8c-e486-4988-8985-72798b068a19"/> <cybox:Observable idref="mandiant:observable-9e3edd07-bc07-4e7b-a5f2-df985855a0ca"/> <cybox:Observable idref="mandiant:observable-b5a279f6-2539-41c7-97c0-c95e4072b099"/> <cybox:Observable idref="mandiant:observable-593686f2-abdd-4550-8c5c-564b1393afaa"/> <cybox:Observable idref="mandiant:observable-8147833c-a9c1-405a-b127-02d64bd9b75b"/> <cybox:Observable idref="mandiant:observable-47c27957-4181-4db6-a75e-bfaa93aa1e32"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-fe742a39-dcf4-448b-921f-ec6201252ffd"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-8efe257a-6b96-4e36-8729-1f3694c81b9c"/> <cybox:Observable id="mandiant:observable-01cedd3a-096e-4744-b0ef-746da37e2c45"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-fea984ed-f114-4ab0-aa3f-242eedd4e9fc"/> <cybox:Observable idref="mandiant:observable-fde7acb4-88a3-46ee-a098-ead6ed6e3907"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-ca140995-5fd9-42f4-b4e5-969526867613"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-1c56079b-e20c-4bb0-a4aa-983bad429b05"/> <cybox:Observable idref="mandiant:observable-ff1d640b-7855-4b82-8d5f-a3a40aba300d"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> 
</indicator:Observable> <indicator:Indicated_TTP> <!-- References WEBC2 TTP rather than main APT1 TTP --> <stixCommon:TTP idref="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411"/> </indicator:Indicated_TTP> <!-- NOTE(review): observable fe742a39-dcf4-448b-921f-ec6201252ffd above combines only the ServiceItem/description term (8efe257a-6b96-4e36-8729-1f3694c81b9c) with the ServiceItem/name group (01cedd3a-096e-4744-b0ef-746da37e2c45). The OpenIOC definition below additionally requires the ServiceItem/descriptiveName group b0154d79-9d79-4483-97c3-c3df885bc79d inside the same AND, so the CybOX form matches more broadly than the OpenIOC test. Use the OpenIOC Test_Mechanism when the stricter match is needed. --> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="7f9a6986-f00a-4071-99d3-484c9158beba" last-modified="2013-02-10T13:00:00"> <short_description>WEBC2-RAVE (FAMILY)</short_description> <description>A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware will set itself up as a service and connect out to a hardcoded web page and read a modified base64 string from this webpage. The later versions of this malware supports three commands (earlier ones are just downloaders or reverse shells). The first commands will sleep the malware for N number of hours. The second command will download a binary from the encoded HTML comment and execute it on the infected host. 
The third will spawn an encoded reverse shell to an attacker specified location and port.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">WEBC2-RAVE</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Backdoor</link> </links> <definition> <Indicator operator="OR" id="f96c7900-0cf5-4199-b314-860a1cdc008e"> <IndicatorItem id="c1add49c-34fa-45bc-8cba-3bb3b6b94d36" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3fc26910f9c31bd9ba3ccb09132d9ca3</Content> </IndicatorItem> <IndicatorItem id="4de1e7fa-5a91-48c3-83bb-3ad3df36f9a8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f81991fab3b7d58d66629e26d21176ed</Content> </IndicatorItem> <IndicatorItem id="16d2c8e0-8743-47d9-b0ff-11334904bc98" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2198fea94bb79b001fcfd3e03b269001</Content> </IndicatorItem> <IndicatorItem id="48884b2b-ad30-4db8-8f3c-581f22d62b90" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">dba356a4726b94731e6ea97aa73cfc3f</Content> </IndicatorItem> <IndicatorItem id="8232c084-291c-4708-8621-630359641277" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a44312eb63de002383a57b5a93271cdc</Content> </IndicatorItem> <IndicatorItem id="182b86fb-ffec-4448-816f-e25e0ba3e927" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9f11bc08af048c5c3a110e567082fe0b</Content> </IndicatorItem> <IndicatorItem id="1ecb09bf-e519-408d-a92a-4bec3ef167b1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ef349196b0ffef5a02d30413c8dffc7c</Content> </IndicatorItem> <IndicatorItem 
id="469d5a32-a749-4e77-801f-28c5fe0f0121" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">76c1b246703a10cb6e71a3e5b7b55b24</Content> </IndicatorItem> <IndicatorItem id="fd7d9f58-aa4a-4fa0-bbd5-6ed59aa9a8ab" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">dc1cff84900afc9d292b305f9b9aae34</Content> </IndicatorItem> <IndicatorItem id="22eec523-087c-4b59-902c-b2a5f1df45f0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bdd2ad4c0e1e5667d117810ae9e36c4b</Content> </IndicatorItem> <IndicatorItem id="677903f5-6e57-4b39-b290-151ba6e64fed" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">277f95bff2e0fe317f86b5010bd83a18</Content> </IndicatorItem> <IndicatorItem id="1e1b5109-1c26-47f3-b27f-e3da4d1bf5dd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1aea4d24f3bd2c51288ad643fc66e0d2</Content> </IndicatorItem> <IndicatorItem id="67dc9478-25b9-44eb-bb64-e7849b9eea43" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d197c388184fef263b7944a7186bc6db</Content> </IndicatorItem> <IndicatorItem id="69efd08f-e2f8-4cad-8cf8-d223be8ccdd9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">129c6cd9d2aa895cf6fa137fa1d3a188</Content> </IndicatorItem> <IndicatorItem id="f6040ecd-84ef-4406-9997-0ffdfc6532e1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c8d2b7f92fff545b3b19e9b1e1057071</Content> </IndicatorItem> <IndicatorItem id="05f84536-25ed-4200-bc4e-85854a2520bf" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5bcaa2f4bc7567f6ffd5507a161e221a</Content> </IndicatorItem> <IndicatorItem 
id="99592600-6255-43e4-bdca-68c6e8d1d0fe" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">438983192903f3fecf77500a39459ee6</Content> </IndicatorItem> <IndicatorItem id="0a172ac5-81f9-4e74-b7fc-e8fd3b156ff6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">59620925bf1c4f760c4bf225c7efd6c0</Content> </IndicatorItem> <IndicatorItem id="5f3ca7cf-f431-4d67-874d-ce0429742120" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bca9bd0abbb31a422458abf521a6a2fb</Content> </IndicatorItem> <IndicatorItem id="4753ad6e-f925-4d00-8b8a-93cd9a793961" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">db5805604f84b7303fa04feb18ce8271</Content> </IndicatorItem> <IndicatorItem id="16ff8b63-7417-4ad3-af39-f5fc3293a81a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0e84132e5ad04351b644b8d8743fc4d3</Content> </IndicatorItem> <IndicatorItem id="1e515fc4-5298-4835-ac93-ccc29f70c273" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a2534e9b7e4146368ea3245381830eb0</Content> </IndicatorItem> <IndicatorItem id="a96fc990-5cbf-4655-8119-ae542b9eb1a6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">04f481d6710ac5d68d0eacac2600a041</Content> </IndicatorItem> <IndicatorItem id="6ecaf030-ef79-4a73-9176-cf8add0928ae" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bf0ee4367ea32f8e3b911c304258e439</Content> </IndicatorItem> <IndicatorItem id="c89cc114-47b9-4900-bde2-eed6e36fb1b0" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">services\devfs</Content> <Comment>registry entries created by some 
variants</Comment> </IndicatorItem> <IndicatorItem id="4e70e655-7d8b-47e3-87b2-2b78e4d24e4c" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">services\oseasv</Content> <Comment>registry entries created by some variants</Comment> </IndicatorItem> <Indicator operator="AND" id="360d69d5-6897-4007-8345-e954ad37bbb0"> <Indicator operator="OR" id="ce8a4b65-765f-405d-b9f1-806e326de58b"> <IndicatorItem id="33b87f92-bfe4-4cbc-a278-9f23b62c7872" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">sacard.exe</Content> </IndicatorItem> <IndicatorItem id="d7e3e563-91f7-4e47-bffc-41ed83c6dcf5" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">mci.jpg</Content> </IndicatorItem> <IndicatorItem id="8711b161-c87c-49ef-95e3-6e911e29df38" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">dfhost.exe</Content> </IndicatorItem> <IndicatorItem id="a5a39c19-de7c-4537-b28e-eecb16ad5a69" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">wmicide.exe</Content> </IndicatorItem> <IndicatorItem id="3fb9550e-647e-4470-844d-d3e4afbdfac4" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">wmiprvse.exe</Content> </IndicatorItem> <IndicatorItem id="0f962e45-4e79-453d-b246-9d88c2e3ba3a" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">listen.exe</Content> </IndicatorItem> <IndicatorItem id="9be9c7e6-ef4b-4098-a644-a81f62a47a68" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">oobewmiprvse.exe</Content> </IndicatorItem> <IndicatorItem id="449d46a7-a9bb-4732-ba06-e10eaa0bc64d" condition="is"> <Context document="FileItem" 
search="FileItem/FileName" type="mir"/> <Content type="string">a.exe</Content> </IndicatorItem> <IndicatorItem id="01d37248-c597-4266-95e1-6aabc1f7c1c9" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">msctcwmiprvse.exe</Content> </IndicatorItem> <IndicatorItem id="11e35c8c-ef8c-4000-b312-040c3e20d217" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">winsrv.exe</Content> </IndicatorItem> <IndicatorItem id="f58b9ef8-d1e4-4c30-a610-cde6f2ee64c0" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">adress.jpg</Content> </IndicatorItem> <IndicatorItem id="f3768548-3229-44e3-9d18-5db1c1644dc7" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">adress2.jpg</Content> </IndicatorItem> <IndicatorItem id="8ba28033-24e9-4b18-868a-0e239729c5ed" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">abc.gif</Content> </IndicatorItem> <IndicatorItem id="9fed2d7d-2f5d-491f-b5ce-0183a298a3a2" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">devfs.exe</Content> </IndicatorItem> <IndicatorItem id="6522aad9-947b-4f63-a2be-20d0d0f26a9d" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">cft.exe</Content> </IndicatorItem> <IndicatorItem id="bfdf0133-a503-4d67-be46-2cfb4be9f305" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">contains_eof_data</Content> <Comment>PE Header Anomaly identified in 12% samples.</Comment> </IndicatorItem> <IndicatorItem id="7927d9ba-06fd-4a77-b3a7-cb3038d6afb5" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content 
type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="6f22129d-f752-4e6a-a293-dacb2d9d5eac"> <IndicatorItem id="87b67e2a-ca0d-481f-b39e-1837ed188a57" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">11264</Content> </IndicatorItem> <IndicatorItem id="b9322946-8901-4d77-a1be-e466fd6601a4" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">13824</Content> </IndicatorItem> <IndicatorItem id="cb8c47c3-6fe5-49e3-b6c6-2d51ee247717" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">13825</Content> </IndicatorItem> <IndicatorItem id="c348c561-9c3f-49b9-9808-a170c48e5461" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">15872</Content> </IndicatorItem> <IndicatorItem id="36cfc9da-bf4f-4c12-bfef-2f840b50730e" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">15873</Content> </IndicatorItem> <IndicatorItem id="4fdee7b7-190e-4198-a3a7-bd46c5b2dfe5" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">16384</Content> </IndicatorItem> <IndicatorItem id="55820c9e-d099-4e0f-abe7-79d4d5e29ea8" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">8704</Content> </IndicatorItem> <IndicatorItem id="c5173eec-a8ad-4064-9ebf-8d8991e2eb60" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">9216</Content> </IndicatorItem> <IndicatorItem id="dfb7e07f-0306-4ec0-91be-26410393f1b4" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">9728</Content> </IndicatorItem> </Indicator> 
<Indicator operator="OR" id="e67f0d37-6dbd-4e50-aa1d-eb74f5702e8c"> <IndicatorItem id="2eedbeb8-e2cc-4cd4-9dfa-ef29128b1f76" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-07-02T07:45:46Z</Content> </IndicatorItem> <IndicatorItem id="51c7acd6-9d75-4ed4-a439-48c08b52b930" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-10-27T07:23:52Z</Content> </IndicatorItem> <IndicatorItem id="86ce12af-1d2c-4de8-b488-aa1dcd582817" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-11-11T06:33:02Z</Content> </IndicatorItem> <IndicatorItem id="7805a253-7812-4d78-baee-3f397ecb4ffd" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-06-29T00:31:41Z</Content> </IndicatorItem> <IndicatorItem id="79829e8c-e486-4988-8985-72798b068a19" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-08-04T02:47:55Z</Content> </IndicatorItem> <IndicatorItem id="9e3edd07-bc07-4e7b-a5f2-df985855a0ca" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-09-19T08:33:34Z</Content> </IndicatorItem> <IndicatorItem id="b5a279f6-2539-41c7-97c0-c95e4072b099" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-09-19T08:34:11Z</Content> </IndicatorItem> <IndicatorItem id="593686f2-abdd-4550-8c5c-564b1393afaa" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-12-06T00:38:26Z</Content> </IndicatorItem> <IndicatorItem id="8147833c-a9c1-405a-b127-02d64bd9b75b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content 
type="date">2011-04-21T16:30:21Z</Content> </IndicatorItem> <IndicatorItem id="47c27957-4181-4db6-a75e-bfaa93aa1e32" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-02-28T11:48:43Z</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="fe742a39-dcf4-448b-921f-ec6201252ffd"> <IndicatorItem id="8efe257a-6b96-4e36-8729-1f3694c81b9c" condition="contains"> <Context document="ServiceItem" search="ServiceItem/description" type="mir"/> <Content type="string">Saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports.</Content> <Comment>service information set up by some variants of this malware</Comment> </IndicatorItem> <Indicator operator="OR" id="b0154d79-9d79-4483-97c3-c3df885bc79d"> <IndicatorItem id="9ac41220-f3fd-4f72-8262-6277dec37103" condition="contains"> <Context document="ServiceItem" search="ServiceItem/descriptiveName" type="mir"/> <Content type="string">Device File System</Content> </IndicatorItem> <IndicatorItem id="53d3278c-fdb4-4b02-b274-d3c101bb88b5" condition="contains"> <Context document="ServiceItem" search="ServiceItem/descriptiveName" type="mir"/> <Content type="string">Office Engine Service</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="01cedd3a-096e-4744-b0ef-746da37e2c45"> <IndicatorItem id="fea984ed-f114-4ab0-aa3f-242eedd4e9fc" condition="contains"> <Context document="ServiceItem" search="ServiceItem/name" type="mir"/> <Content type="string">DevFS</Content> </IndicatorItem> <IndicatorItem id="fde7acb4-88a3-46ee-a098-ead6ed6e3907" condition="contains"> <Context document="ServiceItem" search="ServiceItem/name" type="mir"/> <Content type="string">OSEASV</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="ca140995-5fd9-42f4-b4e5-969526867613"> <IndicatorItem id="1c56079b-e20c-4bb0-a4aa-983bad429b05" condition="contains"> 
<Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">\services\devfs\dependondevice</Content> <Comment>registry entries created by some variants</Comment> </IndicatorItem> <IndicatorItem id="ff1d640b-7855-4b82-8d5f-a3a40aba300d" condition="is"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">plugplay</Content> </IndicatorItem> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <!-- WEBC2-HEAD family indicator. The detection logic appears twice: as a CybOX Observable_Composition and as the embedded OpenIOC 2010 definition under Test_Mechanisms. Each mandiant:observable-UUID below reuses the UUID of the matching OpenIOC IndicatorItem or Indicator, so the two trees can be cross-checked by id. The file header describes the CybOX conversion as lossy, so the OpenIOC definition is the safer reference when the two differ. --><stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-71a95442-f246-4c8c-8c4d-d24107401974"> <indicator:Title>WEBC2-HEAD (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-HEAD variant communicates over HTTPS, using the system's SSL implementation to encrypt all communications with the C2 server. WEBC2-HEAD first issues an HTTP GET to the host, sending the Base64-encoded string containing the name of the compromised machine running the malware. 
</indicator:Description> <indicator:Observable> <!-- Top-level operator is OR: any one of the observables listed here is enough to match. The idref targets are not defined in this section of the package. --><cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-89d01fdf-5347-4deb-973a-6014be53b868"/> <cybox:Observable idref="mandiant:observable-10ceb470-6f01-4b8a-944c-664851ad8c59"/> <cybox:Observable idref="mandiant:observable-63e0fc42-2bd4-47ed-8ec0-1806f476a424"/> <cybox:Observable idref="mandiant:observable-783c9b4c-e04e-4ee3-a5a3-18222996ee84"/> <cybox:Observable idref="mandiant:observable-97d31203-6d5a-4568-bf5b-495775b1c5f4"/> <cybox:Observable idref="mandiant:observable-9ab5d4a3-8172-41f6-ad34-b27086d2fc68"/> <cybox:Observable idref="mandiant:observable-2e19ed14-e88a-4beb-a45f-64f590d81fa8"/> <cybox:Observable idref="mandiant:observable-07cb9185-063f-430d-b0df-029e31f502bd"/> <cybox:Observable idref="mandiant:observable-4bae2960-7c8a-4d85-91c5-328e6695b792"/> <cybox:Observable idref="mandiant:observable-8ec00ab0-0761-476c-8b7b-e44777b2739d"/> <cybox:Observable idref="mandiant:observable-9f60046a-bba4-47f4-8d4c-c2b24ad0e510"/> <cybox:Observable idref="mandiant:observable-83dd19a8-795b-4267-ad35-a4e542c1a1d2"/> <cybox:Observable idref="mandiant:observable-5c763b02-2f45-49db-ae6d-df878f9ded97"/> <cybox:Observable idref="mandiant:observable-4db95248-85fc-4ae2-b82a-02a9964f643c"/> <cybox:Observable idref="mandiant:observable-a11bf49f-f485-4245-bd66-ce583d298dd0"/> <cybox:Observable idref="mandiant:observable-68c9dc95-3c0e-4b9e-b2e4-34b39b9558e3"/> <cybox:Observable idref="mandiant:observable-8f0226db-5e50-479b-bdd2-ed876a7eb536"/> <cybox:Observable idref="mandiant:observable-4e76fc0c-f5b8-4982-b42d-2cdacc6ef105"/> <cybox:Observable idref="mandiant:observable-3916d662-12e4-4e08-9c68-e3567d2882be"/> <cybox:Observable idref="mandiant:observable-bad6d471-29bc-4b8a-aacb-7ade3253a3f6"/> <cybox:Observable idref="mandiant:observable-a31ddb74-c0f2-4aa7-8d58-ab3957f92f61"/> <cybox:Observable idref="mandiant:observable-75598d7a-afd2-4f32-9768-5cb702bf51da"/> <cybox:Observable 
idref="mandiant:observable-3f922f45-81f4-4444-b308-3e0d933ff987"/> <cybox:Observable idref="mandiant:observable-8e172d1f-6059-4d66-b43b-2c1098394b11"/> <cybox:Observable idref="mandiant:observable-abf69db6-2486-42b2-b4cb-7dd045066953"/> <cybox:Observable idref="mandiant:observable-47074f5c-f25c-4c94-9285-7dd8354bce19"/> <cybox:Observable idref="mandiant:observable-1c0b8e7e-6839-47ad-a247-a55dbefb0ab0"/> <cybox:Observable idref="mandiant:observable-7d032780-5f9c-4a92-958e-b1bfc6eca02d"/> <cybox:Observable idref="mandiant:observable-6655c7f5-b472-4c7d-bad2-548cf4fa9ec6"/> <cybox:Observable idref="mandiant:observable-b7db2c18-a757-4e3c-8678-e0703beaf468"/> <cybox:Observable idref="mandiant:observable-08dd7a96-cfee-4761-94df-5a8c205819de"/> <cybox:Observable idref="mandiant:observable-6f2e80e6-7915-423f-8d00-266c3d2d955c"/> <cybox:Observable idref="mandiant:observable-7ebbcc68-a66e-4aa5-b4f5-3c764964f189"/> <!-- Inline AND group: one observable from each of the three OR sub-groups that follow must match together. --><cybox:Observable id="mandiant:observable-7135ed2a-ba81-4cda-8397-f4de667e2f4d"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-0dfdcb53-cd8f-4dd8-b43d-6d1732d44416"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-2a53eb16-147e-44d9-b05d-1639874fd1c5"/> <cybox:Observable idref="mandiant:observable-4743d2c9-bb76-4e66-89fe-ee191ba344cb"/> <cybox:Observable idref="mandiant:observable-9e5cc91d-3f93-49aa-8c5a-4f1587e44fc2"/> <cybox:Observable idref="mandiant:observable-ee4a1db8-b481-4917-a571-dd42f67ce452"/> <cybox:Observable idref="mandiant:observable-7c0bc200-db6e-4f2a-b5a5-05f8f4af74bf"/> <cybox:Observable idref="mandiant:observable-9346ec75-3e2d-46ae-8ddb-d0cc07000d62"/> <cybox:Observable idref="mandiant:observable-66e24ed6-8651-407c-9cce-84eed875b4f2"/> <cybox:Observable idref="mandiant:observable-8a3d2388-fb2a-4729-a558-887cd499d01a"/> <cybox:Observable idref="mandiant:observable-d4e37669-26a0-434c-92db-136716a6ff35"/> <cybox:Observable 
idref="mandiant:observable-91bab107-f338-4ddf-a27f-30a4c312a6a9"/> <cybox:Observable idref="mandiant:observable-d019f76e-8ad0-446c-b9e2-55e8009541fd"/> <cybox:Observable idref="mandiant:observable-35ee3e81-018b-4f20-b6c6-cd1d87fc2bc9"/> <cybox:Observable idref="mandiant:observable-fe35e708-0ad7-4265-9cfa-1c1a95dfff46"/> <cybox:Observable idref="mandiant:observable-6dc2762a-2537-43f6-82e0-83aa2c5d4f3b"/> <cybox:Observable idref="mandiant:observable-c54ed757-c625-4793-85f9-cd252d27766a"/> <cybox:Observable idref="mandiant:observable-64b68c63-4e0f-4554-b2dd-80c69bdadee9"/> <cybox:Observable idref="mandiant:observable-2a176b0e-a5ff-4ddb-b71d-409ae64f6421"/> <cybox:Observable idref="mandiant:observable-9af90e26-5f6d-4d28-999b-1ac2e0070daf"/> <cybox:Observable idref="mandiant:observable-9ef8f35e-126b-4a82-9363-18a6c58f7a1c"/> <cybox:Observable idref="mandiant:observable-2f405b26-4ed9-42bb-b2df-0b2f72f84e0a"/> <cybox:Observable idref="mandiant:observable-520dcdaa-d471-4e30-9357-9f2a2de998b1"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-6eb0cbbc-bfee-4105-b0b9-8e8328cc99d4"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-4235e966-ca89-4152-bad5-3ccda3d91b7b"/> <cybox:Observable idref="mandiant:observable-98450866-adce-4de0-a983-9da010d69773"/> <cybox:Observable idref="mandiant:observable-4fad1b1f-da0f-4fa2-862f-0914d1acda36"/> <cybox:Observable idref="mandiant:observable-9321d1b2-d7d7-4280-82cb-8f509f08061f"/> <cybox:Observable idref="mandiant:observable-3e0d5906-dc92-44ff-83c1-a3b5d36a5a23"/> <cybox:Observable idref="mandiant:observable-c88f9908-09d9-4edf-88a1-d145a58dbfce"/> <cybox:Observable idref="mandiant:observable-2086c397-aeb8-49e3-801c-c6cd8f2dffe1"/> <cybox:Observable idref="mandiant:observable-ac23a385-168a-4417-866f-6f77bcf54c17"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-5ff7cc2d-036c-4f60-8d4c-089330f887a5"> 
<cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-fffcef61-8d62-4087-9547-1646798e6795"/> <cybox:Observable idref="mandiant:observable-1da4e5e4-add0-4a14-b068-9226010ba200"/> <cybox:Observable idref="mandiant:observable-89a1de8b-8909-40cd-9550-40fede1c34d2"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <!-- Inline AND group: all twelve referenced observables must match together. --><cybox:Observable id="mandiant:observable-2caec9c2-5fda-47ef-af1d-b41b8f88a47e"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-b9821754-15c1-4c1f-ad2e-03b6afb37dad"/> <cybox:Observable idref="mandiant:observable-5dded4ed-ee4e-4a14-96e2-c6d88765f6c9"/> <cybox:Observable idref="mandiant:observable-6580689b-fa05-42de-b122-b2aabf301ca3"/> <cybox:Observable idref="mandiant:observable-88bdff38-0be0-409e-8587-4d96d4493e35"/> <cybox:Observable idref="mandiant:observable-a2cde4e6-e17b-487a-b6fa-d5d8884b4084"/> <cybox:Observable idref="mandiant:observable-6c4ba9bd-abc0-4fb0-b6aa-fb4fa34b8b9f"/> <cybox:Observable idref="mandiant:observable-869563a4-10ba-477e-8c13-1c27ec4968c5"/> <cybox:Observable idref="mandiant:observable-df849d44-e90e-4224-83f8-da506a119fec"/> <cybox:Observable idref="mandiant:observable-f08e1658-4af5-412e-bf4d-a85a78b00c4b"/> <cybox:Observable idref="mandiant:observable-2da915b4-8247-49d2-a55d-17c548c37675"/> <cybox:Observable idref="mandiant:observable-37f1e8c5-9356-4435-8e4e-ae84da188dfc"/> <cybox:Observable idref="mandiant:observable-d663e045-3be0-4140-9ed7-0844c2a47403"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <!-- References WEBC2 TTP rather than main APT1 TTP --> <stixCommon:TTP idref="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc 
xmlns="http://schemas.mandiant.com/2010/ioc" id="806beff3-7395-492e-be63-99a6b4a550b8" last-modified="2013-02-10T13:00:00"> <short_description>WEBC2-HEAD (FAMILY)</short_description> <description>The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-HEAD variant communicates over HTTPS, using the system's SSL implementation to encrypt all communications with the C2 server. WEBC2-HEAD first issues an HTTP GET to the host, sending the Base64-encoded string containing the name of the compromised machine running the malware.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="category">Backdoor</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="family">WEBC2-HEAD</link> </links> <definition> <!-- Root OR: a single MD5 match, the file name new.new, or either of the two AND groups further down satisfies this IOC. Each MD5 item matches one exact file, so a rebuilt or repacked sample is covered only by the AND groups. The new.new item sits directly under the root OR and therefore matches on file name alone. --><Indicator operator="OR" id="71a95442-f246-4c8c-8c4d-d24107401974"> <IndicatorItem id="89d01fdf-5347-4deb-973a-6014be53b868" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f627990bbe2ec5c48c180f724490c332</Content> </IndicatorItem> <IndicatorItem id="10ceb470-6f01-4b8a-944c-664851ad8c59" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ea7309fa59e9347a0715f164edf6b200</Content> </IndicatorItem> <IndicatorItem id="63e0fc42-2bd4-47ed-8ec0-1806f476a424" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b74022a7b9b63fdc541ae0848b28a962</Content> </IndicatorItem> <IndicatorItem id="783c9b4c-e04e-4ee3-a5a3-18222996ee84" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d2c616bf238fc18f9ea0a1643bd2d4bc</Content> </IndicatorItem> <IndicatorItem id="97d31203-6d5a-4568-bf5b-495775b1c5f4" condition="is"> 
<Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">88c7c50cd4130561d57a1d3b82c5b953</Content> </IndicatorItem> <IndicatorItem id="9ab5d4a3-8172-41f6-ad34-b27086d2fc68" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0ff48a336655869a74611236e6e2d249</Content> </IndicatorItem> <IndicatorItem id="2e19ed14-e88a-4beb-a45f-64f590d81fa8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ec8c89aa5e521572c74e2dd02a4daf78</Content> </IndicatorItem> <IndicatorItem id="07cb9185-063f-430d-b0df-029e31f502bd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">973f4a238d6d19bdc7b42977b07b9cef</Content> </IndicatorItem> <IndicatorItem id="4bae2960-7c8a-4d85-91c5-328e6695b792" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">165ef79e7caa806f13f82cc2bbf3dedd</Content> </IndicatorItem> <IndicatorItem id="8ec00ab0-0761-476c-8b7b-e44777b2739d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ef29229f7b633f634db3a5c49a3f4a1c</Content> </IndicatorItem> <IndicatorItem id="9f60046a-bba4-47f4-8d4c-c2b24ad0e510" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3f34e41d8ea034e6246ef6426bc91336</Content> </IndicatorItem> <IndicatorItem id="83dd19a8-795b-4267-ad35-a4e542c1a1d2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d263fed2e1c18f2cb439afcef0cd1b45</Content> </IndicatorItem> <IndicatorItem id="5c763b02-2f45-49db-ae6d-df878f9ded97" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">611b1577ba976f76fc01368545bc395c</Content> </IndicatorItem> <IndicatorItem id="4db95248-85fc-4ae2-b82a-02a9964f643c" condition="is"> <Context 
document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2f5979eaa728550a352c1ffee0b31236</Content> </IndicatorItem> <IndicatorItem id="a11bf49f-f485-4245-bd66-ce583d298dd0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a17bb80ae02c8b003cf69222fa13f506</Content> </IndicatorItem> <IndicatorItem id="68c9dc95-3c0e-4b9e-b2e4-34b39b9558e3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">02a2d148faba3b6310e7ba81eb62739d</Content> </IndicatorItem> <IndicatorItem id="8f0226db-5e50-479b-bdd2-ed876a7eb536" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">24c4ed0a6cc4e9671b72c104977fa215</Content> </IndicatorItem> <IndicatorItem id="4e76fc0c-f5b8-4982-b42d-2cdacc6ef105" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">649d54bc9eef5a60a4b9d8b889fee139</Content> </IndicatorItem> <IndicatorItem id="3916d662-12e4-4e08-9c68-e3567d2882be" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d802a0c3e0c3dcac43877bd488f2b042</Content> </IndicatorItem> <IndicatorItem id="bad6d471-29bc-4b8a-aacb-7ade3253a3f6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">078f1e2c528f2318b073e871f73efc21</Content> </IndicatorItem> <IndicatorItem id="a31ddb74-c0f2-4aa7-8d58-ab3957f92f61" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7b42b35832855ab4ff37ae9b8fa9e571</Content> </IndicatorItem> <IndicatorItem id="75598d7a-afd2-4f32-9768-5cb702bf51da" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">37df1896ba54e85ef549ccc1a88d34ab</Content> </IndicatorItem> <IndicatorItem id="3f922f45-81f4-4444-b308-3e0d933ff987" condition="is"> <Context document="FileItem" 
search="FileItem/Md5sum" type="mir"/> <Content type="md5">22d9466d6aab8410bea006b5d3df8bd0</Content> </IndicatorItem> <IndicatorItem id="8e172d1f-6059-4d66-b43b-2c1098394b11" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0d678350f05b274844da5d79fee75324</Content> </IndicatorItem> <IndicatorItem id="abf69db6-2486-42b2-b4cb-7dd045066953" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1ba6fee7d4e73752b39a09b1396b69f0</Content> </IndicatorItem> <IndicatorItem id="47074f5c-f25c-4c94-9285-7dd8354bce19" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">40ee45b1343406b6f7ad6204f1af7693</Content> </IndicatorItem> <IndicatorItem id="1c0b8e7e-6839-47ad-a247-a55dbefb0ab0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c3dbd79adfa21706f5451cc68331d31e</Content> </IndicatorItem> <IndicatorItem id="7d032780-5f9c-4a92-958e-b1bfc6eca02d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e55f7d80d99b6aacb0c8d9ed46856d25</Content> </IndicatorItem> <IndicatorItem id="6655c7f5-b472-4c7d-bad2-548cf4fa9ec6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c4c638750526e28f68d6d71fd1266bdf</Content> </IndicatorItem> <IndicatorItem id="b7db2c18-a757-4e3c-8678-e0703beaf468" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fad92f849e3bbfab211af339eb6a8d66</Content> </IndicatorItem> <IndicatorItem id="08dd7a96-cfee-4761-94df-5a8c205819de" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c9172b3e83c782bc930c06b628f31fa5</Content> </IndicatorItem> <IndicatorItem id="6f2e80e6-7915-423f-8d00-266c3d2d955c" condition="is"> <Context document="FileItem" 
search="FileItem/Md5sum" type="mir"/> <Content type="md5">7eedcd6d00b4f08b825b4c134b6d8f1a</Content> </IndicatorItem> <IndicatorItem id="7ebbcc68-a66e-4aa5-b4f5-3c764964f189" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">new.new</Content> </IndicatorItem> <!-- AND of three OR groups: (file name or PE anomaly) AND SizeInBytes AND PETimeStamp. Several names in the first group are also the names of legitimate Windows components (for example iexplore.exe, spoolsv.exe, inetinfo.exe, cisvc.exe), and the two PE anomaly items sit in that same OR group, so the first group is not selective by itself; the exact size and compile-timestamp values are what narrow the match. --><Indicator operator="AND" id="7135ed2a-ba81-4cda-8397-f4de667e2f4d"> <Indicator operator="OR" id="0dfdcb53-cd8f-4dd8-b43d-6d1732d44416"> <IndicatorItem id="2a53eb16-147e-44d9-b05d-1639874fd1c5" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">cisvc.exe</Content> </IndicatorItem> <IndicatorItem id="4743d2c9-bb76-4e66-89fe-ee191ba344cb" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">cisvc(00).exe</Content> </IndicatorItem> <IndicatorItem id="9e5cc91d-3f93-49aa-8c5a-4f1587e44fc2" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">cisvc(01).exe</Content> </IndicatorItem> <IndicatorItem id="ee4a1db8-b481-4917-a571-dd42f67ce452" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">cisvc(04).exe</Content> </IndicatorItem> <IndicatorItem id="7c0bc200-db6e-4f2a-b5a5-05f8f4af74bf" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">cisvc(05).exe</Content> </IndicatorItem> <IndicatorItem id="9346ec75-3e2d-46ae-8ddb-d0cc07000d62" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">cisvc1.exe</Content> </IndicatorItem> <IndicatorItem id="66e24ed6-8651-407c-9cce-84eed875b4f2" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">debugcss.exe</Content> </IndicatorItem> <IndicatorItem id="8a3d2388-fb2a-4729-a558-887cd499d01a" condition="is"> <Context document="FileItem" 
search="FileItem/FileName" type="mir"/> <Content type="string">helpsvc.dll</Content> </IndicatorItem> <IndicatorItem id="d4e37669-26a0-434c-92db-136716a6ff35" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">iexplore.exe</Content> </IndicatorItem> <IndicatorItem id="91bab107-f338-4ddf-a27f-30a4c312a6a9" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">inetinfo.exe</Content> </IndicatorItem> <IndicatorItem id="d019f76e-8ad0-446c-b9e2-55e8009541fd" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">once.exe</Content> </IndicatorItem> <IndicatorItem id="35ee3e81-018b-4f20-b6c6-cd1d87fc2bc9" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">spoolsv.exe</Content> </IndicatorItem> <IndicatorItem id="fe35e708-0ad7-4265-9cfa-1c1a95dfff46" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">spoolsv1.exe</Content> </IndicatorItem> <IndicatorItem id="6dc2762a-2537-43f6-82e0-83aa2c5d4f3b" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">spoolsv2.exe</Content> </IndicatorItem> <IndicatorItem id="c54ed757-c625-4793-85f9-cd252d27766a" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">spoolsv4.exe</Content> </IndicatorItem> <IndicatorItem id="64b68c63-4e0f-4554-b2dd-80c69bdadee9" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">spoolsv5.exe</Content> </IndicatorItem> <IndicatorItem id="2a176b0e-a5ff-4ddb-b71d-409ae64f6421" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">spoolsv6.exe</Content> </IndicatorItem> <IndicatorItem id="9af90e26-5f6d-4d28-999b-1ac2e0070daf" 
condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">spoolsv7.exe</Content> </IndicatorItem> <IndicatorItem id="9ef8f35e-126b-4a82-9363-18a6c58f7a1c" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">adobearm.exe</Content> </IndicatorItem> <IndicatorItem id="2f405b26-4ed9-42bb-b2df-0b2f72f84e0a" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 84% samples.</Comment> </IndicatorItem> <IndicatorItem id="520dcdaa-d471-4e30-9357-9f2a2de998b1" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">contains_eof_data</Content> <Comment>PE Header Anomaly identified in 3% samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="6eb0cbbc-bfee-4105-b0b9-8e8328cc99d4"> <IndicatorItem id="4235e966-ca89-4152-bad5-3ccda3d91b7b" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">10233</Content> </IndicatorItem> <IndicatorItem id="98450866-adce-4de0-a983-9da010d69773" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">34250</Content> </IndicatorItem> <IndicatorItem id="4fad1b1f-da0f-4fa2-862f-0914d1acda36" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">34304</Content> </IndicatorItem> <IndicatorItem id="9321d1b2-d7d7-4280-82cb-8f509f08061f" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">34305</Content> </IndicatorItem> <IndicatorItem id="3e0d5906-dc92-44ff-83c1-a3b5d36a5a23" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">38857</Content> 
</IndicatorItem> <IndicatorItem id="c88f9908-09d9-4edf-88a1-d145a58dbfce" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">39369</Content> </IndicatorItem> <IndicatorItem id="2086c397-aeb8-49e3-801c-c6cd8f2dffe1" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">50688</Content> </IndicatorItem> <IndicatorItem id="ac23a385-168a-4417-866f-6f77bcf54c17" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">9728</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="5ff7cc2d-036c-4f60-8d4c-089330f887a5"> <IndicatorItem id="fffcef61-8d62-4087-9547-1646798e6795" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-08-03T08:29:29Z</Content> </IndicatorItem> <IndicatorItem id="1da4e5e4-add0-4a14-b068-9226010ba200" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-02-11T03:27:04Z</Content> </IndicatorItem> <IndicatorItem id="89a1de8b-8909-40cd-9550-40fede1c34d2" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-07-19T01:55:13Z</Content> </IndicatorItem> </Indicator> </Indicator> <!-- AND group: all twelve imported-function names must be present in one file. The names are stored in lower case here (presumably normalised by the IOC tooling; confirm how the consuming matcher handles case). Most are common Win32 imports, so the signal is the full combination, including the three WinHTTP functions. --><Indicator operator="AND" id="2caec9c2-5fda-47ef-af1d-b41b8f88a47e"> <IndicatorItem id="b9821754-15c1-4c1f-ad2e-03b6afb37dad" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">createpipe</Content> </IndicatorItem> <IndicatorItem id="5dded4ed-ee4e-4a14-96e2-c6d88765f6c9" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">peeknamedpipe</Content> </IndicatorItem> <IndicatorItem 
id="6580689b-fa05-42de-b122-b2aabf301ca3" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">sleep</Content> </IndicatorItem> <IndicatorItem id="88bdff38-0be0-409e-8587-4d96d4493e35" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">getsystemdirectorya</Content> </IndicatorItem> <IndicatorItem id="a2cde4e6-e17b-487a-b6fa-d5d8884b4084" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">loadlibrarya</Content> </IndicatorItem> <IndicatorItem id="6c4ba9bd-abc0-4fb0-b6aa-fb4fa34b8b9f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">writefile</Content> </IndicatorItem> <IndicatorItem id="869563a4-10ba-477e-8c13-1c27ec4968c5" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">getlasterror</Content> </IndicatorItem> <IndicatorItem id="df849d44-e90e-4224-83f8-da506a119fec" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">terminateprocess</Content> </IndicatorItem> <IndicatorItem id="f08e1658-4af5-412e-bf4d-a85a78b00c4b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">getstartupinfoa</Content> </IndicatorItem> <IndicatorItem id="2da915b4-8247-49d2-a55d-17c548c37675" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">winhttpclosehandle</Content> 
</IndicatorItem> <IndicatorItem id="37f1e8c5-9356-4435-8e4e-ae84da188dfc" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">winhttpwritedata</Content> </IndicatorItem> <IndicatorItem id="d663e045-3be0-4140-9ed7-0844c2a47403" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">winhttpqueryoption</Content> </IndicatorItem> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-27d9d4b8-9230-4472-9b5c-f3783982c752"> <indicator:Title>GLOOXMAIL (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> GLOOXMAIL communicates with Google's Jabber/XMPP servers and authenticates with a hard-coded username and password. The malware can accept commands over XMPP that includes file upload and download, provide a remote shell, sending process listings, and terminating specified processes. The malware makes extensive use of the open source gloox library (http://camaya.net/gloox/, version 0.9.9.12) to communicate using the Jabber/XMPP protocol. All communications with the Google XMPP server are encrypted. 
</indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-43b83cf6-f932-4d87-81bc-bf4ec5d85887"/> <cybox:Observable idref="mandiant:observable-088f65aa-e06d-4a8d-892d-31d3db8499b1"/> <cybox:Observable idref="mandiant:observable-9055cf95-35e3-4e9c-b628-e30d72704fd2"/> <cybox:Observable idref="mandiant:observable-d5d2e783-fa76-4737-a1f3-c26a31779c18"/> <cybox:Observable id="mandiant:observable-6fe03ba2-a021-4e58-923f-8c8eb71db1ca"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-c8632c29-cf72-44ee-960d-c76fdfed311a"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-b9063d6c-7704-4fbc-bab6-a01b333fe300"/> <cybox:Observable idref="mandiant:observable-4476d37f-d9c6-4d6e-9f55-ff026e152fef"/> <cybox:Observable idref="mandiant:observable-bdcb3388-374c-4ac3-abaf-1d4afd7a9173"/> <cybox:Observable idref="mandiant:observable-5282e97b-24d0-4152-aabe-80070dfc1b0a"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-469b18fa-9852-46f0-832e-dadc01a1b3c8"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-d15737cf-e233-47ec-9819-9edd83716ed6"/> <cybox:Observable idref="mandiant:observable-9a4ca9de-bc81-446a-ae17-6869eb21c60c"/> <cybox:Observable idref="mandiant:observable-43c2ca55-e3fe-43ec-a950-d610a5b293a0"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-e440bc25-1e64-4783-a53b-16ff9bd57b96"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-a787a4bc-d945-459d-8ab3-efea1265359b"/> <cybox:Observable idref="mandiant:observable-53751ff0-4533-4698-a1e3-5770b4974adb"/> <cybox:Observable idref="mandiant:observable-d92978d0-d5b5-4e87-a1c9-19ab6efca287"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> 
</cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="84f04df2-25cd-4f59-a920-448d8843b6fc" last-modified="2013-02-10T13:00:00"> <short_description>GLOOXMAIL (FAMILY)</short_description> <description>GLOOXMAIL communicates with Google's Jabber/XMPP servers and authenticates with a hard-coded username and password. The malware can accept commands over XMPP that includes file upload and download, provide a remote shell, sending process listings, and terminating specified processes. The malware makes extensive use of the open source gloox library (http://camaya.net/gloox/, version 0.9.9.12) to communicate using the Jabber/XMPP protocol. All communications with the Google XMPP server are encrypted.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="category">Backdoor</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="family">GLOOXMAIL</link> </links> <definition> <Indicator operator="OR" id="27d9d4b8-9230-4472-9b5c-f3783982c752"> <IndicatorItem id="43b83cf6-f932-4d87-81bc-bf4ec5d85887" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8845cb5b4e450cb10a3b6ca41a9b4319</Content> </IndicatorItem> <IndicatorItem id="088f65aa-e06d-4a8d-892d-31d3db8499b1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3de1bd0f2107198931177b2b23877df4</Content> </IndicatorItem> <IndicatorItem id="9055cf95-35e3-4e9c-b628-e30d72704fd2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d5fd1ce9189cd54f157d691e317c0821</Content> 
</IndicatorItem> <IndicatorItem id="d5d2e783-fa76-4737-a1f3-c26a31779c18" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">15a33f8fe11b94bdd38bff651f6a5cd1</Content> </IndicatorItem> <Indicator operator="AND" id="6fe03ba2-a021-4e58-923f-8c8eb71db1ca"> <Indicator operator="OR" id="c8632c29-cf72-44ee-960d-c76fdfed311a"> <IndicatorItem id="b9063d6c-7704-4fbc-bab6-a01b333fe300" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">GTalk.exe</Content> </IndicatorItem> <IndicatorItem id="4476d37f-d9c6-4d6e-9f55-ff026e152fef" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">googlehelp.exe</Content> </IndicatorItem> <IndicatorItem id="bdcb3388-374c-4ac3-abaf-1d4afd7a9173" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">iexplore.exe</Content> </IndicatorItem> <IndicatorItem id="5282e97b-24d0-4152-aabe-80070dfc1b0a" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_mismatch</Content> <Comment>PE Header Anomaly identified in 67% samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="469b18fa-9852-46f0-832e-dadc01a1b3c8"> <IndicatorItem id="d15737cf-e233-47ec-9819-9edd83716ed6" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">353792</Content> </IndicatorItem> <IndicatorItem id="9a4ca9de-bc81-446a-ae17-6869eb21c60c" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">357888</Content> </IndicatorItem> <IndicatorItem id="43c2ca55-e3fe-43ec-a950-d610a5b293a0" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">529004</Content> </IndicatorItem> </Indicator> <Indicator 
operator="OR" id="e440bc25-1e64-4783-a53b-16ff9bd57b96"> <IndicatorItem id="a787a4bc-d945-459d-8ab3-efea1265359b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-08-16T09:05:19Z</Content> </IndicatorItem> <IndicatorItem id="53751ff0-4533-4698-a1e3-5770b4974adb" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-05-31T08:26:57Z</Content> </IndicatorItem> <IndicatorItem id="d92978d0-d5b5-4e87-a1c9-19ab6efca287" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-05-28T16:04:29Z</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="2793b0ac-6645-4b7c-b90d-d9e3ecae9141"> <IndicatorItem id="ec42e13b-b00c-406d-b6f6-ecbc5ed873e1" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">Create cmd shell failed with err code</Content> </IndicatorItem> <IndicatorItem id="3efe09fa-17a2-4b3f-96ce-1d83ad957e0e" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">Exit cmd shell</Content> </IndicatorItem> <IndicatorItem id="09ac0847-1e4d-43ad-84ff-f5ea514664eb" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">Abrot</Content> </IndicatorItem> <IndicatorItem id="112a4d0a-e7f2-4d15-aa01-d1607a281caa" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">Create cmd shell success</Content> </IndicatorItem> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" 
id="mandiant:indicator-9d11a416-43ba-42f4-bdfc-f142f04fec7a"> <indicator:Title>NEWSREELS (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> The NEWSREELS malware family is an HTTP based backdoor. When first started, NEWSREELS decodes two strings from its resources section. These strings are both used as C2 channels, one URL is used as a beacon URL (transmitting) and the second URL is used to get commands (receiving). The NEWSREELS malware family is capable of performing file uploads, downloads, creating processes or creating an interactive reverse shell. </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-f3911ad0-8cb2-4edf-beab-95be9455af49"/> <cybox:Observable idref="mandiant:observable-4a41070b-8762-4792-82b1-9b4f8db0f06a"/> <cybox:Observable idref="mandiant:observable-2ea1ff18-ac07-4243-87b2-7c82ef783c8d"/> <cybox:Observable idref="mandiant:observable-93d11fa9-9587-4590-b1e8-aebfb5070176"/> <cybox:Observable idref="mandiant:observable-f968c97e-7999-458d-afc2-4e928e39984d"/> <cybox:Observable idref="mandiant:observable-185da798-290c-435c-8994-43a7645a575b"/> <cybox:Observable idref="mandiant:observable-5fe0deb5-bbab-4b83-80da-7a63d92a2e25"/> <cybox:Observable idref="mandiant:observable-51655287-cc79-4448-b203-6b61fcaefa13"/> <cybox:Observable idref="mandiant:observable-1f71c3a6-dde2-439d-932a-855e91b438a0"/> <cybox:Observable idref="mandiant:observable-70ddfe18-a63c-4235-83e1-6b7c9a5d3e38"/> <cybox:Observable idref="mandiant:observable-d26c88a1-3b1e-4f19-a9f4-ad16b50dca0e"/> <cybox:Observable idref="mandiant:observable-d9fef6a6-d8ad-4bad-acfa-7bc1f49c5d73"/> <cybox:Observable idref="mandiant:observable-012ba2a6-2b89-4de3-bcb6-7b7c34e7bbee"/> <cybox:Observable idref="mandiant:observable-73eb05bb-beb0-4586-af65-56e3e3e41581"/> <cybox:Observable idref="mandiant:observable-bdf5bfa6-bd90-4bbb-876e-4a48308c5ca5"/> 
<cybox:Observable idref="mandiant:observable-c59164e3-4b60-45bc-bf6f-7f80313389ab"/> <cybox:Observable idref="mandiant:observable-62fc2294-a87f-41d3-94d6-bebc5a2e8c40"/> <cybox:Observable idref="mandiant:observable-3e02f3e0-d53f-4317-b860-a81caf177ffa"/> <cybox:Observable idref="mandiant:observable-0fb0253e-2883-4895-b750-25fbbedcf275"/> <cybox:Observable idref="mandiant:observable-1dfcc05d-4ced-4f92-b7ee-9c61c247d73c"/> <cybox:Observable idref="mandiant:observable-35bdb3f9-ff19-4ac6-b4c1-b7d814c865ec"/> <cybox:Observable idref="mandiant:observable-4f8cfd20-98c9-4ee7-a5d5-02e401584dc7"/> <cybox:Observable idref="mandiant:observable-5afa6c58-2164-42d0-9f1a-261d94f5fadd"/> <cybox:Observable idref="mandiant:observable-3e0db3ce-eb78-4bb8-90df-10a9951bba96"/> <cybox:Observable idref="mandiant:observable-eed26f95-dfad-49ed-95a8-8946da5e956b"/> <cybox:Observable idref="mandiant:observable-f93bd770-64d5-4d98-8c5e-51ceba961fe5"/> <cybox:Observable idref="mandiant:observable-df0abe73-e39c-4729-b6de-07eaf809a06e"/> <cybox:Observable idref="mandiant:observable-7917cbeb-d4e2-4400-aa6f-97354ce65c12"/> <cybox:Observable idref="mandiant:observable-a033aebf-5941-48c3-8246-aae43646a24b"/> <cybox:Observable idref="mandiant:observable-0cbbad3d-7e46-4131-a7cb-0015403d8ec8"/> <cybox:Observable idref="mandiant:observable-71f7afbc-5d7a-40fd-8814-5afb5ebe1fb9"/> <cybox:Observable idref="mandiant:observable-b76f0180-171b-4289-975d-0b297c611b01"/> <cybox:Observable idref="mandiant:observable-8b65e6cf-c8f9-41cd-86ff-63486bdd2fff"/> <cybox:Observable idref="mandiant:observable-77ee611b-ab46-4f0e-92cf-264f18642f06"/> <cybox:Observable idref="mandiant:observable-e3de49af-00d9-4b94-ac5f-98f75ab97e78"/> <cybox:Observable idref="mandiant:observable-fbec69a0-1f16-43f2-979f-0c1d8b0d4754"/> <cybox:Observable idref="mandiant:observable-f8a291a0-e468-4f0a-91c1-ec6ad5f09ae3"/> <cybox:Observable idref="mandiant:observable-dc175233-c223-4aa9-bb4a-894b3446ca06"/> <cybox:Observable 
idref="mandiant:observable-fad82e90-a9d0-4fcb-b01e-a5dddae5b4c2"/> <cybox:Observable idref="mandiant:observable-664459b1-7ccc-49a6-92a2-b092bdb9405c"/> <cybox:Observable idref="mandiant:observable-64667921-3dda-4be3-99ca-6aba304f39af"/> <cybox:Observable idref="mandiant:observable-15bb1783-edfb-430f-b63b-b8665a6f258d"/> <cybox:Observable idref="mandiant:observable-d90d60e4-87cf-48c7-bdfd-b77bba56c16c"/> <cybox:Observable idref="mandiant:observable-1f119b4a-52d3-4f96-8887-26f21242494f"/> <cybox:Observable idref="mandiant:observable-4134706e-76f2-4c67-b48a-af500ad938ad"/> <cybox:Observable idref="mandiant:observable-1a88042e-a9a4-4583-9232-d4b95e5c2b3d"/> <cybox:Observable idref="mandiant:observable-3b01a8db-9f22-41e7-ae85-52d54e798df8"/> <cybox:Observable idref="mandiant:observable-368d660c-f57d-424c-bf05-ef09ece30753"/> <cybox:Observable idref="mandiant:observable-ed5b1f55-5489-4287-adc0-f9b46eda97a6"/> <cybox:Observable idref="mandiant:observable-6945b6e7-0eef-4309-a0cf-4a92d542dffe"/> <cybox:Observable idref="mandiant:observable-d9ccf118-d55f-4783-9103-f76b6e4fcec4"/> <cybox:Observable idref="mandiant:observable-354ea984-7522-4960-a761-b309d326b200"/> <cybox:Observable id="mandiant:observable-49bc2c5b-a5c2-4a12-aaa6-b34a7d912505"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-8d3d984b-422c-4670-b5c4-5fb233973c3a"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-0eaf9915-dad4-4b8f-bf86-dc0bcec7a33a"/> <cybox:Observable idref="mandiant:observable-7c72475f-d056-4fe3-ab73-101611d9e050"/> <cybox:Observable idref="mandiant:observable-f753149f-e72e-4051-8be1-1d48ff7b0985"/> <cybox:Observable idref="mandiant:observable-2814c58c-f469-42d4-ab8f-5782b6e843ee"/> <cybox:Observable idref="mandiant:observable-4b2bbb39-4382-49f4-9fcb-40ad17fcd3d2"/> <cybox:Observable idref="mandiant:observable-317492f7-6198-4017-a686-f536529c7da2"/> <cybox:Observable 
idref="mandiant:observable-74afe37d-2e69-4269-a1a9-3cdb502e3a4e"/> <cybox:Observable idref="mandiant:observable-7c02e0a1-28db-4aba-8d8f-2a9d8fe1db0c"/> <cybox:Observable idref="mandiant:observable-83603ffd-0fe3-442f-80a9-189d05cc883f"/> <cybox:Observable idref="mandiant:observable-d268af83-9f7c-43a2-b67e-031bfc677e06"/> <cybox:Observable idref="mandiant:observable-990f92be-e5e8-4228-9f30-f008d16bf0f0"/> <cybox:Observable idref="mandiant:observable-80a87446-3744-4fc9-94c2-c0ff8927a146"/> <cybox:Observable idref="mandiant:observable-b1e96379-f0ad-4eed-bbf0-4e411ea27185"/> <cybox:Observable idref="mandiant:observable-af0d3664-4b72-4db6-91e9-ceccb5fe5f76"/> <cybox:Observable idref="mandiant:observable-ad4a59b2-f8b5-459c-85aa-71f4367fc442"/> <cybox:Observable idref="mandiant:observable-c618866f-3719-4d77-9b7e-eee12e3caa8e"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-d4397fe1-0c37-4828-82bd-f872d6c0a7be"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-5d0aebb9-3281-4b02-a25d-d997c3bb3aae"/> <cybox:Observable idref="mandiant:observable-a018b42e-25cc-4604-bb73-b2e9419ecf8c"/> <cybox:Observable idref="mandiant:observable-32d2da10-ca33-4a29-9a24-6c4158d94605"/> <cybox:Observable idref="mandiant:observable-71d80966-1323-4030-b34b-13d82973bb0f"/> <cybox:Observable idref="mandiant:observable-428c2847-6378-45db-88bc-005927e9ab57"/> <cybox:Observable idref="mandiant:observable-07144b84-b05c-4608-a484-cf2886e88181"/> <cybox:Observable idref="mandiant:observable-58e4af5c-9583-4fee-994a-5dc18cb1aec5"/> <cybox:Observable idref="mandiant:observable-839b8651-a985-4816-b8bb-ad30d57400af"/> <cybox:Observable idref="mandiant:observable-34015cfb-ae38-4697-be62-bc016557ee06"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-d9b1d1ee-51de-4dbd-861c-787c9524d97b"> <cybox:Observable_Composition operator="OR"> <cybox:Observable 
idref="mandiant:observable-b4555884-e09f-49d0-b6fc-f63c16711a03"/> <cybox:Observable idref="mandiant:observable-76ad1132-f79d-408f-8390-939ed7982c66"/> <cybox:Observable idref="mandiant:observable-d02a4d17-ec99-4300-9d2d-c9aa333b1d3b"/> <cybox:Observable idref="mandiant:observable-098ede67-d96a-406f-923f-c6977813832c"/> <cybox:Observable idref="mandiant:observable-37d0769a-5dcf-4609-8afb-90595f39d77b"/> <cybox:Observable idref="mandiant:observable-c5f80571-4e93-4053-9ac8-a25776622693"/> <cybox:Observable idref="mandiant:observable-df4d6419-524c-4b89-8218-0b7c495b4305"/> <cybox:Observable idref="mandiant:observable-73837ae9-5393-437d-947a-a4d4a17bf964"/> <cybox:Observable idref="mandiant:observable-151873b9-8598-442d-b96c-799dfb497cad"/> <cybox:Observable idref="mandiant:observable-f85062a7-3934-4d0c-86b6-bd5032fc11dc"/> <cybox:Observable idref="mandiant:observable-1868f15b-146f-4c7f-858a-53dbcc900133"/> <cybox:Observable idref="mandiant:observable-d1b9483a-c326-4949-8044-c7c39c4b6cfe"/> <cybox:Observable idref="mandiant:observable-857dc5fe-24f5-4b0d-9c38-69e28ea5fef9"/> <cybox:Observable idref="mandiant:observable-b41f646e-1781-43ed-9ff6-54e72acf50d5"/> <cybox:Observable idref="mandiant:observable-88e7ee9c-16ab-4fbe-ae99-357017dae33a"/> <cybox:Observable idref="mandiant:observable-d5920dff-f203-4c72-9031-748b433e909a"/> <cybox:Observable idref="mandiant:observable-b2aa045b-1b4e-4d8f-9d85-6b79e37fdd92"/> <cybox:Observable idref="mandiant:observable-2240b2b1-60d1-433c-8553-2ba4fbd5234a"/> <cybox:Observable idref="mandiant:observable-328f45ed-58bd-4475-872f-59223c705fe9"/> <cybox:Observable idref="mandiant:observable-56ba3bad-7aa7-4f3b-96c9-c4e59a64d1d2"/> <cybox:Observable idref="mandiant:observable-67ca1d0e-4554-4b30-938d-01bde2e478a0"/> <cybox:Observable idref="mandiant:observable-903f9f1b-4f53-4677-a457-0fa90cde0cfa"/> <cybox:Observable idref="mandiant:observable-ff68ae15-306d-4e5d-a7fc-880f42b2382f"/> <cybox:Observable 
idref="mandiant:observable-977f8b7c-7770-4e13-94b4-34b1e5543989"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-1de4c51e-b034-4c0b-9a37-23013db94937"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-dab1b4a0-46f5-4170-9d03-202dc2f4d5ad"/> <cybox:Observable idref="mandiant:observable-fa65191b-3f33-4f9d-b338-abeec6467f30"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-2b86d2fd-76c4-4fab-a21e-0af91b5298d2"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-50d28e11-daca-401f-b06c-cf97e79ac644"/> <cybox:Observable id="mandiant:observable-4f962e15-2812-477d-b6af-8632ac994137"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-c67ffe5f-bb76-4e0e-b597-a6f135c62e44"/> <cybox:Observable idref="mandiant:observable-99590a09-5285-46fd-834c-f7849726fe7e"/> <cybox:Observable idref="mandiant:observable-da1079ca-df4a-441b-948e-1a573f676689"/> <cybox:Observable idref="mandiant:observable-087e6bd3-a429-4779-b688-4e32e6d74a48"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="8695bb5e-29cd-41b9-b8b1-a0d20a6b960d" last-modified="2013-02-10T13:00:00"> <short_description>NEWSREELS (FAMILY)</short_description> <description>The NEWSREELS malware family is an HTTP based backdoor. When first started, NEWSREELS decodes two strings from its resources section. 
These strings are both used as C2 channels, one URL is used as a beacon URL (transmitting) and the second URL is used to get commands (receiving). The NEWSREELS malware family is capable of performing file uploads, downloads, creating processes or creating an interactive reverse shell.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="category">Backdoor</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="family">NEWSREELS</link> </links> <definition> <Indicator operator="OR" id="9d11a416-43ba-42f4-bdfc-f142f04fec7a"> <IndicatorItem id="f3911ad0-8cb2-4edf-beab-95be9455af49" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4ab62c8e525bee410cd4b6cfeea7d221</Content> </IndicatorItem> <IndicatorItem id="4a41070b-8762-4792-82b1-9b4f8db0f06a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c4f144febf16ff8f36df15353d5347ce</Content> </IndicatorItem> <IndicatorItem id="2ea1ff18-ac07-4243-87b2-7c82ef783c8d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2c9c691e15a48b20dbead0a6d6bf0300</Content> </IndicatorItem> <IndicatorItem id="93d11fa9-9587-4590-b1e8-aebfb5070176" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b8277cce81e0a372bc35d33a0c9483c2</Content> </IndicatorItem> <IndicatorItem id="f968c97e-7999-458d-afc2-4e928e39984d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fbde5068f85ce0aac2e9ff387b5f8c06</Content> </IndicatorItem> <IndicatorItem id="185da798-290c-435c-8994-43a7645a575b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a2cd1189860b9ba214421aab86ecbc8a</Content> </IndicatorItem> <IndicatorItem 
id="5fe0deb5-bbab-4b83-80da-7a63d92a2e25" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a7f17c75519fb8a39d37c47617202b05</Content> </IndicatorItem> <IndicatorItem id="51655287-cc79-4448-b203-6b61fcaefa13" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">af2f7b070245c90bd2a0a0845314173a</Content> </IndicatorItem> <IndicatorItem id="1f71c3a6-dde2-439d-932a-855e91b438a0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d8315c114107b7418c32f85e263766b7</Content> </IndicatorItem> <IndicatorItem id="70ddfe18-a63c-4235-83e1-6b7c9a5d3e38" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">33e9ccd45ef133b2c100d5a4f50635d5</Content> </IndicatorItem> <IndicatorItem id="d26c88a1-3b1e-4f19-a9f4-ad16b50dca0e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">438401c9ae36e9ed1bf4f410ae116484</Content> </IndicatorItem> <IndicatorItem id="d9fef6a6-d8ad-4bad-acfa-7bc1f49c5d73" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f65eee78ac150924cd37c7f1f3c96518</Content> </IndicatorItem> <IndicatorItem id="012ba2a6-2b89-4de3-bcb6-7b7c34e7bbee" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">71536d2e95420c55412c12dffea1a0a6</Content> </IndicatorItem> <IndicatorItem id="73eb05bb-beb0-4586-af65-56e3e3e41581" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d271ae0f4e9230af3b61eafe7f671fde</Content> </IndicatorItem> <IndicatorItem id="bdf5bfa6-bd90-4bbb-876e-4a48308c5ca5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b43266a047b2895399f4883cfe37c089</Content> </IndicatorItem> <IndicatorItem 
id="c59164e3-4b60-45bc-bf6f-7f80313389ab" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">270d42f292105951ee81e4085ea45054</Content> </IndicatorItem> <IndicatorItem id="62fc2294-a87f-41d3-94d6-bebc5a2e8c40" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">87efe3671ef8f1eca57f2d8f7e4711d9</Content> </IndicatorItem> <IndicatorItem id="3e02f3e0-d53f-4317-b860-a81caf177ffa" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d4c7f1f80883412f9796f1270accff50</Content> </IndicatorItem> <IndicatorItem id="0fb0253e-2883-4895-b750-25fbbedcf275" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">523f56515221161579ee6090c962e5b1</Content> </IndicatorItem> <IndicatorItem id="1dfcc05d-4ced-4f92-b7ee-9c61c247d73c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f07ac0b4301fccbae233a44e07a2a634</Content> </IndicatorItem> <IndicatorItem id="35bdb3f9-ff19-4ac6-b4c1-b7d814c865ec" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">effa99ea879e5be518f242d5820be070</Content> </IndicatorItem> <IndicatorItem id="4f8cfd20-98c9-4ee7-a5d5-02e401584dc7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f172ff6b65140f342e6ee51966ea3c4c</Content> </IndicatorItem> <IndicatorItem id="5afa6c58-2164-42d0-9f1a-261d94f5fadd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a639f598d4c0b9aa7a4691d05f27d977</Content> </IndicatorItem> <IndicatorItem id="3e0db3ce-eb78-4bb8-90df-10a9951bba96" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0496e3b17cf40c45f495188a368c203a</Content> </IndicatorItem> <IndicatorItem 
id="eed26f95-dfad-49ed-95a8-8946da5e956b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">215df0c319b98dad4f202849b097f8b2</Content> </IndicatorItem> <IndicatorItem id="f93bd770-64d5-4d98-8c5e-51ceba961fe5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">02c65973b6018f5d473d701b3e7508b2</Content> </IndicatorItem> <IndicatorItem id="df0abe73-e39c-4729-b6de-07eaf809a06e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">10a68e08c514d3b69296b0eb557d822c</Content> </IndicatorItem> <IndicatorItem id="7917cbeb-d4e2-4400-aa6f-97354ce65c12" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">933b11bc4799f8d9f65466fb2e3ea659</Content> </IndicatorItem> <IndicatorItem id="a033aebf-5941-48c3-8246-aae43646a24b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ef6c375e3e6930e2b50e1e97fe6fbcc9</Content> </IndicatorItem> <IndicatorItem id="0cbbad3d-7e46-4131-a7cb-0015403d8ec8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3f33c0dab564c35485fd227d97b98443</Content> </IndicatorItem> <IndicatorItem id="71f7afbc-5d7a-40fd-8814-5afb5ebe1fb9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">815a89041dea3e56348f8f5c8b7d1457</Content> </IndicatorItem> <IndicatorItem id="b76f0180-171b-4289-975d-0b297c611b01" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fe5ba680a96757ff232d4bad9c0db2b8</Content> </IndicatorItem> <IndicatorItem id="8b65e6cf-c8f9-41cd-86ff-63486bdd2fff" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b5a430a0696b5b25ae6b4fa5cbfe3333</Content> </IndicatorItem> <IndicatorItem 
id="77ee611b-ab46-4f0e-92cf-264f18642f06" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1fad25d4fef631f8ec3115e0944e4621</Content> </IndicatorItem> <IndicatorItem id="e3de49af-00d9-4b94-ac5f-98f75ab97e78" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">99a29ccea951a950040f3944abafed40</Content> </IndicatorItem> <IndicatorItem id="fbec69a0-1f16-43f2-979f-0c1d8b0d4754" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">baabd9b76bff84ed27fd432cfc6df241</Content> </IndicatorItem> <IndicatorItem id="f8a291a0-e468-4f0a-91c1-ec6ad5f09ae3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c6a29993234488fcbdcf45668eac9c47</Content> </IndicatorItem> <IndicatorItem id="dc175233-c223-4aa9-bb4a-894b3446ca06" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a4ad7335aa391519cc5fc9140f2562f2</Content> </IndicatorItem> <IndicatorItem id="fad82e90-a9d0-4fcb-b01e-a5dddae5b4c2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3d328395d0cefc67e2909774125196b1</Content> </IndicatorItem> <IndicatorItem id="664459b1-7ccc-49a6-92a2-b092bdb9405c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2c49f47c98203b110799ab622265f4ef</Content> </IndicatorItem> <IndicatorItem id="64667921-3dda-4be3-99ca-6aba304f39af" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/InternalName" type="mir"/> <Content type="string">JpgAsp</Content> </IndicatorItem> <IndicatorItem id="15bb1783-edfb-430f-b63b-b8665a6f258d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/InternalName" type="mir"/> <Content type="string">JpgCommand</Content> 
</IndicatorItem>
<IndicatorItem id="d90d60e4-87cf-48c7-bdfd-b77bba56c16c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/OriginalFilename" type="mir"/> <Content type="string">JpgCommand.EXE</Content> </IndicatorItem>
<IndicatorItem id="1f119b4a-52d3-4f96-8887-26f21242494f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/OriginalFilename" type="mir"/> <Content type="string">JpgAsp.exe</Content> </IndicatorItem>
<IndicatorItem id="4134706e-76f2-4c67-b48a-af500ad938ad" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductName" type="mir"/> <Content type="string">JpgCommand</Content> </IndicatorItem>
<IndicatorItem id="1a88042e-a9a4-4583-9232-d4b95e5c2b3d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductName" type="mir"/> <Content type="string"> JpgAsp</Content> <Comment>Whitespace is intentional</Comment> </IndicatorItem>
<IndicatorItem id="3b01a8db-9f22-41e7-ae85-52d54e798df8" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileDescription" type="mir"/> <Content type="string">JpgCommand</Content> </IndicatorItem>
<IndicatorItem id="368d660c-f57d-424c-bf05-ef09ece30753" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileDescription" type="mir"/> <Content type="string">JpgAsp</Content> </IndicatorItem>
<!--
  Item 2e94f270 has no matching idref in this indicator's CybOX
  Observable_Composition, so it exists only on the OpenIOC side; a consumer
  that evaluates only the CybOX observables never tests for this string.
  As written, condition="is" against FileItem/StringList/string requires an
  extracted string to equal "jpghttp://" exactly, not merely to contain it.
-->
<IndicatorItem id="2e94f270-70aa-4609-b97c-49763f3f8eee" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">jpghttp://</Content> </IndicatorItem>
<IndicatorItem id="ed5b1f55-5489-4287-adc0-f9b46eda97a6" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">NETF0.EXE</Content> </IndicatorItem>
<IndicatorItem 
id="6945b6e7-0eef-4309-a0cf-4a92d542dffe" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">net5034.exe</Content> </IndicatorItem> <IndicatorItem id="d9ccf118-d55f-4783-9103-f76b6e4fcec4" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">net5024.exe</Content> </IndicatorItem> <IndicatorItem id="354ea984-7522-4960-a761-b309d326b200" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">JpgCommand.exe</Content> </IndicatorItem> <Indicator operator="AND" id="49bc2c5b-a5c2-4a12-aaa6-b34a7d912505"> <Indicator operator="OR" id="8d3d984b-422c-4670-b5c4-5fb233973c3a"> <IndicatorItem id="0eaf9915-dad4-4b8f-bf86-dc0bcec7a33a" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">Post.exe</Content> </IndicatorItem> <IndicatorItem id="7c72475f-d056-4fe3-ab73-101611d9e050" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">update.bin</Content> </IndicatorItem> <IndicatorItem id="f753149f-e72e-4051-8be1-1d48ff7b0985" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">smartnav.exe</Content> </IndicatorItem> <IndicatorItem id="2814c58c-f469-42d4-ab8f-5782b6e843ee" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">WinInstall.exe</Content> </IndicatorItem> <IndicatorItem id="4b2bbb39-4382-49f4-9fcb-40ad17fcd3d2" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">index2.bin</Content> </IndicatorItem> <IndicatorItem id="317492f7-6198-4017-a686-f536529c7da2" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">setup.exe</Content> </IndicatorItem> <IndicatorItem 
id="74afe37d-2e69-4269-a1a9-3cdb502e3a4e" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">updater.jpg</Content> </IndicatorItem> <IndicatorItem id="7c02e0a1-28db-4aba-8d8f-2a9d8fe1db0c" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">update.exe</Content> </IndicatorItem> <IndicatorItem id="83603ffd-0fe3-442f-80a9-189d05cc883f" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">shift_proxy.exe</Content> </IndicatorItem> <IndicatorItem id="d268af83-9f7c-43a2-b67e-031bfc677e06" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">Post.exe</Content> </IndicatorItem> <IndicatorItem id="990f92be-e5e8-4228-9f30-f008d16bf0f0" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">Get.exe</Content> </IndicatorItem> <IndicatorItem id="80a87446-3744-4fc9-94c2-c0ff8927a146" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">NOD32.exe</Content> </IndicatorItem> <IndicatorItem id="b1e96379-f0ad-4eed-bbf0-4e411ea27185" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">shift.exe</Content> </IndicatorItem> <IndicatorItem id="af0d3664-4b72-4db6-91e9-ceccb5fe5f76" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">oversized_section</Content> <Comment>PE Header Anomaly identified in 15% samples.</Comment> </IndicatorItem> <IndicatorItem id="ad4a59b2-f8b5-459c-85aa-71f4367fc442" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 90% samples.</Comment> </IndicatorItem> 
<IndicatorItem id="c618866f-3719-4d77-9b7e-eee12e3caa8e" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">contains_eof_data</Content> <Comment>PE Header Anomaly identified in 5% samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="d4397fe1-0c37-4828-82bd-f872d6c0a7be"> <IndicatorItem id="5d0aebb9-3281-4b02-a25d-d997c3bb3aae" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">12800</Content> </IndicatorItem> <IndicatorItem id="a018b42e-25cc-4604-bb73-b2e9419ecf8c" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">12801</Content> </IndicatorItem> <IndicatorItem id="32d2da10-ca33-4a29-9a24-6c4158d94605" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">13068</Content> </IndicatorItem> <IndicatorItem id="71d80966-1323-4030-b34b-13d82973bb0f" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">13312 TO 14336</Content> </IndicatorItem> <IndicatorItem id="428c2847-6378-45db-88bc-005927e9ab57" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">21177 TO 21198</Content> </IndicatorItem> <IndicatorItem id="07144b84-b05c-4608-a484-cf2886e88181" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">21504</Content> </IndicatorItem> <IndicatorItem id="58e4af5c-9583-4fee-994a-5dc18cb1aec5" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">27648</Content> </IndicatorItem> <IndicatorItem id="839b8651-a985-4816-b8bb-ad30d57400af" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">28672</Content> </IndicatorItem> <IndicatorItem 
id="34015cfb-ae38-4697-be62-bc016557ee06" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">94208</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="d9b1d1ee-51de-4dbd-861c-787c9524d97b"> <IndicatorItem id="b4555884-e09f-49d0-b6fc-f63c16711a03" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-04-12T09:14:38Z</Content> </IndicatorItem> <IndicatorItem id="76ad1132-f79d-408f-8390-939ed7982c66" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-07-25T03:44:04Z</Content> </IndicatorItem> <IndicatorItem id="d02a4d17-ec99-4300-9d2d-c9aa333b1d3b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-12-21T01:39:02Z</Content> </IndicatorItem> <IndicatorItem id="098ede67-d96a-406f-923f-c6977813832c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-08-23T02:17:20Z</Content> </IndicatorItem> <IndicatorItem id="37d0769a-5dcf-4609-8afb-90595f39d77b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-10-27T08:43:39Z</Content> </IndicatorItem> <IndicatorItem id="c5f80571-4e93-4053-9ac8-a25776622693" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-06-14T12:37:41Z</Content> </IndicatorItem> <IndicatorItem id="df4d6419-524c-4b89-8218-0b7c495b4305" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-06-20T12:49:04Z</Content> </IndicatorItem> <IndicatorItem id="73837ae9-5393-437d-947a-a4d4a17bf964" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content 
type="date">2011-08-01T06:48:36Z</Content> </IndicatorItem> <IndicatorItem id="151873b9-8598-442d-b96c-799dfb497cad" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-08-05T07:10:09Z TO 2011-08-05T07:14:55Z</Content> </IndicatorItem> <IndicatorItem id="f85062a7-3934-4d0c-86b6-bd5032fc11dc" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-08-06T08:22:03Z</Content> </IndicatorItem> <IndicatorItem id="1868f15b-146f-4c7f-858a-53dbcc900133" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-08-09T09:22:09Z</Content> </IndicatorItem> <IndicatorItem id="d1b9483a-c326-4949-8044-c7c39c4b6cfe" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-10-10T01:28:55Z</Content> </IndicatorItem> <IndicatorItem id="857dc5fe-24f5-4b0d-9c38-69e28ea5fef9" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-10-18T00:58:17Z</Content> </IndicatorItem> <IndicatorItem id="b41f646e-1781-43ed-9ff6-54e72acf50d5" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-11-21T12:36:14Z TO 2011-11-21T12:36:14Z</Content> </IndicatorItem> <IndicatorItem id="88e7ee9c-16ab-4fbe-ae99-357017dae33a" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-02-08T14:53:36Z</Content> </IndicatorItem> <IndicatorItem id="d5920dff-f203-4c72-9031-748b433e909a" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-02-16T14:13:15Z</Content> </IndicatorItem> <IndicatorItem id="b2aa045b-1b4e-4d8f-9d85-6b79e37fdd92" condition="is"> <Context document="FileItem" 
search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-02-20T14:27:02Z</Content> </IndicatorItem> <IndicatorItem id="2240b2b1-60d1-433c-8553-2ba4fbd5234a" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-02-22T12:41:37Z</Content> </IndicatorItem> <IndicatorItem id="328f45ed-58bd-4475-872f-59223c705fe9" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-03-02T06:26:31Z TO 2012-03-02T08:45:11Z</Content> </IndicatorItem> <IndicatorItem id="56ba3bad-7aa7-4f3b-96c9-c4e59a64d1d2" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-03-13T02:21:54Z</Content> </IndicatorItem> <IndicatorItem id="67ca1d0e-4554-4b30-938d-01bde2e478a0" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-04-11T15:43:07Z</Content> </IndicatorItem> <IndicatorItem id="903f9f1b-4f53-4677-a457-0fa90cde0cfa" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-04-17T08:27:25Z TO 2012-04-17T09:32:54Z</Content> </IndicatorItem> <IndicatorItem id="ff68ae15-306d-4e5d-a7fc-880f42b2382f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-04-24T08:24:45Z</Content> </IndicatorItem> <IndicatorItem id="977f8b7c-7770-4e13-94b4-34b1e5543989" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-05-29T07:38:21Z</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="1de4c51e-b034-4c0b-9a37-23013db94937"> <IndicatorItem id="dab1b4a0-46f5-4170-9d03-202dc2f4d5ad" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/Language" type="mir"/> <Content 
type="string">Chinese (Simplified, PRC)</Content> </IndicatorItem> <IndicatorItem id="fa65191b-3f33-4f9d-b338-abeec6467f30" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/LegalCopyright" type="mir"/> <Content type="string">Copyright ? 2012</Content> </IndicatorItem> </Indicator> <Indicator operator="AND" id="9a7c6531-9ffc-4a90-93f2-e13b33a89abf"> <IndicatorItem id="fab92fbe-7e6e-4420-a70c-8bca347c4cc0" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">cmd.exe /c</Content> </IndicatorItem> <IndicatorItem id="0f973922-ff90-4c4d-b357-590c8fd231fd" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">thequickbrownfxjmpsvalzydg</Content> </IndicatorItem> </Indicator> <Indicator operator="AND" id="2b86d2fd-76c4-4fab-a21e-0af91b5298d2"> <IndicatorItem id="50d28e11-daca-401f-b06c-cf97e79ac644" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">\temp\</Content> </IndicatorItem> <Indicator operator="OR" id="4f962e15-2812-477d-b6af-8632ac994137"> <IndicatorItem id="c67ffe5f-bb76-4e0e-b597-a6f135c62e44" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">temp.tmp</Content> </IndicatorItem> <IndicatorItem id="99590a09-5285-46fd-834c-f7849726fe7e" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">photo.jpg</Content> </IndicatorItem> <IndicatorItem id="da1079ca-df4a-441b-948e-1a573f676689" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">display.asp</Content> </IndicatorItem> <IndicatorItem id="087e6bd3-a429-4779-b688-4e32e6d74a48" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">backsangho.jpg</Content> 
</IndicatorItem> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <!-- TABMSGSQL (FAMILY): this indicator carries its detection logic twice, once as a CybOX Observable_Composition and once as the embedded OpenIOC 2010 definition under Test_Mechanisms. --> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-2c6d4480-4276-416a-ba13-26c7598fe55c"> <indicator:Title>TABMSGSQL (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> This malware family is a full-featured backdoor capable of file uploading and downloading, arbitrary execution of programs, and providing a remote interactive command shell. All communications with the C2 server are sent over HTTP to a static URL, appending various URL parameters to the request. Some variants use a slightly different URL. The C2 server appears to act as just a database, allowing the clients to craft and execute SQL statements of their choosing. The malware also implements a special mode that provides full administrative access to the C2 server. This includes displaying the status of clients who have checked in with the C2 server, queuing commands to any client, and uploading or downloading files to the C2 server. 
</indicator:Description> <!-- Top-level OR over 24 observable idrefs (the same UUIDs as the 24 Md5sum items in the OpenIOC definition of this indicator) plus two AND groups, 38a72bf1 and 01ef6ff8. The OpenIOC item efb7dbc2-46a7-4fb0-8bd2-cfdcc99daf6c (FileItem/StringList/string) has no idref in this composition, so a consumer that evaluates only the CybOX side does not get that string check; the header comment of this file describes the CybOX conversion as lossy. --> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-0bd6f414-d5af-4a85-bf84-377abb903c21"/> <cybox:Observable idref="mandiant:observable-e7257d4c-a18c-4e83-be75-b40a7b739d19"/> <cybox:Observable idref="mandiant:observable-5e7f8377-891e-4d53-aa40-9d662477d567"/> <cybox:Observable idref="mandiant:observable-df2cea97-90d2-426f-930b-b783f49ee095"/> <cybox:Observable idref="mandiant:observable-b73ed629-7f0a-4ed2-8ade-38f2c4061dd4"/> <cybox:Observable idref="mandiant:observable-6de65dff-bc02-406e-8776-e70e287dd597"/> <cybox:Observable idref="mandiant:observable-7a2f2582-73a8-4a06-b52b-c589bedda1ad"/> <cybox:Observable idref="mandiant:observable-f384c66b-37ac-4acf-8d72-55b04dd6a9c0"/> <cybox:Observable idref="mandiant:observable-7fd10ee3-26ec-414e-b4b4-878f91436912"/> <cybox:Observable idref="mandiant:observable-b2e13e8b-952f-4a59-be04-dfdf5eca3f8c"/> <cybox:Observable idref="mandiant:observable-b9f05433-78c0-4082-ab10-3a78b7ab2a5d"/> <cybox:Observable idref="mandiant:observable-976eb5ba-0810-4afd-a3c1-2a04d8e9c2c4"/> <cybox:Observable idref="mandiant:observable-ca570199-0523-4f49-bfb4-a7be03752326"/> <cybox:Observable idref="mandiant:observable-6a9a8058-7045-4722-9d07-c778f29691c2"/> <cybox:Observable idref="mandiant:observable-82c4f0c2-0ab2-456a-852b-48a768aa9dee"/> <cybox:Observable idref="mandiant:observable-d108d2a2-e41f-42ac-aa6e-42b23cc74e93"/> <cybox:Observable idref="mandiant:observable-22b11880-c237-480f-ae52-917a7ed55566"/> <cybox:Observable idref="mandiant:observable-d171f8b5-21c0-4c5c-a3bc-cbe127692c0d"/> <cybox:Observable idref="mandiant:observable-9ab45d6b-565e-4b64-b93f-b23e687937ae"/> <cybox:Observable idref="mandiant:observable-ea867aab-ee81-42aa-a6f2-2b7515972a4b"/> <cybox:Observable idref="mandiant:observable-4e840329-9123-4119-9ce0-1fca6fa7c3c4"/> <cybox:Observable idref="mandiant:observable-5dbc4c91-60d8-42d8-b1e7-b107c6fd80a4"/> <cybox:Observable 
idref="mandiant:observable-66cd7040-0c0d-4d63-8b74-b6f9b948e1ee"/> <cybox:Observable idref="mandiant:observable-17bae05f-e5e9-47f2-b1f9-9d6cce455b19"/> <cybox:Observable id="mandiant:observable-38a72bf1-1cc5-4d4a-bb9e-a1fc19c2fad7"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-e005cff2-a061-415e-914b-2f49e3064aee"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-6fc8e033-46f5-4457-b09c-72ef013d8d01"/> <cybox:Observable idref="mandiant:observable-330d109e-d67d-400c-8782-d419d8c8fdea"/> <cybox:Observable idref="mandiant:observable-cdc14485-a104-416a-a6e9-b5a0053b4e14"/> <cybox:Observable idref="mandiant:observable-432017a3-cf8e-46c7-9c2b-9abd9347aaa4"/> <cybox:Observable idref="mandiant:observable-5c4f91ef-b91f-4214-b8e3-d0093dc1d713"/> <cybox:Observable idref="mandiant:observable-47462879-ba51-4c06-b184-ac6f24fde5a7"/> <cybox:Observable idref="mandiant:observable-f780ed3e-99a5-42a6-b87e-34239a9e9f98"/> <cybox:Observable idref="mandiant:observable-085bdd85-79a6-442b-982e-728cec1f0edb"/> <cybox:Observable idref="mandiant:observable-9788ddbd-d0f6-4775-b4dd-2b0824f23aef"/> <cybox:Observable idref="mandiant:observable-d6d47b03-1b98-4da1-8947-ec1b39571d67"/> <cybox:Observable idref="mandiant:observable-cad6845d-48ab-4dba-80c1-11a4d24287fc"/> <cybox:Observable idref="mandiant:observable-9cf44dd1-bc08-4ce1-9c3f-5cf36d2e9554"/> <cybox:Observable idref="mandiant:observable-ee53f8a8-b073-4a23-ac53-5a2bcc248c2b"/> <cybox:Observable idref="mandiant:observable-13944004-8d57-46a8-9095-7f3627028bb2"/> <cybox:Observable idref="mandiant:observable-b79b4e26-9906-47b1-97e8-7851dd4ca153"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-3bd7e49a-e2a7-4f4f-8d6f-781e20b3e861"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-04f95431-b14d-43c2-a469-76ec2dfca5d2"/> <cybox:Observable 
idref="mandiant:observable-5ce072f5-455d-4457-9a55-e43f796b05c8"/> <cybox:Observable idref="mandiant:observable-4c60995e-0101-422c-aa6a-442bd4c72274"/> <cybox:Observable idref="mandiant:observable-f23cad9e-d703-48cd-bdf4-6c4c51587d1b"/> <cybox:Observable idref="mandiant:observable-efd2b400-30a3-44e4-b9c6-e998bf1bd7d1"/> <cybox:Observable idref="mandiant:observable-8791f0d6-eb97-4dbc-bd90-bacff1692af4"/> <cybox:Observable idref="mandiant:observable-58428dae-3ddf-45b1-b9d6-191fbf15386e"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-f784009f-474c-481c-b916-6a5eb5171217"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-77056ecd-8481-41ba-8a52-f6ebbb2f4672"/> <cybox:Observable idref="mandiant:observable-18fa2007-837a-4d7f-a497-4726d84e5e63"/> <cybox:Observable idref="mandiant:observable-e95325be-a318-46f2-a3f3-3666164bd40d"/> <cybox:Observable idref="mandiant:observable-d3ae8857-2edd-4c7b-b030-97e02aff3d93"/> <cybox:Observable idref="mandiant:observable-fc57d943-b0a7-414e-aff4-06c3dc1dca8a"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-01ef6ff8-8050-44d6-bd54-f35e523315ab"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-9a29dd0d-ad67-42eb-9e3f-d2e7e485099f"/> <cybox:Observable idref="mandiant:observable-a91296f4-e0e0-454d-8fae-a8a55a77e457"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="86e9b8ec-7413-453b-a932-b5fb95a8dba6" last-modified="2013-02-10T13:00:00"> 
<short_description>TABMSGSQL (FAMILY)</short_description> <description>This malware family is a full-featured backdoor capable of file uploading and downloading, arbitrary execution of programs, and providing a remote interactive command shell. All communications with the C2 server are sent over HTTP to a static URL, appending various URL parameters to the request. Some variants use a slightly different URL. The C2 server appears to act as just a database, allowing the clients to craft and execute SQL statements of their choosing. The malware also implements a special mode that provides full administrative access to the C2 server. This includes displaying the status of clients who have checked in with the C2 server, queuing commands to any client, and uploading or downloading files to the C2 server.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">TABMSGSQL</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Backdoor</link> </links> <definition> <!-- OpenIOC logic, any one branch matches: an exact MD5 of a listed sample; a file string containing letusgohtppmmv2.0.0.1; the AND group 38a72bf1 (name or PE anomaly, size, PE timestamp); the AND group 01ef6ff8 (Mutant handle in a process). An MD5 match identifies one exact file only, so the other branches are what can still match a sample that is not in the hash list. --> <Indicator operator="OR" id="2c6d4480-4276-416a-ba13-26c7598fe55c"> <IndicatorItem id="0bd6f414-d5af-4a85-bf84-377abb903c21" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1c7538951b21d93ef7ecf3fa94ae5c5e</Content> </IndicatorItem> <IndicatorItem id="e7257d4c-a18c-4e83-be75-b40a7b739d19" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">052ec04866e4a67f31845d656531830d</Content> </IndicatorItem> <IndicatorItem id="5e7f8377-891e-4d53-aa40-9d662477d567" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">016da6ee744b16656a2ba3107c7a4a29</Content> </IndicatorItem> <IndicatorItem id="df2cea97-90d2-426f-930b-b783f49ee095" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">b47e5d095be9fd61016817359f6c2887</Content> </IndicatorItem> <IndicatorItem id="b73ed629-7f0a-4ed2-8ade-38f2c4061dd4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2af105519133baaee57c9ade00543de2</Content> </IndicatorItem> <IndicatorItem id="6de65dff-bc02-406e-8776-e70e287dd597" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">83b3711c32d28a87b173e7e5aba5f826</Content> </IndicatorItem> <IndicatorItem id="7a2f2582-73a8-4a06-b52b-c589bedda1ad" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e6ff0431a9a9028808efc582405ea7df</Content> </IndicatorItem> <IndicatorItem id="f384c66b-37ac-4acf-8d72-55b04dd6a9c0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">79841c13f645118a600d19def3642d1a</Content> </IndicatorItem> <IndicatorItem id="7fd10ee3-26ec-414e-b4b4-878f91436912" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bee9b7835a02973678e9ead683da1ac4</Content> </IndicatorItem> <IndicatorItem id="b2e13e8b-952f-4a59-be04-dfdf5eca3f8c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3cda17269c246a2e3bfcda6fa02fceb8</Content> </IndicatorItem> <IndicatorItem id="b9f05433-78c0-4082-ab10-3a78b7ab2a5d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">16e53c619803d0068611bb6d448d1d49</Content> </IndicatorItem> <IndicatorItem id="976eb5ba-0810-4afd-a3c1-2a04d8e9c2c4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2156942db0293565c9420c1e254a2c32</Content> </IndicatorItem> <IndicatorItem id="ca570199-0523-4f49-bfb4-a7be03752326" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">001dd76872d80801692ff942308c64e6</Content> </IndicatorItem> <IndicatorItem id="6a9a8058-7045-4722-9d07-c778f29691c2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f02abd537e481109142b6170933d1b3d</Content> </IndicatorItem> <IndicatorItem id="82c4f0c2-0ab2-456a-852b-48a768aa9dee" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">002325a0a67fded0381b5648d7fe9b8e</Content> </IndicatorItem> <IndicatorItem id="d108d2a2-e41f-42ac-aa6e-42b23cc74e93" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7f398b00546c3a0946cd6142c308a556</Content> </IndicatorItem> <IndicatorItem id="22b11880-c237-480f-ae52-917a7ed55566" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ef0a6c79f99a537f932a5e64999972b3</Content> </IndicatorItem> <IndicatorItem id="d171f8b5-21c0-4c5c-a3bc-cbe127692c0d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">86b68ad2e9c33eadf134285ea142ccc2</Content> </IndicatorItem> <IndicatorItem id="9ab45d6b-565e-4b64-b93f-b23e687937ae" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2f930d92dc5ebc9d53ad2a2b451ebf65</Content> </IndicatorItem> <IndicatorItem id="ea867aab-ee81-42aa-a6f2-2b7515972a4b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">68d2fd5049e70942d164e4e25d13dd8e</Content> </IndicatorItem> <IndicatorItem id="4e840329-9123-4119-9ce0-1fca6fa7c3c4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8a86df3d382bfd1e4c4165f4cacfdff8</Content> </IndicatorItem> <IndicatorItem id="5dbc4c91-60d8-42d8-b1e7-b107c6fd80a4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">99a7e4a01b813b9b26ba76bf0b484742</Content> </IndicatorItem> <IndicatorItem id="66cd7040-0c0d-4d63-8b74-b6f9b948e1ee" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">55886d571c2a57984ea9659b57e1c63a</Content> </IndicatorItem> <IndicatorItem id="17bae05f-e5e9-47f2-b1f9-9d6cce455b19" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3e87051b1dc3463f378c7e1fe398dc7d</Content> </IndicatorItem> <IndicatorItem id="efb7dbc2-46a7-4fb0-8bd2-cfdcc99daf6c" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">letusgohtppmmv2.0.0.1</Content> <Comment>string artifact of mutant created by some versions of the malware</Comment> </IndicatorItem> <!-- All three OR groups below must match: (file name or PE anomaly) AND exact size AND exact PE timestamp. The first group also holds checksum_is_zero and contains_eof_data, so it can be met by a file of any name; several listed names (setup.exe, inetinfo.exe, adobearm.exe, reader_sl.exe) are also names of legitimate programs. Selectivity comes from the size and timestamp groups, so a name hit alone is not a finding. --> <Indicator operator="AND" id="38a72bf1-1cc5-4d4a-bb9e-a1fc19c2fad7"> <Indicator operator="OR" id="e005cff2-a061-415e-914b-2f49e3064aee"> <IndicatorItem id="6fc8e033-46f5-4457-b09c-72ef013d8d01" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">reader_sl.exe</Content> </IndicatorItem> <IndicatorItem id="330d109e-d67d-400c-8782-d419d8c8fdea" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">httpmm.exe</Content> </IndicatorItem> <IndicatorItem id="cdc14485-a104-416a-a6e9-b5a0053b4e14" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">adobearm.exe</Content> </IndicatorItem> <IndicatorItem id="432017a3-cf8e-46c7-9c2b-9abd9347aaa4" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">http1+.exe</Content> </IndicatorItem> <IndicatorItem id="5c4f91ef-b91f-4214-b8e3-d0093dc1d713" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">http2+.exe</Content> </IndicatorItem> <IndicatorItem 
id="47462879-ba51-4c06-b184-ac6f24fde5a7" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">http3+.exe</Content> </IndicatorItem> <IndicatorItem id="f780ed3e-99a5-42a6-b87e-34239a9e9f98" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">http4+.exe</Content> </IndicatorItem> <IndicatorItem id="085bdd85-79a6-442b-982e-728cec1f0edb" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">http5+.exe</Content> </IndicatorItem> <IndicatorItem id="9788ddbd-d0f6-4775-b4dd-2b0824f23aef" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">http6+.exe</Content> </IndicatorItem> <IndicatorItem id="d6d47b03-1b98-4da1-8947-ec1b39571d67" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">inetinfo.exe</Content> </IndicatorItem> <IndicatorItem id="cad6845d-48ab-4dba-80c1-11a4d24287fc" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">setup.exe</Content> </IndicatorItem> <IndicatorItem id="9cf44dd1-bc08-4ce1-9c3f-5cf36d2e9554" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">setupaa.exe</Content> </IndicatorItem> <IndicatorItem id="ee53f8a8-b073-4a23-ac53-5a2bcc248c2b" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">http1.exe</Content> </IndicatorItem> <IndicatorItem id="13944004-8d57-46a8-9095-7f3627028bb2" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">contains_eof_data</Content> <Comment>PE Header Anomaly identified in 4% samples.</Comment> </IndicatorItem> <IndicatorItem id="b79b4e26-9906-47b1-97e8-7851dd4ca153" condition="is"> <Context 
document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 71% samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="3bd7e49a-e2a7-4f4f-8d6f-781e20b3e861"> <IndicatorItem id="04f95431-b14d-43c2-a469-76ec2dfca5d2" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">26085</Content> </IndicatorItem> <IndicatorItem id="5ce072f5-455d-4457-9a55-e43f796b05c8" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">26112</Content> </IndicatorItem> <IndicatorItem id="4c60995e-0101-422c-aa6a-442bd4c72274" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">26624</Content> </IndicatorItem> <IndicatorItem id="f23cad9e-d703-48cd-bdf4-6c4c51587d1b" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">32734</Content> </IndicatorItem> <IndicatorItem id="efd2b400-30a3-44e4-b9c6-e998bf1bd7d1" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">32768</Content> </IndicatorItem> <IndicatorItem id="8791f0d6-eb97-4dbc-bd90-bacff1692af4" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">33792</Content> </IndicatorItem> <IndicatorItem id="58428dae-3ddf-45b1-b9d6-191fbf15386e" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">33829</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="f784009f-474c-481c-b916-6a5eb5171217"> <IndicatorItem id="77056ecd-8481-41ba-8a52-f6ebbb2f4672" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-10-19T08:15:54Z</Content> </IndicatorItem> <IndicatorItem 
id="18fa2007-837a-4d7f-a497-4726d84e5e63" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-10-20T03:05:15Z</Content> </IndicatorItem> <IndicatorItem id="e95325be-a318-46f2-a3f3-3666164bd40d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-11-02T08:35:56Z</Content> </IndicatorItem> <IndicatorItem id="d3ae8857-2edd-4c7b-b030-97e02aff3d93" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-11-04T06:07:11Z</Content> </IndicatorItem> <IndicatorItem id="fc57d943-b0a7-414e-aff4-06c3dc1dca8a" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-11-01T02:43:26Z</Content> </IndicatorItem> </Indicator> </Indicator> <!-- Runtime check against ProcessItem handle data rather than files on disk: a handle of type Mutant whose name is letusgohtppmmv2.0.0.1. It needs a process handle listing to evaluate. --> <Indicator operator="AND" id="01ef6ff8-8050-44d6-bd54-f35e523315ab"> <IndicatorItem id="9a29dd0d-ad67-42eb-9e3f-d2e7e485099f" condition="is"> <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Type" type="mir"/> <Content type="string">Mutant</Content> </IndicatorItem> <IndicatorItem id="a91296f4-e0e0-454d-8fae-a8a55a77e457" condition="is"> <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/> <Content type="string">letusgohtppmmv2.0.0.1</Content> <Comment>mutant created by some versions of the malware</Comment> </IndicatorItem> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-809eca7a-fb86-44eb-b355-403c58e2159a"> <indicator:Title>COOKIEBAG (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> This family of malware is a backdoor capable of file upload and download as well as 
providing remote interactive shell access to the compromised machine. Communication with the Command &amp; Control (C2) servers uses a combination of single-byte XOR and Base64 encoded data in the Cookie and Set-Cookie HTTP header fields. Communication with the C2 servers is over port 80. Some variants install a registry key as means of a persistence mechanism. The hardcoded strings cited include a string of a command in common with several other APT1 families. </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-79abb1a5-bbf6-43af-8467-532f71c6dd87"/> <cybox:Observable idref="mandiant:observable-04e77da2-5b8a-412b-a399-f469ec0e04b6"/> <cybox:Observable idref="mandiant:observable-00351da5-c885-484e-bc72-aad44ed08e51"/> <cybox:Observable idref="mandiant:observable-7bd94800-81f8-4dfa-b249-03d98b0b9606"/> <cybox:Observable idref="mandiant:observable-33c801e0-2c42-4dd8-b596-2db00964a928"/> <cybox:Observable idref="mandiant:observable-59522153-7522-482b-8bb6-010211a6737a"/> <cybox:Observable idref="mandiant:observable-0b06b091-69d3-4914-a234-bdf613539c68"/> <cybox:Observable idref="mandiant:observable-db9d2702-a55a-406e-9d02-46afead92b6e"/> <cybox:Observable idref="mandiant:observable-f17fffc0-839f-4ad1-8d74-0db32124b8e6"/> <cybox:Observable idref="mandiant:observable-81a255ee-0927-4ad9-9fba-9aab5e6cd76f"/> <cybox:Observable idref="mandiant:observable-5849c3c1-d099-4733-b03e-8c56711194d0"/> <cybox:Observable idref="mandiant:observable-f08759f3-d4cc-4309-a7e2-8c6fdbbce80b"/> <cybox:Observable idref="mandiant:observable-2ccebfa9-1eaa-460e-9341-8a96a2ff7a2b"/> <cybox:Observable idref="mandiant:observable-f547229b-7a04-431e-b56b-09ac98678697"/> <cybox:Observable idref="mandiant:observable-7215d193-972f-444c-aa18-a61daabc04a6"/> <cybox:Observable idref="mandiant:observable-c1343674-dd87-49a0-a4a3-a27d0818dc18"/> <cybox:Observable idref="mandiant:observable-b7c91545-2a05-4b62-b1dd-1fb71e82ab89"/> 
<cybox:Observable idref="mandiant:observable-e3b2626b-c7d3-4a44-a824-6bf850243237"/> <cybox:Observable id="mandiant:observable-afee0590-19b9-4126-876b-bfb17ebd7abf"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-45742288-6707-47b5-9969-8fe7508f96d1"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-ff943c0a-9e58-4386-ad14-34015d84e415"/> <cybox:Observable idref="mandiant:observable-1440d9e1-ac2b-4070-9c52-18c09764e9e5"/> <cybox:Observable idref="mandiant:observable-3439977d-e115-4d8f-b132-0ad1d43a03f9"/> <cybox:Observable idref="mandiant:observable-710c48a6-5469-4bd4-92eb-e42e88513684"/> <cybox:Observable idref="mandiant:observable-7141fe94-297a-4e1b-84ae-27750d6ca75f"/> <cybox:Observable idref="mandiant:observable-084208aa-67d9-4c4f-94b6-f6473e2d2145"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-a59ef15a-1121-44af-9043-8585cc55903c"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-c0e76f51-65b3-4674-8f40-0e9f3c0aad5e"/> <cybox:Observable idref="mandiant:observable-8e459a03-786e-43e3-855b-e20e6335e26b"/> <cybox:Observable idref="mandiant:observable-925a2eca-69c1-4ffb-b40f-2cacb6b7a5cb"/> <cybox:Observable idref="mandiant:observable-82dd6cbd-30f3-4cea-a8c9-740a546241d4"/> <cybox:Observable idref="mandiant:observable-b3633486-591f-4efb-b237-0e4fb02ad91c"/> <cybox:Observable idref="mandiant:observable-e63613fd-a9a1-4a98-ad5a-fdc220e0441f"/> <cybox:Observable idref="mandiant:observable-fabb74b2-60b0-41d4-a5c0-36352424c0e5"/> <cybox:Observable idref="mandiant:observable-a6b24c9d-1a03-45af-914b-6acf27687c54"/> <cybox:Observable idref="mandiant:observable-01537a75-9e1b-40ca-8f89-9c86be215732"/> <cybox:Observable idref="mandiant:observable-351316b2-0c9e-4f14-8378-2c501708d770"/> <cybox:Observable idref="mandiant:observable-0c587488-54ba-4632-842b-61bf5f1312af"/> </cybox:Observable_Composition> 
</cybox:Observable> <cybox:Observable id="mandiant:observable-dcbb72e5-50e0-47ab-99a2-fd0deecb35e7"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-afa38bcf-b80a-47ee-9c0a-2fdf6dba7f9e"/> <cybox:Observable idref="mandiant:observable-1a17e869-fc4d-41da-b236-9dbcb88d6ff2"/> <cybox:Observable idref="mandiant:observable-7e48992d-2ff8-4f80-9889-8f35073af141"/> <cybox:Observable idref="mandiant:observable-5a7e8dc6-f0af-4758-850b-0df033d97e1a"/> <cybox:Observable idref="mandiant:observable-0c04da43-6de5-4333-a254-8242134172c5"/> <cybox:Observable idref="mandiant:observable-6023b32f-45a6-47ea-ac7c-fbffd35f6e80"/> <cybox:Observable idref="mandiant:observable-2935559c-5d93-4b38-9e37-4e5f2b6286f9"/> <cybox:Observable idref="mandiant:observable-dfcc4c5d-2f42-41c4-9f23-47761e3b131b"/> <cybox:Observable idref="mandiant:observable-0d4c14c4-1429-4ccd-a920-2b2a0d1e41f2"/> <cybox:Observable idref="mandiant:observable-3eb5f738-d087-4dc5-8163-8223166aa1ca"/> <cybox:Observable idref="mandiant:observable-7eb89e1e-6d8b-44e7-97ac-5506f6011ac9"/> <cybox:Observable idref="mandiant:observable-f3ad0de3-9089-49e6-8089-e5833e066c20"/> <cybox:Observable idref="mandiant:observable-4ffae2b5-e390-4300-93f7-34c5fcc55faf"/> <cybox:Observable idref="mandiant:observable-f080431e-deb2-48f1-8daf-cc3fb38f2808"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-a8a18d7a-87fe-479f-8f9b-9bb19046230c"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-59a60655-c1e2-449d-b3bd-42a445a7e6bd"/> <cybox:Observable id="mandiant:observable-b0bcd3f9-efef-4b03-bbef-866cc63d0437"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-3a115c77-5a93-4252-bdd7-5c6d15a72786"/> <cybox:Observable idref="mandiant:observable-245a22dc-f856-4b97-85a0-7429e8b5fd48"/> <cybox:Observable 
idref="mandiant:observable-abb701e7-f05a-40b0-8fdd-4b5ffa109252"/> <cybox:Observable idref="mandiant:observable-66bf87e0-dc35-49ae-9dad-4a9eab4d8e7c"/> <cybox:Observable idref="mandiant:observable-8aa681bc-f5be-489b-b449-203212e81e58"/> <cybox:Observable idref="mandiant:observable-07122710-2023-41d4-8dff-a5948c54bb07"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="86f988b7-fa02-46df-8e19-e50ce37f0fed" last-modified="2013-02-10T13:00:00"> <short_description>COOKIEBAG (FAMILY)</short_description> <description>This family of malware is a backdoor capable of file upload and download as well as providing remote interactive shell access to the compromised machine. Communication with the Command &amp; Control (C2) servers uses a combination of single-byte XOR and Base64 encoded data in the Cookie and Set-Cookie HTTP header fields. Communication with the C2 servers is over port 80. Some variants install a registry key as means of a persistence mechanism. 
The hardcoded strings cited include a string of a command in common with several other APT1 families.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">COOKIEBAG</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Backdoor</link> </links> <definition> <Indicator operator="OR" id="809eca7a-fb86-44eb-b355-403c58e2159a"> <IndicatorItem id="79abb1a5-bbf6-43af-8467-532f71c6dd87" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">73a63c21a08b0ad2c69999e448f8e6a1</Content> </IndicatorItem> <IndicatorItem id="04e77da2-5b8a-412b-a399-f469ec0e04b6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a4903f7c293993069f865468bd7cec78</Content> </IndicatorItem> <IndicatorItem id="00351da5-c885-484e-bc72-aad44ed08e51" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0c28ad34f90950bc784339ec9f50d288</Content> </IndicatorItem> <IndicatorItem id="7bd94800-81f8-4dfa-b249-03d98b0b9606" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e6c25f9994b723d39c785ddfd38a31b8</Content> </IndicatorItem> <IndicatorItem id="33c801e0-2c42-4dd8-b596-2db00964a928" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6ab7fa8e5fb63b8d0723387d0a1ffe6d</Content> </IndicatorItem> <IndicatorItem id="59522153-7522-482b-8bb6-010211a6737a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">989b797c2a63fbfc8e1c6e8a8ccd6204</Content> </IndicatorItem> <IndicatorItem id="0b06b091-69d3-4914-a234-bdf613539c68" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0cad42671e5771574df44a23b3634f32</Content> </IndicatorItem> <IndicatorItem 
id="db9d2702-a55a-406e-9d02-46afead92b6e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">57326cd78a56d26e349bbd4bcc5b9fa2</Content> </IndicatorItem> <IndicatorItem id="f17fffc0-839f-4ad1-8d74-0db32124b8e6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">543e03cc5872e9ed870b2d64363f518b</Content> </IndicatorItem> <IndicatorItem id="81a255ee-0927-4ad9-9fba-9aab5e6cd76f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">db2580f5675f04716481b24bb7af468e</Content> </IndicatorItem> <IndicatorItem id="5849c3c1-d099-4733-b03e-8c56711194d0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">687a58dcbc076b04bef4ec6050310fb5</Content> </IndicatorItem> <IndicatorItem id="f08759f3-d4cc-4309-a7e2-8c6fdbbce80b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">609d917a7f0c526b0d8091c8191da376</Content> </IndicatorItem> <IndicatorItem id="2ccebfa9-1eaa-460e-9341-8a96a2ff7a2b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f9a46d5024c05a827912a89ca270c553</Content> </IndicatorItem> <IndicatorItem id="f547229b-7a04-431e-b56b-09ac98678697" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a311516cdf06d3db4f49e67da5213ebe</Content> </IndicatorItem> <IndicatorItem id="7215d193-972f-444c-aa18-a61daabc04a6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f3611c5c793f521f7ff2a69c22d4174e</Content> </IndicatorItem> <IndicatorItem id="c1343674-dd87-49a0-a4a3-a27d0818dc18" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c21591aa72ac72872f5bd05bbca5e4da</Content> </IndicatorItem> <IndicatorItem 
id="b7c91545-2a05-4b62-b1dd-1fb71e82ab89" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3e72fd40e47e232496b303734f1b2b11</Content> </IndicatorItem> <IndicatorItem id="e3b2626b-c7d3-4a44-a824-6bf850243237" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">321d75c9990408db812e5a248a74f8c8</Content> </IndicatorItem> <!-- The next two items compare FileItem/StringList/string against literal Base64 text with condition "is". The first value decodes to c:\\windows\\system32\\cmd.exe (backslashes doubled) and the second to cmd.exe. Neither item id (d1810518..., bd6b2ced...) has a cybox:Observable idref in this indicator's Observable_Composition, so a consumer that evaluates only the CybOX observables never tests these strings; evaluate the OpenIOC definition as well. NOTE(review): both items sit directly under the top-level OR, and the second is described as shared with other APT1 families, so a hit on a string alone looks like a triage lead rather than a COOKIEBAG attribution; confirm with a hash or with the AND groups that follow. --> <IndicatorItem id="d1810518-b626-4311-a145-1c4598d7a1ac" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">YzpcXHdpbmRvd3NcXHN5c3RlbTMyXFxjbWQuZXhl</Content> <Comment>common string found in all observed variants of this family</Comment> </IndicatorItem> <IndicatorItem id="bd6b2ced-0f3c-4049-b8fc-7c616fb7b8a9" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">Y21kLmV4ZQ==</Content> <Comment>string in common w/ other APT1 malware families found in all observed variants of this family</Comment> </IndicatorItem> <Indicator operator="AND" id="afee0590-19b9-4126-876b-bfb17ebd7abf"> <Indicator operator="OR" id="45742288-6707-47b5-9969-8fe7508f96d1"> <IndicatorItem id="ff943c0a-9e58-4386-ad14-34015d84e415" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">126976</Content> </IndicatorItem> <IndicatorItem id="1440d9e1-ac2b-4070-9c52-18c09764e9e5" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">131072</Content> </IndicatorItem> <IndicatorItem id="3439977d-e115-4d8f-b132-0ad1d43a03f9" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">151552</Content> </IndicatorItem> <IndicatorItem id="710c48a6-5469-4bd4-92eb-e42e88513684" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">152064</Content> 
</IndicatorItem> <IndicatorItem id="7141fe94-297a-4e1b-84ae-27750d6ca75f" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">167936</Content> </IndicatorItem> <IndicatorItem id="084208aa-67d9-4c4f-94b6-f6473e2d2145" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">64000</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="a59ef15a-1121-44af-9043-8585cc55903c"> <IndicatorItem id="c0e76f51-65b3-4674-8f40-0e9f3c0aad5e" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-06-03T08:09:58Z</Content> </IndicatorItem> <IndicatorItem id="8e459a03-786e-43e3-855b-e20e6335e26b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-07-18T03:10:56Z</Content> </IndicatorItem> <IndicatorItem id="925a2eca-69c1-4ffb-b40f-2cacb6b7a5cb" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-10-12T01:58:10Z</Content> </IndicatorItem> <IndicatorItem id="82dd6cbd-30f3-4cea-a8c9-740a546241d4" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-11-16T15:07:45Z</Content> </IndicatorItem> <IndicatorItem id="b3633486-591f-4efb-b237-0e4fb02ad91c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-11-22T01:15:22Z</Content> </IndicatorItem> <IndicatorItem id="e63613fd-a9a1-4a98-ad5a-fdc220e0441f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-03-12T01:34:56Z</Content> </IndicatorItem> <IndicatorItem id="fabb74b2-60b0-41d4-a5c0-36352424c0e5" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content 
type="date">2012-03-13T03:47:57Z</Content> </IndicatorItem> <IndicatorItem id="a6b24c9d-1a03-45af-914b-6acf27687c54" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-03-14T14:29:00Z</Content> </IndicatorItem> <IndicatorItem id="01537a75-9e1b-40ca-8f89-9c86be215732" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-04-17T07:24:52Z</Content> </IndicatorItem> <IndicatorItem id="351316b2-0c9e-4f14-8378-2c501708d770" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-06-19T07:21:24Z</Content> </IndicatorItem> <IndicatorItem id="0c587488-54ba-4632-842b-61bf5f1312af" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-06-11T12:37:20Z</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="dcbb72e5-50e0-47ab-99a2-fd0deecb35e7"> <IndicatorItem id="afa38bcf-b80a-47ee-9c0a-2fdf6dba7f9e" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">acrod32.exe</Content> </IndicatorItem> <IndicatorItem id="1a17e869-fc4d-41da-b236-9dbcb88d6ff2" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">updata.exe</Content> </IndicatorItem> <IndicatorItem id="7e48992d-2ff8-4f80-9889-8f35073af141" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">windows.exe</Content> </IndicatorItem> <IndicatorItem id="5a7e8dc6-f0af-4758-850b-0df033d97e1a" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">acrord32.exe</Content> </IndicatorItem> <IndicatorItem id="0c04da43-6de5-4333-a254-8242134172c5" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content 
type="string">204.exe</Content> </IndicatorItem> <IndicatorItem id="6023b32f-45a6-47ea-ac7c-fbffd35f6e80" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">windows.exe</Content> </IndicatorItem> <IndicatorItem id="2935559c-5d93-4b38-9e37-4e5f2b6286f9" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">update.exe</Content> </IndicatorItem> <IndicatorItem id="dfcc4c5d-2f42-41c4-9f23-47761e3b131b" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">googlee.exe</Content> </IndicatorItem> <IndicatorItem id="0d4c14c4-1429-4ccd-a920-2b2a0d1e41f2" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">codeguru.exe</Content> </IndicatorItem> <IndicatorItem id="3eb5f738-d087-4dc5-8163-8223166aa1ca" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">google.exe</Content> </IndicatorItem> <IndicatorItem id="7eb89e1e-6d8b-44e7-97ac-5506f6011ac9" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">66.exe</Content> </IndicatorItem> <IndicatorItem id="f3ad0de3-9089-49e6-8089-e5833e066c20" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">services.exe</Content> </IndicatorItem> <IndicatorItem id="4ffae2b5-e390-4300-93f7-34c5fcc55faf" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">data.exe</Content> </IndicatorItem> <!-- NOTE(review): the checksum_is_zero item below is a member of the FileName OR group (dcbb72e5...), not a separate branch of the enclosing AND (afee0590...). A file whose size and PE timestamp match the two sibling OR groups therefore satisfies this group on the header anomaly alone, whatever its name. Several names in the group (services.exe, update.exe, windows.exe, google.exe) are also used by legitimate software and only carry weight inside that AND; windows.exe appears twice (items 7e48992d... and 6023b32f...). Do not lift individual file names out of this group into a standalone watchlist. --> <IndicatorItem id="f080431e-deb2-48f1-8daf-cc3fb38f2808" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" 
id="a8a18d7a-87fe-479f-8f9b-9bb19046230c"> <IndicatorItem id="59a60655-c1e2-449d-b3bd-42a445a7e6bd" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">Software\Microsoft\Windows Nt\CurrentVersion\load</Content> <Comment>registry key created by some variants of this malware family</Comment> </IndicatorItem> <Indicator operator="OR" id="b0bcd3f9-efef-4b03-bbef-866cc63d0437"> <IndicatorItem id="3a115c77-5a93-4252-bdd7-5c6d15a72786" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">windows.exe</Content> </IndicatorItem> <IndicatorItem id="245a22dc-f856-4b97-85a0-7429e8b5fd48" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">acrord32.exe</Content> </IndicatorItem> <IndicatorItem id="abb701e7-f05a-40b0-8fdd-4b5ffa109252" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">winword.exe</Content> </IndicatorItem> <IndicatorItem id="66bf87e0-dc35-49ae-9dad-4a9eab4d8e7c" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">google.exe</Content> </IndicatorItem> <IndicatorItem id="8aa681bc-f5be-489b-b449-203212e81e58" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">204.exe</Content> </IndicatorItem> <IndicatorItem id="07122710-2023-41d4-8dff-a5948c54bb07" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">acrod32.exe</Content> </IndicatorItem> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" 
id="mandiant:indicator-1c200d34-351f-47fa-bf6f-1c596d2779a7"> <indicator:Title>DAIRY (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> Members of this malware family are backdoors that provide file downloading, process listing, process killing, and reverse shell capabilities. This malware may also add itself to the Authorized Applications list for the Windows Firewall. </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-267cf04a-b1ea-4756-90ca-442de0f74be9"/> <cybox:Observable idref="mandiant:observable-dfe18b38-c8d3-45d6-8542-28d37227eb3d"/> <cybox:Observable idref="mandiant:observable-edadff3c-51cd-447f-8ca0-24abec5e8d88"/> <cybox:Observable id="mandiant:observable-dd3fa6a8-fc73-4211-94e7-60730bc66228"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-a85a454c-18d7-4560-9332-210ec477f636"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-dfc0f5ed-e8f0-469a-81c1-86514e485600"/> <cybox:Observable idref="mandiant:observable-0f8190de-760a-430e-b46e-10ac3f60e2c9"/> <cybox:Observable idref="mandiant:observable-3af82cfc-5792-4879-bc4b-69cac7e8a0fa"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-0f0569fd-4072-4ca9-8073-f80839440c60"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-6aec48e0-76df-497c-ace5-477f7db586c9"/> <cybox:Observable idref="mandiant:observable-a937d71f-de57-406b-a918-7a2d732bb11b"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-a417f574-b6fb-415f-b16f-8b4c5faeff41"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-45c9f5f6-edfa-4800-adf7-c05a70430c2f"/> <cybox:Observable 
id="mandiant:observable-696c93c4-ac4d-4971-9fd7-d9eba5c71897"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-168d2376-1ff6-42b9-9718-08aa6bce57c8"/> <cybox:Observable idref="mandiant:observable-28e9d169-d549-4d1f-b23d-7ca36febe76b"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="8900aa6b-883d-48d3-a07d-d49b0429dd2b" last-modified="2013-02-10T13:00:00"> <short_description>DAIRY (FAMILY)</short_description> <description>Members of this malware family are backdoors that provide file downloading, process listing, process killing, and reverse shell capabilities. 
This malware may also add itself to the Authorized Applications list for the Windows Firewall.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">DAIRY</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Backdoor</link> </links> <definition> <Indicator operator="OR" id="1c200d34-351f-47fa-bf6f-1c596d2779a7"> <IndicatorItem id="267cf04a-b1ea-4756-90ca-442de0f74be9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">995442f722cc037885335340fc297ea0</Content> </IndicatorItem> <IndicatorItem id="dfe18b38-c8d3-45d6-8542-28d37227eb3d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8489dc2c1291aa717b8ce81d5bf90892</Content> </IndicatorItem> <IndicatorItem id="edadff3c-51cd-447f-8ca0-24abec5e8d88" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">\temp\updatasched.exe</Content> <Comment>this malware family creates a copy of cmd.exe with this name in a temp directory as part of its attempt to set up a reverse shell</Comment> </IndicatorItem> <Indicator operator="AND" id="dd3fa6a8-fc73-4211-94e7-60730bc66228"> <Indicator operator="OR" id="a85a454c-18d7-4560-9332-210ec477f636"> <IndicatorItem id="dfc0f5ed-e8f0-469a-81c1-86514e485600" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> <IndicatorItem id="0f8190de-760a-430e-b46e-10ac3f60e2c9" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-01-29T22:52:49Z</Content> </IndicatorItem> <IndicatorItem id="3af82cfc-5792-4879-bc4b-69cac7e8a0fa" condition="is"> <Context document="FileItem" 
search="FileItem/SizeInBytes" type="mir"/> <Content type="int">19456</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="0f0569fd-4072-4ca9-8073-f80839440c60"> <IndicatorItem id="6aec48e0-76df-497c-ace5-477f7db586c9" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">Lssavp32.exe</Content> </IndicatorItem> <IndicatorItem id="a937d71f-de57-406b-a918-7a2d732bb11b" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">WinverSSL.exe</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="a417f574-b6fb-415f-b16f-8b4c5faeff41"> <IndicatorItem id="45c9f5f6-edfa-4800-adf7-c05a70430c2f" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</Content> <Comment>This registry artifact may be present from the malware adding itself to the Windows Firewall configuration</Comment> </IndicatorItem> <!-- NOTE(review): the FileName items above (Lssavp32.exe, WinverSSL.exe) and the registry Text items in the OR group below (lssap32.exe, winverssl.exe) do not line up exactly: Lssavp32 and lssap32 differ by a letter, not only by case. Confirm the intended spelling against the source report before normalising or deduplicating these values. The registry Path item above is matched with condition "contains" and carries no hive or ControlSet prefix, and the Text items are likewise "contains" matches, so this AND group only narrows to this family when both halves hit on the same registry item. --> <Indicator operator="OR" id="696c93c4-ac4d-4971-9fd7-d9eba5c71897"> <IndicatorItem id="168d2376-1ff6-42b9-9718-08aa6bce57c8" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">lssap32.exe</Content> </IndicatorItem> <IndicatorItem id="28e9d169-d549-4d1f-b23d-7ca36febe76b" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">winverssl.exe</Content> </IndicatorItem> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-b26314f3-956f-4340-bd9a-60f0e4ff210f"> <indicator:Title>Appendix E - APT1 File Hashes</indicator:Title> <indicator:Type 
vocab_name="Mandiant">Composite</indicator:Type> <indicator:Description> MD5 Hashes from APT 1 malware </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-05651fe8-64d2-47b5-a874-3e78e7918917"/> <cybox:Observable idref="mandiant:observable-103cfa65-fa42-41f0-96c8-0ddc0cbdafa7"/> <cybox:Observable idref="mandiant:observable-2277e6c7-48dd-49b0-a53b-53951f85421d"/> <cybox:Observable idref="mandiant:observable-6896db08-5da6-40ba-9245-2a2a61354db8"/> <cybox:Observable idref="mandiant:observable-6093b5cd-f834-4716-946a-747ebcdbe33a"/> <cybox:Observable idref="mandiant:observable-3b8f989c-920f-47a6-984e-93806bba70cc"/> <cybox:Observable idref="mandiant:observable-18ed243e-cac8-4a2d-b507-b5363a2ecc24"/> <cybox:Observable idref="mandiant:observable-7fc17be6-604f-4b4f-afb6-f4c6880377cd"/> <cybox:Observable idref="mandiant:observable-0397d8b8-47de-4cb2-864a-599325b84582"/> <cybox:Observable idref="mandiant:observable-e5d8c061-332a-4269-b47a-e0115b71bca8"/> <cybox:Observable idref="mandiant:observable-81db5dfe-ca08-4323-ba33-29d97a4219ce"/> <cybox:Observable idref="mandiant:observable-116c0cc0-aaac-46be-927b-5d19de4b3b98"/> <cybox:Observable idref="mandiant:observable-b99065f7-605d-427f-85b0-3b448510d7e3"/> <cybox:Observable idref="mandiant:observable-5c27487c-532e-45ec-bd2e-e535ae07ed67"/> <cybox:Observable idref="mandiant:observable-a33e7133-7c6c-437a-9583-8ee69782fded"/> <cybox:Observable idref="mandiant:observable-370861b5-15a4-4a19-bf7a-bb9616af3a77"/> <cybox:Observable idref="mandiant:observable-f46f394f-9ccd-4edf-b5a2-c8d4a95b2688"/> <cybox:Observable idref="mandiant:observable-9f53293c-3309-4f71-948c-e3cc1c143548"/> <cybox:Observable idref="mandiant:observable-97dec2ec-a86e-4f4d-8255-e9bdb1a1db29"/> <cybox:Observable idref="mandiant:observable-bede4de9-36e7-4c4e-99a2-3b1a7a07e19c"/> <cybox:Observable idref="mandiant:observable-525c226b-b43f-4441-881a-87389b32bde2"/> <cybox:Observable 
idref="mandiant:observable-bce5d153-cfdc-418d-9fe8-df23e0c3e9b5"/> <cybox:Observable idref="mandiant:observable-98cdc7cb-1025-4ccc-8e08-cd0527be057d"/> <cybox:Observable idref="mandiant:observable-4b05928f-343e-4617-9b25-706e1cfc09e3"/> <cybox:Observable idref="mandiant:observable-f02a9717-96f7-4748-a287-ad56d96c9617"/> <cybox:Observable idref="mandiant:observable-26006d09-1a1f-4d35-9a18-21785ad5c5dc"/> <cybox:Observable idref="mandiant:observable-bf5f8836-b3b8-4775-8de1-23b62b36c079"/> <cybox:Observable idref="mandiant:observable-e345f9da-ffd5-46ea-82bd-0682a69c8b99"/> <cybox:Observable idref="mandiant:observable-ccb64070-590a-4b86-967d-87379102b7a5"/> <cybox:Observable idref="mandiant:observable-49c429e4-c709-4830-b312-5d0bb0c8ad97"/> <cybox:Observable idref="mandiant:observable-3bc28d73-633a-43c4-875c-c2cb7551ba44"/> <cybox:Observable idref="mandiant:observable-e8649b93-b7d3-4602-ab29-22443412e013"/> <cybox:Observable idref="mandiant:observable-dad60ab8-b908-4f3c-b4b6-e748eb0af215"/> <cybox:Observable idref="mandiant:observable-440f5cbd-e265-4729-8a03-d31f4949bbee"/> <cybox:Observable idref="mandiant:observable-f5cec6df-5f6d-42a3-aa32-1b3cf57a2f4d"/> <cybox:Observable idref="mandiant:observable-69442a84-08eb-472d-84cb-d78aa05511d2"/> <cybox:Observable idref="mandiant:observable-d7441823-0ef0-44c2-8350-d1456c41847f"/> <cybox:Observable idref="mandiant:observable-e6b7c876-636c-490c-b507-72fa142405c8"/> <cybox:Observable idref="mandiant:observable-c39e7b9f-08bc-4a3a-adec-7c8704385d01"/> <cybox:Observable idref="mandiant:observable-f79746e0-651d-4559-90f1-cbc0120a32ff"/> <cybox:Observable idref="mandiant:observable-275ec552-99da-4afd-9bbe-dbd8dd279990"/> <cybox:Observable idref="mandiant:observable-9bf46e24-9fe4-4efc-9fa5-72ea44503571"/> <cybox:Observable idref="mandiant:observable-3056cb61-e438-4cbf-ba68-bff7077a5652"/> <cybox:Observable idref="mandiant:observable-63a99629-9927-429a-84ef-0f4e2a3b1367"/> <cybox:Observable 
idref="mandiant:observable-ba0d89bb-cef0-4bd7-a4ec-8d28e683e220"/> <cybox:Observable idref="mandiant:observable-3ca10b1b-5286-42d3-8d5a-74e658bdfb9b"/> <cybox:Observable idref="mandiant:observable-545f8c89-f07a-4273-afe0-ae939c34801e"/> <cybox:Observable idref="mandiant:observable-5ba1ef54-b240-4048-81e5-3bf13c725f69"/> <cybox:Observable idref="mandiant:observable-3a423788-f71e-484c-abed-7c00670bfdba"/> <cybox:Observable idref="mandiant:observable-881822be-3dc1-403a-af0e-07376032fa5f"/> <cybox:Observable idref="mandiant:observable-404e40f9-107a-4dad-8dc2-0dc64f141b24"/> <cybox:Observable idref="mandiant:observable-5819d156-9b7a-4d9c-a67c-d6290182d27c"/> <cybox:Observable idref="mandiant:observable-6def3e89-8836-4a8c-ba46-2285da79863f"/> <cybox:Observable idref="mandiant:observable-5261246b-3eb6-4516-9681-7d5b0c1ce8f9"/> <cybox:Observable idref="mandiant:observable-38c036dd-c7e8-4035-b29e-00af763e2ae6"/> <cybox:Observable idref="mandiant:observable-b52a9718-e8e5-4cb0-a837-a37289ea5d9f"/> <cybox:Observable idref="mandiant:observable-cef3482b-70b5-4d5b-a9f2-6a42fc5b975f"/> <cybox:Observable idref="mandiant:observable-bb22d9c5-efa2-452a-baee-0cf6faf0dcce"/> <cybox:Observable idref="mandiant:observable-8ca56c7a-0b17-4be8-8848-8eba311bc883"/> <cybox:Observable idref="mandiant:observable-c3852e5f-f117-4b98-b404-f3df59bf70eb"/> <cybox:Observable idref="mandiant:observable-e24a0c6b-e6bd-4d4a-807e-ed444756f35e"/> <cybox:Observable idref="mandiant:observable-d93d3e6b-8e75-4066-ad27-4ab3c8ddc366"/> <cybox:Observable idref="mandiant:observable-04d2b17b-0de9-4e52-be72-0370587a1e10"/> <cybox:Observable idref="mandiant:observable-b316fe53-7c0d-4ce4-b425-6595d5ab17c7"/> <cybox:Observable idref="mandiant:observable-1ad0f0bd-5b9c-483a-ae66-08106e1403af"/> <cybox:Observable idref="mandiant:observable-326ffec2-dc36-4878-b9e2-5e9e84386b57"/> <cybox:Observable idref="mandiant:observable-96e47165-509c-49a0-ae31-14a52698d1d9"/> <cybox:Observable 
idref="mandiant:observable-5a178b25-59fd-4177-8f57-48f7d497d24a"/> <cybox:Observable idref="mandiant:observable-23042542-a9a7-4aeb-b961-fd30b9f087da"/> <cybox:Observable idref="mandiant:observable-0f2cf480-7862-4df6-a1b8-a7dfb8e52da5"/> <cybox:Observable idref="mandiant:observable-359593a1-2f92-4e19-9ae6-baa0029e6398"/> <cybox:Observable idref="mandiant:observable-add1cad1-09f7-4557-bd37-30fc1b8c7d8a"/> <cybox:Observable idref="mandiant:observable-e91938e3-5fd9-4db3-8168-799fa6f2d1ba"/> <cybox:Observable idref="mandiant:observable-2bb6ca2f-11a8-43c8-81a6-76b822424088"/> <cybox:Observable idref="mandiant:observable-e01a57c5-4648-42a0-a93d-c9371a880da2"/> <cybox:Observable idref="mandiant:observable-85d70fe6-c617-4e6b-a322-52c61fdb9fe5"/> <cybox:Observable idref="mandiant:observable-e86f7f6d-382c-413c-ad3c-d788d6c3def4"/> <cybox:Observable idref="mandiant:observable-c671e8b1-5cb9-47dc-b5b4-70605a357be5"/> <cybox:Observable idref="mandiant:observable-4cb4ee77-cc29-4f5c-bcb1-ea831ba89413"/> <cybox:Observable idref="mandiant:observable-359b1769-35f5-44fe-93fb-88cb8524a50e"/> <cybox:Observable idref="mandiant:observable-0026de5f-5b36-4f6e-9930-1ec7ebede534"/> <cybox:Observable idref="mandiant:observable-398ba8ea-cf1c-4598-a1f6-6780370d5ceb"/> <cybox:Observable idref="mandiant:observable-e60f9259-80ef-4ec7-bcff-f9c34a78bdc2"/> <cybox:Observable idref="mandiant:observable-9132c73d-3ea0-468e-9f23-3cfc63d34e4b"/> <cybox:Observable idref="mandiant:observable-19a43f99-f9e5-4186-913b-3250064505c0"/> <cybox:Observable idref="mandiant:observable-d0e4c8ff-6425-4f6d-8d89-40fe33d249dd"/> <cybox:Observable idref="mandiant:observable-31c11f44-44bf-47d9-8257-71a9e103c43d"/> <cybox:Observable idref="mandiant:observable-bc07cc72-4752-43b3-8541-24eb6f9f7653"/> <cybox:Observable idref="mandiant:observable-9eb5e05e-70b8-473c-8f59-b52a58b0dda9"/> <cybox:Observable idref="mandiant:observable-6d0d4fc3-a1aa-40b6-bb1a-1815879bc7ea"/> <cybox:Observable 
idref="mandiant:observable-794fa688-9801-4524-bb96-e702aa916617"/> <cybox:Observable idref="mandiant:observable-797c48e1-5c0b-425a-afc2-7f1830c06e1b"/> <cybox:Observable idref="mandiant:observable-86e1d024-8f84-4e9f-9c1c-5e7decddfaaf"/> <cybox:Observable idref="mandiant:observable-d2337907-5f47-40a0-b52f-5d764b6dbf49"/> <cybox:Observable idref="mandiant:observable-1098380e-281b-4e66-be75-c614cc97ea40"/> <cybox:Observable idref="mandiant:observable-44686d0b-7211-4e71-866a-aa8006fe12d2"/> <cybox:Observable idref="mandiant:observable-abf4682a-d32d-4ae8-85be-97ae4e3728f0"/> <cybox:Observable idref="mandiant:observable-54faec0a-b2a7-4ea7-93ff-f3644eb1d8fb"/> <cybox:Observable idref="mandiant:observable-982e8250-4a6a-40c9-9264-324a62f3f41d"/> <cybox:Observable idref="mandiant:observable-c20a79fe-4ccd-410a-ad6f-0aa6e7339a08"/> <cybox:Observable idref="mandiant:observable-541ffaec-8c22-4e82-9446-24b49d3599ce"/> <cybox:Observable idref="mandiant:observable-1e4b6646-b454-4d33-be79-03246949326a"/> <cybox:Observable idref="mandiant:observable-06d294e5-8e21-4987-a717-c078fef58614"/> <cybox:Observable idref="mandiant:observable-d70f3afa-092f-4198-a97c-e60eeaa920e9"/> <cybox:Observable idref="mandiant:observable-da7098e0-928c-47ad-acdf-a5e0b31a2b9e"/> <cybox:Observable idref="mandiant:observable-d53a3508-d5bb-4210-bbc0-3a0189d4b976"/> <cybox:Observable idref="mandiant:observable-63dbd09a-2167-4f2c-a4eb-a59a5eb42fb1"/> <cybox:Observable idref="mandiant:observable-23372f15-d5d9-484a-a8b5-48f8a71cae9a"/> <cybox:Observable idref="mandiant:observable-d347c5aa-8573-45e9-b317-4cd48fb33309"/> <cybox:Observable idref="mandiant:observable-bb6a7d86-ccdc-49ad-a300-233466090cb3"/> <cybox:Observable idref="mandiant:observable-6ea1dc10-cf21-4bc9-9936-517e0372a2e9"/> <cybox:Observable idref="mandiant:observable-0eacc6b9-d3db-4732-bdea-c00c11c89584"/> <cybox:Observable idref="mandiant:observable-fc004b7b-ba76-4764-9f3d-d3aaa1b51487"/> <cybox:Observable 
idref="mandiant:observable-77baa40c-7ddb-4101-9b7b-46fd979b1a8f"/> <cybox:Observable idref="mandiant:observable-4ef42795-799a-4a7b-aef5-8b942034c6c6"/> <cybox:Observable idref="mandiant:observable-48a2a6d8-1393-4c20-be66-15b03dd4ca94"/> <cybox:Observable idref="mandiant:observable-3711ab1f-5879-4e86-8796-0226d7e9523e"/> <cybox:Observable idref="mandiant:observable-e8570a77-faaa-4422-a627-30707bf45c36"/> <cybox:Observable idref="mandiant:observable-54c18359-178d-4321-9479-b5037e24cc53"/> <cybox:Observable idref="mandiant:observable-35fa316a-2915-4435-aaeb-65717957bd6f"/> <cybox:Observable idref="mandiant:observable-1e2529c8-c4c7-4a1e-86d7-630842f293b1"/> <cybox:Observable idref="mandiant:observable-8dd5d3da-e922-4e58-83f5-66116f9d0551"/> <cybox:Observable idref="mandiant:observable-31d84c6d-d613-42e9-b1a6-72e6aaa78e94"/> <cybox:Observable idref="mandiant:observable-c5ea82b0-a991-4bc1-a2bf-061887d35b35"/> <cybox:Observable idref="mandiant:observable-9bd9ac90-53d3-437f-910c-af0e0b1e1ec5"/> <cybox:Observable idref="mandiant:observable-de49ae7e-db99-49ac-843d-4ec54d875b82"/> <cybox:Observable idref="mandiant:observable-4599bf78-645b-468f-96cd-5822961ae9aa"/> <cybox:Observable idref="mandiant:observable-2f723b94-d7a1-469a-b792-21a110150d8c"/> <cybox:Observable idref="mandiant:observable-1afa4b6c-0cbe-4a7a-93df-d33eac738ee7"/> <cybox:Observable idref="mandiant:observable-116d1a83-dfba-4e64-8c7b-c9048baa50f1"/> <cybox:Observable idref="mandiant:observable-6ff86f5e-3538-41c6-93e2-c3aa0760592a"/> <cybox:Observable idref="mandiant:observable-ddefd762-9036-479f-bfe9-d9c5fb85f982"/> <cybox:Observable idref="mandiant:observable-1deaf030-e074-4e3a-a788-45ae75a6e669"/> <cybox:Observable idref="mandiant:observable-51e62682-fd26-4ba9-8882-7585c5a8c359"/> <cybox:Observable idref="mandiant:observable-9873610d-551a-418d-855e-7710fcd64e3e"/> <cybox:Observable idref="mandiant:observable-3d56b7e9-ff8f-4318-aded-27ed8a7e763e"/> <cybox:Observable 
idref="mandiant:observable-54fbc385-ac96-45ca-9024-236bfc4945a7"/> <cybox:Observable idref="mandiant:observable-759928a9-9c42-4538-a7cd-172fcef91c1f"/> <cybox:Observable idref="mandiant:observable-f6b20d5f-888e-4b43-9cbd-605cc65d6f62"/> <cybox:Observable idref="mandiant:observable-1c9fb5fb-99d1-4f4b-ada3-11057790d1e8"/> <cybox:Observable idref="mandiant:observable-11eda4af-d518-4728-aeb9-486c7cd2fedf"/> <cybox:Observable idref="mandiant:observable-26941fc7-5dd5-4e01-93df-4e51e0e2f04f"/> <cybox:Observable idref="mandiant:observable-aca6b530-4ad9-4d02-818e-9f6e64f6459b"/> <cybox:Observable idref="mandiant:observable-8f9ef431-47f8-4c5b-a25e-20ea93fa1d64"/> <cybox:Observable idref="mandiant:observable-89fc07df-7c17-4c79-a831-f297fb1e2a87"/> <cybox:Observable idref="mandiant:observable-2e81bf63-45b0-4c8d-9ec9-f169a087a0ca"/> <cybox:Observable idref="mandiant:observable-a8eb1230-6797-4cf7-b823-163672a2b370"/> <cybox:Observable idref="mandiant:observable-a3dbe6c2-b51d-4207-a311-9e5a955bd833"/> <cybox:Observable idref="mandiant:observable-a818911e-297b-4324-aa6f-ac21ec319516"/> <cybox:Observable idref="mandiant:observable-a9086d69-1179-4517-b822-eb84b1658942"/> <cybox:Observable idref="mandiant:observable-0e7d60c6-e783-466d-8594-57c7b0848074"/> <cybox:Observable idref="mandiant:observable-c402b511-6782-40a1-a179-2e72b63c9b82"/> <cybox:Observable idref="mandiant:observable-da9072af-52c2-4305-a16c-e0db04c5d054"/> <cybox:Observable idref="mandiant:observable-12c520fe-2240-4383-9502-338e690862be"/> <cybox:Observable idref="mandiant:observable-5bb7a36f-9773-4ae3-913a-64feb2e8072b"/> <cybox:Observable idref="mandiant:observable-694be730-bf53-4f24-ae76-063d44d84eb2"/> <cybox:Observable idref="mandiant:observable-891409e0-b48b-4378-8135-5f2db3d67cbf"/> <cybox:Observable idref="mandiant:observable-1dd4e157-834b-4f9e-9d33-806646b95a90"/> <cybox:Observable idref="mandiant:observable-0d8f5c5b-5401-44cb-b795-20965c8e0706"/> <cybox:Observable 
idref="mandiant:observable-92428cd7-19a5-4cfb-a526-0d04495d950f"/> <cybox:Observable idref="mandiant:observable-a214cabc-6e30-4abb-b8b0-fbc37daf2658"/> <cybox:Observable idref="mandiant:observable-cd07b272-58ed-4b34-9b23-66c9a6c35410"/> <cybox:Observable idref="mandiant:observable-ba98e853-f69f-44b1-848b-0628b0cc6b02"/> <cybox:Observable idref="mandiant:observable-12b470cd-652e-4a54-8ed3-cdfd2a9627c8"/> <cybox:Observable idref="mandiant:observable-016b517b-d8a2-47d2-926f-1837ca649be1"/> <cybox:Observable idref="mandiant:observable-5d7e66e4-e185-4a2c-a85f-4883e059ba4b"/> <cybox:Observable idref="mandiant:observable-5fc3446a-a934-4c80-87f6-8005cdd9afaf"/> <cybox:Observable idref="mandiant:observable-ba698614-a29d-4fad-9a80-e31494c728ff"/> <cybox:Observable idref="mandiant:observable-effe17e2-3650-4f8d-84b8-b82bb331cf88"/> <cybox:Observable idref="mandiant:observable-741d2a1e-37cd-4450-bb15-96513fd642b6"/> <cybox:Observable idref="mandiant:observable-3e5ad28e-5bfa-4bb7-851f-42d14ccea030"/> <cybox:Observable idref="mandiant:observable-ba856a40-0074-41c1-819f-3cfbbca29a46"/> <cybox:Observable idref="mandiant:observable-4d84aaf2-0cfa-45b9-9b1b-b1f1ed00221e"/> <cybox:Observable idref="mandiant:observable-a4dfc9ad-d778-4574-ad9d-035765b9510b"/> <cybox:Observable idref="mandiant:observable-f2b6c13d-c933-41fe-b5e0-76b0245b5b59"/> <cybox:Observable idref="mandiant:observable-9e57ab75-f804-4c5f-bece-fe6d56a8db5e"/> <cybox:Observable idref="mandiant:observable-4d1bdd42-d9ec-459e-8e8f-2a8057b84d5c"/> <cybox:Observable idref="mandiant:observable-d13b55ac-b75c-4505-a7f2-1b57b56d6b06"/> <cybox:Observable idref="mandiant:observable-db8fef14-2efd-423f-8189-cc3d2152851c"/> <cybox:Observable idref="mandiant:observable-45a74b7f-786e-4381-9d14-63c1d6c1a84b"/> <cybox:Observable idref="mandiant:observable-61279900-2d22-456b-b146-3f5f25c5897e"/> <cybox:Observable idref="mandiant:observable-b5e5baf1-f5b5-4c57-9aeb-28ac618ed7ab"/> <cybox:Observable 
idref="mandiant:observable-23508af8-104d-401c-8390-5c241bea9bf4"/> <cybox:Observable idref="mandiant:observable-f42a0f08-4705-4ba4-893c-feee956ba888"/> <cybox:Observable idref="mandiant:observable-52484842-5bfa-4ae6-938f-f34bb535ac70"/> <cybox:Observable idref="mandiant:observable-28660aaf-40fc-4d95-b857-377940895049"/> <cybox:Observable idref="mandiant:observable-92f22fb9-d3d1-4341-b9f6-a7187f680788"/> <cybox:Observable idref="mandiant:observable-10265b2b-45f8-4173-ba5e-f7d0bfe8d3fa"/> <cybox:Observable idref="mandiant:observable-74672d8b-dd58-45f9-9aea-6d4c31fb944c"/> <cybox:Observable idref="mandiant:observable-ee50608f-9ab2-40e1-ae16-964c37e970c4"/> <cybox:Observable idref="mandiant:observable-d5ed1516-1969-4ac2-b5d1-331110658ef2"/> <cybox:Observable idref="mandiant:observable-99e5c689-7f37-4aff-a45f-c617e6b4a066"/> <cybox:Observable idref="mandiant:observable-c5bcdeb1-e953-4d4e-a703-608fd6cdff4a"/> <cybox:Observable idref="mandiant:observable-e04d55cb-4f79-4b61-8325-69996f9062e1"/> <cybox:Observable idref="mandiant:observable-940679c4-ec10-4eb5-9d21-20b12654b772"/> <cybox:Observable idref="mandiant:observable-29c98e79-163d-49ff-bbcb-3158835d45b6"/> <cybox:Observable idref="mandiant:observable-c282d42f-e81b-48cd-85fd-111d8a0a3099"/> <cybox:Observable idref="mandiant:observable-bdf28114-09ec-4b88-99e6-26a7e199b3f3"/> <cybox:Observable idref="mandiant:observable-3c38aa4c-e87a-4e2b-8a35-c6e78ffec8e7"/> <cybox:Observable idref="mandiant:observable-3f462f7c-f56e-46fb-b242-9ae949f66a6a"/> <cybox:Observable idref="mandiant:observable-d61d7c99-eec5-485a-be51-bd82a6991134"/> <cybox:Observable idref="mandiant:observable-824b99b0-6b88-419a-89ec-e218123bfcb4"/> <cybox:Observable idref="mandiant:observable-3c65469b-0378-4e57-b6d5-a43eec2c7b69"/> <cybox:Observable idref="mandiant:observable-fd76a869-3acd-4e5e-a4b9-26cead229768"/> <cybox:Observable idref="mandiant:observable-5981123c-be20-4852-bd80-53887bd6e1d0"/> <cybox:Observable 
idref="mandiant:observable-b3ba2153-dd85-498f-84cb-fce518db3d76"/> <cybox:Observable idref="mandiant:observable-01c0595d-90ae-4973-b1bb-f7a5bf4cc987"/> <cybox:Observable idref="mandiant:observable-72e103af-aa68-4a48-8deb-d7982a113a2e"/> <cybox:Observable idref="mandiant:observable-d1b2d48b-66f3-45ce-bf59-8ff8dfee1aa5"/> <cybox:Observable idref="mandiant:observable-ddff18bd-d45c-4066-a5e6-ee509c1f8ae4"/> <cybox:Observable idref="mandiant:observable-1ba25759-0637-4361-a2e6-e00f96108434"/> <cybox:Observable idref="mandiant:observable-15ec4e35-97de-4317-80ca-e29ab5690ea0"/> <cybox:Observable idref="mandiant:observable-c65de21f-c921-4ad6-8543-672db0ee4ad7"/> <cybox:Observable idref="mandiant:observable-cdc07416-dda9-4ee6-961d-eb395d8aa546"/> <cybox:Observable idref="mandiant:observable-ee7ba12a-de8b-4acb-a11c-f594d78a4a34"/> <cybox:Observable idref="mandiant:observable-b8771f22-f1d2-4463-ae74-88d73877ef19"/> <cybox:Observable idref="mandiant:observable-c5f09ac4-1660-4b6f-8937-33777c039842"/> <cybox:Observable idref="mandiant:observable-d01ff7bb-1c9d-4f2d-a2e3-93a2ae7c74a8"/> <cybox:Observable idref="mandiant:observable-104d1ce8-162c-455b-9b95-c9f6018ea13e"/> <cybox:Observable idref="mandiant:observable-ccd58757-ad49-4dc4-b512-11eca443e3be"/> <cybox:Observable idref="mandiant:observable-138cc173-f5bb-4c34-afae-990053f4cffd"/> <cybox:Observable idref="mandiant:observable-db75116b-1bf3-413e-a21c-ccf4688b7ff5"/> <cybox:Observable idref="mandiant:observable-1bdaae9c-3cb8-4e09-a694-f3afa52df863"/> <cybox:Observable idref="mandiant:observable-6b1dc651-19bc-4ad1-9e1b-74c5ce9cbc98"/> <cybox:Observable idref="mandiant:observable-83e1f85b-23fd-425e-93d9-bbc2c37c400e"/> <cybox:Observable idref="mandiant:observable-93bf23a9-e338-4ecf-8388-06126c4d3cd8"/> <cybox:Observable idref="mandiant:observable-aa6dea2a-9056-479f-88ef-b0a3cbeaa455"/> <cybox:Observable idref="mandiant:observable-4a0ce12a-e900-4c4d-99d6-4b122731c360"/> <cybox:Observable 
idref="mandiant:observable-df910c86-06cf-44ea-8185-8c0c96e81f8b"/> <cybox:Observable idref="mandiant:observable-abb7dbc2-f22e-4952-acf5-618febc53f4f"/> <cybox:Observable idref="mandiant:observable-30af6eea-cea6-4f14-b744-bf9a8f703f1a"/> <cybox:Observable idref="mandiant:observable-a372d9ff-4aaf-41d1-ba44-c6d033f505da"/> <cybox:Observable idref="mandiant:observable-bce74167-9b44-4df0-a39f-3a3c7277e83e"/> <cybox:Observable idref="mandiant:observable-cabd44e6-983a-4bca-a6fa-4c61fa033bdb"/> <cybox:Observable idref="mandiant:observable-0193b5d9-b3bc-4900-a590-862b975a239f"/> <cybox:Observable idref="mandiant:observable-6879a73c-c49b-4413-892c-499134f0114d"/> <cybox:Observable idref="mandiant:observable-d85d6ef0-4773-43a3-8e85-0216654f565f"/> <cybox:Observable idref="mandiant:observable-502db973-1af6-4bbb-a851-466c92105d2c"/> <cybox:Observable idref="mandiant:observable-8be65eaf-2d7c-4e62-9bfa-17d9fd775ee8"/> <cybox:Observable idref="mandiant:observable-4c462c80-0f77-4007-8f2d-a1f78c2afc81"/> <cybox:Observable idref="mandiant:observable-563bf0ce-e0ee-4340-b484-33ddf3f83eb5"/> <cybox:Observable idref="mandiant:observable-746cc7d0-76e2-43c5-ae3d-ff6620621228"/> <cybox:Observable idref="mandiant:observable-6b11ff12-d96c-4ae8-a2be-9fb5c59fa698"/> <cybox:Observable idref="mandiant:observable-f0677089-a8c4-467c-bfb5-5b3b07babdd2"/> <cybox:Observable idref="mandiant:observable-477c3d89-6041-4b2e-997d-f61a4a31c005"/> <cybox:Observable idref="mandiant:observable-c41366a8-2659-4319-bc47-09b215b7e8a4"/> <cybox:Observable idref="mandiant:observable-6b875024-ebe6-4ea9-8708-2ed280651413"/> <cybox:Observable idref="mandiant:observable-b4dcbe3f-63e6-42d5-b10e-3f2f3c999e8a"/> <cybox:Observable idref="mandiant:observable-976581b3-2c09-4da6-86cf-1b5546901bd6"/> <cybox:Observable idref="mandiant:observable-aa4a91e8-493d-4b0c-9c99-af4ef5336a8f"/> <cybox:Observable idref="mandiant:observable-c9215163-4611-4905-9288-4f7d732d3f55"/> <cybox:Observable 
idref="mandiant:observable-a4195997-7509-4b3f-b824-1d650217b5d2"/> <cybox:Observable idref="mandiant:observable-bb93c805-8268-467a-b4a2-64f40dfc1e23"/> <cybox:Observable idref="mandiant:observable-671043a6-7b1f-414f-983e-03352d8f30e0"/> <cybox:Observable idref="mandiant:observable-cd95c08b-d8bd-4889-b4f5-b189aa7fb825"/> <cybox:Observable idref="mandiant:observable-a6c4ff07-6162-431c-ab3f-be5f8bab5c8c"/> <cybox:Observable idref="mandiant:observable-e944fb78-bb15-4294-9480-17256f077d78"/> <cybox:Observable idref="mandiant:observable-64fdc9f8-7608-42db-9087-621fee4f55d0"/> <cybox:Observable idref="mandiant:observable-9ef95b84-db32-4ede-9140-656d6fb14e29"/> <cybox:Observable idref="mandiant:observable-dda930ae-86cf-4a57-85c3-2d7020e3fb9b"/> <cybox:Observable idref="mandiant:observable-851205be-9d18-44dc-8873-d3852894368d"/> <cybox:Observable idref="mandiant:observable-2625b006-e1bd-4f59-902e-9b9a9012424e"/> <cybox:Observable idref="mandiant:observable-15a688c1-a8f7-4656-9d3d-e7b7a677e85d"/> <cybox:Observable idref="mandiant:observable-f2bfc2f7-7b56-496e-9d9e-b33a5eb0e257"/> <cybox:Observable idref="mandiant:observable-5552cf1b-0cb8-486e-9f40-3ab0205d45eb"/> <cybox:Observable idref="mandiant:observable-011db5d9-e228-43d5-ae55-bc81bf98311c"/> <cybox:Observable idref="mandiant:observable-2d52025c-6954-41ac-8350-aa7574771ccc"/> <cybox:Observable idref="mandiant:observable-2f375642-db88-42fc-8394-00f58e27aa90"/> <cybox:Observable idref="mandiant:observable-f5c8c285-db9b-43c3-bcdb-44030d13e7bb"/> <cybox:Observable idref="mandiant:observable-aee33872-838c-48a9-9a65-87ea320d3ba0"/> <cybox:Observable idref="mandiant:observable-1dd90fa1-59f7-4561-a9a3-7cc8653488ee"/> <cybox:Observable idref="mandiant:observable-2a628575-8096-4a5c-bfce-ab3e3f6bff20"/> <cybox:Observable idref="mandiant:observable-ecc5e067-1ae0-413c-82f0-1a2faf521d06"/> <cybox:Observable idref="mandiant:observable-3f36b356-9c91-43aa-b829-96aa877064af"/> <cybox:Observable 
idref="mandiant:observable-58ae957b-fd63-4a25-912d-a8c1de6b6da8"/> <cybox:Observable idref="mandiant:observable-107c4f67-380f-4346-8cff-12ff38beff29"/> <cybox:Observable idref="mandiant:observable-3b90b833-c8d7-4ac5-bf2d-8f8c1e9e6393"/> <cybox:Observable idref="mandiant:observable-2153595f-b315-4b51-b5f9-362545a09116"/> <cybox:Observable idref="mandiant:observable-fa8b9841-e5a7-4a62-b963-cd2a010423c4"/> <cybox:Observable idref="mandiant:observable-a91a6c5d-2f12-439c-a4ca-7a815a8af6f4"/> <cybox:Observable idref="mandiant:observable-9f90a5ae-3d83-412a-926f-9e6286f39ada"/> <cybox:Observable idref="mandiant:observable-7d0cf1f1-d405-4899-8d4c-eedb4294619c"/> <cybox:Observable idref="mandiant:observable-235f4d5f-ac14-43bd-b339-2c10a1cba74c"/> <cybox:Observable idref="mandiant:observable-406bf6b6-5f28-4a0b-9d53-7965c71e90aa"/> <cybox:Observable idref="mandiant:observable-2856378e-1bc8-4803-8f38-d0a71c514b8a"/> <cybox:Observable idref="mandiant:observable-2e71e0ab-9698-4ea2-af45-3298d113d4ee"/> <cybox:Observable idref="mandiant:observable-ad323f66-7ce8-4e19-8be7-0512f116d904"/> <cybox:Observable idref="mandiant:observable-a3f38876-8b2e-41f4-ad4a-a888d8765396"/> <cybox:Observable idref="mandiant:observable-232f108f-4dd7-4125-a359-42b8211bda79"/> <cybox:Observable idref="mandiant:observable-0e1c72b5-3b5f-413a-a09f-8b10c427da94"/> <cybox:Observable idref="mandiant:observable-f8bf4f08-aa74-401c-b7cd-64258bcf842a"/> <cybox:Observable idref="mandiant:observable-e3c8c1c0-41f6-4e16-b84a-20d5a3704c68"/> <cybox:Observable idref="mandiant:observable-67832c9b-400f-4ef7-a937-c095bf005930"/> <cybox:Observable idref="mandiant:observable-ec09392d-30ec-499a-8d51-3740c3bb8977"/> <cybox:Observable idref="mandiant:observable-995c2b05-2ff3-4d72-9191-468685bc4083"/> <cybox:Observable idref="mandiant:observable-3bf8ddd5-ea93-4583-8315-6e7f541c0f25"/> <cybox:Observable idref="mandiant:observable-e1a3765f-07f0-452a-8c85-2a8f695d233e"/> <cybox:Observable 
idref="mandiant:observable-4c582b32-dd15-4846-bfd0-10849ea84b96"/> <cybox:Observable idref="mandiant:observable-8eaf6266-a888-44aa-8e99-2a5996800de6"/> <cybox:Observable idref="mandiant:observable-64d6efd1-9d30-43e5-b19d-5a566fe24e33"/> <cybox:Observable idref="mandiant:observable-ea553c08-c6b6-44d5-bc56-551272a5f02d"/> <cybox:Observable idref="mandiant:observable-b30a0d82-77ba-402d-b7ee-57bf5fcd3210"/> <cybox:Observable idref="mandiant:observable-2340c5fe-d2a9-4f76-9e7c-6e311434ecd1"/> <cybox:Observable idref="mandiant:observable-742493b6-9811-45db-98af-ec037cb8bec8"/> <cybox:Observable idref="mandiant:observable-266ccf83-4261-4cd1-94b2-c708e3cde982"/> <cybox:Observable idref="mandiant:observable-43394133-3171-4225-bf3f-4e54f5aa09cc"/> <cybox:Observable idref="mandiant:observable-a6782aed-077b-46c2-b353-b0bdac060e1c"/> <cybox:Observable idref="mandiant:observable-d5df9e4a-240a-4167-afcf-77904047b580"/> <cybox:Observable idref="mandiant:observable-d594ae76-2ea7-4e97-9c12-6c6fec436714"/> <cybox:Observable idref="mandiant:observable-988e9f00-1ca2-46dc-827b-c941b7b064c7"/> <cybox:Observable idref="mandiant:observable-22f5e5ee-a879-418c-8a93-68431d0820be"/> <cybox:Observable idref="mandiant:observable-23aa48b5-3860-4878-a577-e999f54db61b"/> <cybox:Observable idref="mandiant:observable-22b46407-6ff7-48e0-8fec-36198765d91c"/> <cybox:Observable idref="mandiant:observable-0dcfeba9-56b4-42ac-bc6e-9afe16141c14"/> <cybox:Observable idref="mandiant:observable-b815e8d1-0ee2-4487-9c10-b5fd3790901c"/> <cybox:Observable idref="mandiant:observable-4cc76b8d-04e8-4b1a-9e6e-ef766724ffab"/> <cybox:Observable idref="mandiant:observable-b2e338dc-bbb1-44ed-9e59-2731e237986f"/> <cybox:Observable idref="mandiant:observable-1ef89454-374e-412c-b0a7-6a6fda1c28d1"/> <cybox:Observable idref="mandiant:observable-e5f8c37b-65b1-4de2-aeed-149c90738052"/> <cybox:Observable idref="mandiant:observable-6c17777c-cf7c-47da-ae7f-7a68a33a3b52"/> <cybox:Observable 
idref="mandiant:observable-c39109a7-484f-4e82-9ee6-54407551d4dc"/> <cybox:Observable idref="mandiant:observable-d29a1aa7-d719-4494-8ccf-fd52ae9a6bce"/> <cybox:Observable idref="mandiant:observable-67f0c320-9f3b-4db4-a480-97284a4f3697"/> <cybox:Observable idref="mandiant:observable-7d01965d-d4fa-41a6-a085-93c853927b70"/> <cybox:Observable idref="mandiant:observable-b6679020-8901-43e3-8178-444bc67df5c3"/> <cybox:Observable idref="mandiant:observable-adc011ca-4091-43a8-8f9d-f7de0a482878"/> <cybox:Observable idref="mandiant:observable-1864f777-bdb1-4fb8-bc4d-7c02e6b05c40"/> <cybox:Observable idref="mandiant:observable-bbfaa6be-5d52-4e50-921c-6cf6ba19feea"/> <cybox:Observable idref="mandiant:observable-7320ff60-0357-4ec4-8039-12a6c15ef11f"/> <cybox:Observable idref="mandiant:observable-1237a856-97ed-4f3a-8247-66021139e0ce"/> <cybox:Observable idref="mandiant:observable-ac58fd01-8142-45a5-9e80-7193362ea4c0"/> <cybox:Observable idref="mandiant:observable-6e58b715-3ccb-439c-b52d-3e05e9628add"/> <cybox:Observable idref="mandiant:observable-01e68200-32c9-4ede-ab08-dadb78622d43"/> <cybox:Observable idref="mandiant:observable-c6a2a34d-c377-432b-ba6a-17c24b8fba9e"/> <cybox:Observable idref="mandiant:observable-8f9353f9-5455-49a8-a2c8-ab82fb50e13a"/> <cybox:Observable idref="mandiant:observable-b9f49549-e2d5-4a57-9cee-31dc460c6d61"/> <cybox:Observable idref="mandiant:observable-39bcba25-04ef-4085-8f25-7fa4fb851af4"/> <cybox:Observable idref="mandiant:observable-b5069f8e-f98f-4023-a8fd-c9f8e22ecce0"/> <cybox:Observable idref="mandiant:observable-075f433d-0494-43ba-b728-988d8258f8c9"/> <cybox:Observable idref="mandiant:observable-6a2bd203-34ac-44b4-afd9-1a36b3ccecf6"/> <cybox:Observable idref="mandiant:observable-a7bc9f0d-56cb-4563-bc1b-e140e602cf72"/> <cybox:Observable idref="mandiant:observable-d99875e3-2e4f-4cd0-87a1-b9c01bffb319"/> <cybox:Observable idref="mandiant:observable-d6d97470-7ba3-45d1-a47d-cec22a5e7127"/> <cybox:Observable 
idref="mandiant:observable-abba48fe-9d40-44b2-9c45-f104a23aad96"/> <cybox:Observable idref="mandiant:observable-5c2d0406-23b4-4e7c-aac5-2005bbf24476"/> <cybox:Observable idref="mandiant:observable-0af3a04c-ec24-477d-a66c-bb4294c8c04c"/> <cybox:Observable idref="mandiant:observable-c289bfec-8828-4e95-8ab8-76826afbd6a5"/> <cybox:Observable idref="mandiant:observable-86212698-a237-41d2-8f60-4c2dcf0b5504"/> <cybox:Observable idref="mandiant:observable-fcdccb0a-c867-4f14-ba94-c1a2e21da423"/> <cybox:Observable idref="mandiant:observable-3ceeb576-730b-46c7-978d-a14c53d8eecf"/> <cybox:Observable idref="mandiant:observable-e38947bf-8ad0-46eb-902e-6bba805eb1c4"/> <cybox:Observable idref="mandiant:observable-e1d4b562-5eed-4bbc-a46e-5f8601b707d5"/> <cybox:Observable idref="mandiant:observable-aa61b320-9f15-44db-b258-50c70b1dc9be"/> <cybox:Observable idref="mandiant:observable-4b47e6a7-8ea3-4dd6-b2cb-ae81bc1b34be"/> <cybox:Observable idref="mandiant:observable-ff7ba23f-cbbd-4cb2-b38a-69d537149ede"/> <cybox:Observable idref="mandiant:observable-f256b4cc-da34-47fd-ac26-0a9ea37beeb8"/> <cybox:Observable idref="mandiant:observable-e3102e66-7434-42b0-a0c7-a885c0d0c776"/> <cybox:Observable idref="mandiant:observable-59f243bc-817f-4d2b-9ca6-c3720e6cd19d"/> <cybox:Observable idref="mandiant:observable-60ebd784-a5d9-4a07-99ca-8c6cfa5cae49"/> <cybox:Observable idref="mandiant:observable-d845fd40-b501-4abd-bd5f-8f5489b967fb"/> <cybox:Observable idref="mandiant:observable-6d5a329b-8eb4-4f9d-9a50-3c9daaa1f6dc"/> <cybox:Observable idref="mandiant:observable-57874f70-3316-4391-a138-6670cd7199ff"/> <cybox:Observable idref="mandiant:observable-6c938702-2897-471a-8dcf-bbcba461ddf5"/> <cybox:Observable idref="mandiant:observable-0873a202-81e5-4558-98fb-2135116c11de"/> <cybox:Observable idref="mandiant:observable-b9e94bd8-3f1b-4fb5-a872-b0b941450091"/> <cybox:Observable idref="mandiant:observable-ae13ea96-242a-4257-8b2b-29246951cbeb"/> <cybox:Observable 
idref="mandiant:observable-e53f6059-c079-4fb2-a032-aab87404f472"/> <cybox:Observable idref="mandiant:observable-21f21534-d37e-4309-a349-500e5e3b3e76"/> <cybox:Observable idref="mandiant:observable-013bfa26-7131-483c-a482-bd7ba4c3f2b2"/> <cybox:Observable idref="mandiant:observable-e3453288-e183-4442-a1ea-9c9fbda12df0"/> <cybox:Observable idref="mandiant:observable-79c61b66-082d-4d30-bafd-3f158fd79bc1"/> <cybox:Observable idref="mandiant:observable-8b27ec1c-e84a-4154-9e8c-83db21293eff"/> <cybox:Observable idref="mandiant:observable-482d80c8-9f63-41c6-a77e-58022b4d72ce"/> <cybox:Observable idref="mandiant:observable-c9f2c97a-d563-46fb-936e-3c7a60afa8c6"/> <cybox:Observable idref="mandiant:observable-c44845ef-f727-4e3d-8c4c-0912bc197dc8"/> <cybox:Observable idref="mandiant:observable-09c111ba-6d61-478c-bcc1-35895d0f8f55"/> <cybox:Observable idref="mandiant:observable-bf6662c5-dd5b-4fb0-acfc-b802a2625843"/> <cybox:Observable idref="mandiant:observable-c9c1844f-52a9-4c31-b146-36a412efa812"/> <cybox:Observable idref="mandiant:observable-9ca96c25-f428-4e0b-821a-b79f96cfef31"/> <cybox:Observable idref="mandiant:observable-6c126c3b-10de-41e8-8771-e19dd5e08216"/> <cybox:Observable idref="mandiant:observable-9a35ae88-657f-4d17-a3b4-24ab2c431b9f"/> <cybox:Observable idref="mandiant:observable-d5b8426d-d3dc-4472-af8b-5de756754fb9"/> <cybox:Observable idref="mandiant:observable-9453a5ae-4a32-49a2-a126-f02a2f199d86"/> <cybox:Observable idref="mandiant:observable-a46890cd-0547-4896-91f2-9be7c932c03e"/> <cybox:Observable idref="mandiant:observable-b1cc9530-8f56-45bb-b946-33996df735e0"/> <cybox:Observable idref="mandiant:observable-e70825c8-f40f-4074-8eab-706528fb57a4"/> <cybox:Observable idref="mandiant:observable-8cca6a84-4be2-4990-ae4b-3d8c799712b1"/> <cybox:Observable idref="mandiant:observable-dd1e0af7-97b2-48ec-b096-1da579987940"/> <cybox:Observable idref="mandiant:observable-66fc18f1-5bb3-4b0b-8e16-0d6634567a91"/> <cybox:Observable 
idref="mandiant:observable-a11449dd-8dea-4997-88a5-57a7815eaec1"/> <cybox:Observable idref="mandiant:observable-ad056220-959c-43a3-9e13-e0069d60e741"/> <cybox:Observable idref="mandiant:observable-f92259e5-740f-4ba5-9f34-a2bfbc25b38a"/> <cybox:Observable idref="mandiant:observable-deb9172e-0195-4900-a952-251a5982fe10"/> <cybox:Observable idref="mandiant:observable-60d71b38-1bb4-40e8-8a09-7a3325e5f6d3"/> <cybox:Observable idref="mandiant:observable-543b862d-20a0-4ddd-bf50-730d14794a17"/> <cybox:Observable idref="mandiant:observable-3a9e4b9f-ac93-4bf2-ba34-86c09270c779"/> <cybox:Observable idref="mandiant:observable-dfd4c462-94cc-457d-b93d-51284a42f00f"/> <cybox:Observable idref="mandiant:observable-547535a3-8d8e-4a5a-826c-978f86c38abc"/> <cybox:Observable idref="mandiant:observable-7a6e0eae-26e3-49fd-8612-208bf903c3f1"/> <cybox:Observable idref="mandiant:observable-c39ab5e4-4523-4190-8b6f-61644a226259"/> <cybox:Observable idref="mandiant:observable-54c1ce11-02ee-40ca-8c76-5f1e06a97ec5"/> <cybox:Observable idref="mandiant:observable-7acdc274-2791-435b-b0c3-e969c6afadbd"/> <cybox:Observable idref="mandiant:observable-f0509b94-ea0a-42c2-9a43-f02a27d87364"/> <cybox:Observable idref="mandiant:observable-1a30f225-911a-4acf-ac17-57a8182f53a4"/> <cybox:Observable idref="mandiant:observable-b4e62d91-92e2-4f51-a8ce-57e666f88222"/> <cybox:Observable idref="mandiant:observable-90797ae1-4b08-46ae-b910-69fb9d68387d"/> <cybox:Observable idref="mandiant:observable-d7e82ff8-5c31-4e30-b498-0743e5c3bf57"/> <cybox:Observable idref="mandiant:observable-eb2159d6-c97a-48c5-a72b-5c722dfceba6"/> <cybox:Observable idref="mandiant:observable-c3d02108-1bd0-4004-a837-26cdb2613514"/> <cybox:Observable idref="mandiant:observable-0c74c9f2-f4e8-40ef-b3ed-ba334f8d90f5"/> <cybox:Observable idref="mandiant:observable-3b975e54-055e-4898-bab4-924386d95602"/> <cybox:Observable idref="mandiant:observable-726d364f-c99b-4b39-99fc-93bf0bfadfaa"/> <cybox:Observable 
idref="mandiant:observable-8de3ccee-3f41-4792-9fda-4dfe3e8b60b9"/> <cybox:Observable idref="mandiant:observable-6c66736d-98dd-4a9e-9161-0ef06daa1418"/> <cybox:Observable idref="mandiant:observable-7e966924-f0e0-492c-aa2e-a3df31a0f6c8"/> <cybox:Observable idref="mandiant:observable-eb591111-aba4-4daa-941f-d58d55c9d05a"/> <cybox:Observable idref="mandiant:observable-1e45003a-afa4-445d-87e8-9cf9c4d797b7"/> <cybox:Observable idref="mandiant:observable-a78f87f8-e80d-488f-92e4-61345d003058"/> <cybox:Observable idref="mandiant:observable-61322e9d-1845-49dd-8011-36b73a6cc97b"/> <cybox:Observable idref="mandiant:observable-ac0668a3-2f35-4119-abe1-eb8cbbfe3b44"/> <cybox:Observable idref="mandiant:observable-a8cbfc21-a3eb-4bde-a685-a0f1e5ea2a5e"/> <cybox:Observable idref="mandiant:observable-b003b81f-58fa-4d3a-a149-f20a987dbf81"/> <cybox:Observable idref="mandiant:observable-bb1b6053-253e-47f2-af14-bbb5584acee0"/> <cybox:Observable idref="mandiant:observable-67831879-a87e-4ed3-b410-af2d3190aad8"/> <cybox:Observable idref="mandiant:observable-969f2799-1c38-4a57-b00f-30680ad1474d"/> <cybox:Observable idref="mandiant:observable-b3c89c5b-0588-41a4-9e99-0d223bbe0043"/> <cybox:Observable idref="mandiant:observable-eae43782-fdbd-4af9-9483-1cef334fc95f"/> <cybox:Observable idref="mandiant:observable-9e89610f-6237-42cd-8d4a-ec3239eed773"/> <cybox:Observable idref="mandiant:observable-fdf1edff-ce6f-4481-87d9-a7856db3edf4"/> <cybox:Observable idref="mandiant:observable-4254f78c-b1a6-4259-9375-0a08b3f6f0d9"/> <cybox:Observable idref="mandiant:observable-ae01e667-05df-46d9-9e88-28be9e6f8987"/> <cybox:Observable idref="mandiant:observable-b063a250-8baf-4a76-ae59-be117722fe44"/> <cybox:Observable idref="mandiant:observable-2ee42f88-4abc-4e9b-be34-8a6a12118312"/> <cybox:Observable idref="mandiant:observable-ce82121f-ed9a-4547-a1cd-58dc5aab5d7e"/> <cybox:Observable idref="mandiant:observable-bd7de4ce-a919-4346-9fcd-3913b2a6c704"/> <cybox:Observable 
idref="mandiant:observable-2a434183-70dd-45ab-b559-94bbd86da2a1"/> <cybox:Observable idref="mandiant:observable-fd0e3b02-30f2-4009-a904-2778f8d4d2d9"/> <cybox:Observable idref="mandiant:observable-1037388b-59f1-4e4d-88de-a48cfde1f528"/> <cybox:Observable idref="mandiant:observable-58794dea-47d1-42ce-a362-54886bd93a06"/> <cybox:Observable idref="mandiant:observable-6b2bd2c6-fe89-41c8-ada0-fe460773cfc8"/> <cybox:Observable idref="mandiant:observable-8afd245b-da29-4682-bce9-6e559f10398e"/> <cybox:Observable idref="mandiant:observable-8860ddfb-79c0-443a-a7d6-bb1dde02d8d3"/> <cybox:Observable idref="mandiant:observable-a30e7405-19ee-4e22-915c-cd086583820b"/> <cybox:Observable idref="mandiant:observable-39570278-1742-49e8-8621-08c160bd6190"/> <cybox:Observable idref="mandiant:observable-e6f22710-6cad-4a43-a4b1-43e5c1e9e4f7"/> <cybox:Observable idref="mandiant:observable-24481fe5-4bd0-4a6b-8ed9-af76d7f951c2"/> <cybox:Observable idref="mandiant:observable-7f7ae7ac-2648-407f-9a35-ab01e0c60f28"/> <cybox:Observable idref="mandiant:observable-171f1310-70e2-4a89-abb7-97b9ebffbaf1"/> <cybox:Observable idref="mandiant:observable-51717d97-5ea0-4b1c-a587-3b79b830a4ab"/> <cybox:Observable idref="mandiant:observable-a277c190-aa06-43b5-9d91-bec23be44b0a"/> <cybox:Observable idref="mandiant:observable-006bfdc9-b5ec-41fe-8f56-b9da46952db6"/> <cybox:Observable idref="mandiant:observable-5dbd6994-6619-4b36-8834-6ab44b492e9a"/> <cybox:Observable idref="mandiant:observable-01eea5a1-0159-4488-b4a0-9f831145674b"/> <cybox:Observable idref="mandiant:observable-ae3cf14e-3fdf-4f13-a659-c07ad3e592cf"/> <cybox:Observable idref="mandiant:observable-c1d91812-c5e5-4ec3-9489-6ebef62dab2e"/> <cybox:Observable idref="mandiant:observable-fa7e328c-ebb8-4681-9c53-2fb0e20321de"/> <cybox:Observable idref="mandiant:observable-3b5fe187-58a5-4897-a335-37f1193ccb8a"/> <cybox:Observable idref="mandiant:observable-7359cdd0-ab54-46b5-8907-7ca8cd972127"/> <cybox:Observable 
idref="mandiant:observable-931a94fe-1d78-4a8d-a8cb-4d2c5f869067"/> <cybox:Observable idref="mandiant:observable-5f304b83-aa6e-492b-bc4a-f61fe8dce5b9"/> <cybox:Observable idref="mandiant:observable-1ba67c3d-c6ef-46ec-b38e-17b031680d47"/> <cybox:Observable idref="mandiant:observable-d287fcd5-2554-48dc-ba28-e5a5ce9944bd"/> <cybox:Observable idref="mandiant:observable-49392184-f0bc-46eb-a73d-242f1eb2a7b1"/> <cybox:Observable idref="mandiant:observable-d4805982-be75-4135-8745-0a8ff3f3b6fd"/> <cybox:Observable idref="mandiant:observable-8a2e9a48-b639-46f9-95a0-f9555491d464"/> <cybox:Observable idref="mandiant:observable-cc7d886a-6029-4024-a9c0-34f4e628e6af"/> <cybox:Observable idref="mandiant:observable-df53106c-1345-4621-91bf-561c1ba9a1d1"/> <cybox:Observable idref="mandiant:observable-2ec036c0-6d37-4da0-81d1-afa391b08e29"/> <cybox:Observable idref="mandiant:observable-78457191-42df-4f1f-9aa5-86e8dec6c27e"/> <cybox:Observable idref="mandiant:observable-ef2d888e-970a-4e01-9471-be05f7c65629"/> <cybox:Observable idref="mandiant:observable-0d9c5aa6-7fc4-4557-864d-a45e13ac7d9e"/> <cybox:Observable idref="mandiant:observable-6a1f12ac-e74a-4c2b-b7f0-dab357718c4a"/> <cybox:Observable idref="mandiant:observable-0f231d6b-482d-4ec8-abac-11560a6bd0ec"/> <cybox:Observable idref="mandiant:observable-5804edfb-9cff-4f6b-8fb8-958e93e51075"/> <cybox:Observable idref="mandiant:observable-91aa6ab0-4665-4079-991d-8752ee107e2a"/> <cybox:Observable idref="mandiant:observable-ed289b6f-5ff7-4f8a-bfcf-314c6d622e9f"/> <cybox:Observable idref="mandiant:observable-c438a0fc-bcf9-4ec2-984d-ef45da0754bd"/> <cybox:Observable idref="mandiant:observable-f1782637-48a1-45b7-b8ee-6e4b18a16d9e"/> <cybox:Observable idref="mandiant:observable-4afe37a4-f505-4ccb-8c93-ec6b267493c1"/> <cybox:Observable idref="mandiant:observable-8c062a7f-7bc9-4b73-96f2-3bcb99d7e887"/> <cybox:Observable idref="mandiant:observable-bc69c00c-3fca-4dc0-9b9e-c4346a190869"/> <cybox:Observable 
idref="mandiant:observable-a4506c4a-d5f1-4ba9-b4e7-1d6a1bc07ef8"/> <cybox:Observable idref="mandiant:observable-075e4622-1bd9-41ec-8311-c7b53e3fa0cb"/> <cybox:Observable idref="mandiant:observable-509b8871-ae2f-4272-b53b-b15ef75ccc69"/> <cybox:Observable idref="mandiant:observable-fd65f08c-427d-47de-9de5-7a3b95a03cef"/> <cybox:Observable idref="mandiant:observable-585179e6-9df5-4056-a530-d0b61828be5c"/> <cybox:Observable idref="mandiant:observable-e8473edc-4f1b-4595-bfe6-36baa5f384e7"/> <cybox:Observable idref="mandiant:observable-1eccf7a7-5f43-43c6-a044-7a2081956cba"/> <cybox:Observable idref="mandiant:observable-ae9ca65d-c110-4faf-9838-e4459267bd6d"/> <cybox:Observable idref="mandiant:observable-f05bd155-ab39-4426-801f-292b8846537f"/> <cybox:Observable idref="mandiant:observable-e19d5499-b305-443f-8d78-48ea3a94e2be"/> <cybox:Observable idref="mandiant:observable-192897db-af6b-457b-8ee6-6623e1d67c04"/> <cybox:Observable idref="mandiant:observable-32d59174-8af2-47d0-ad8c-e70b2e0fe98f"/> <cybox:Observable idref="mandiant:observable-2b40d825-a824-4c10-be36-79a78aa565ae"/> <cybox:Observable idref="mandiant:observable-93cabc49-f7ec-49df-a76b-ffa513e60f11"/> <cybox:Observable idref="mandiant:observable-9604e409-31d1-415a-9de8-28ae43b742a6"/> <cybox:Observable idref="mandiant:observable-8847fb0b-9aba-4566-98b5-ecd0ddac90b2"/> <cybox:Observable idref="mandiant:observable-fbca176e-559e-4f3c-aff4-d0ca1f86fc84"/> <cybox:Observable idref="mandiant:observable-40e1893f-d2c4-48be-b82e-86a639cd118b"/> <cybox:Observable idref="mandiant:observable-4a4ef845-eb78-40b2-ba62-085dd7aa2ba7"/> <cybox:Observable idref="mandiant:observable-ea804d1c-bea8-4cd0-bf18-21803cdc3bea"/> <cybox:Observable idref="mandiant:observable-aa1efaca-16e9-4e11-ac3b-7a76485428e6"/> <cybox:Observable idref="mandiant:observable-4309d7f0-d428-40bf-9ccc-f57bd5ec5c15"/> <cybox:Observable idref="mandiant:observable-c13a3970-9d13-4076-8051-3c95bc6d4654"/> <cybox:Observable 
idref="mandiant:observable-927e6047-70dc-4555-95a8-6bf87d180699"/> <cybox:Observable idref="mandiant:observable-5cb7cf7a-6525-4527-98bd-c23d406e8344"/> <cybox:Observable idref="mandiant:observable-ad2d7118-d7b6-43ab-87f5-e4e5da4998f2"/> <cybox:Observable idref="mandiant:observable-316de897-a537-40a5-92d6-c8d39d01e369"/> <cybox:Observable idref="mandiant:observable-00954932-3781-4dde-8b56-49b07c138769"/> <cybox:Observable idref="mandiant:observable-a0fb19d9-ae52-497b-a458-6b813ef0e61c"/> <cybox:Observable idref="mandiant:observable-84fd5ae0-8950-49d6-9146-0084dcb325b3"/> <cybox:Observable idref="mandiant:observable-0f9d600b-a0fb-4365-85e9-cde0ff7a8764"/> <cybox:Observable idref="mandiant:observable-f3829e1c-ecec-4417-8d7f-ca2ee9e2340c"/> <cybox:Observable idref="mandiant:observable-d4c4f19d-f4cf-42f5-b992-afcf265abead"/> <cybox:Observable idref="mandiant:observable-96156a9a-30f4-4c37-801f-0eeab2b36a1b"/> <cybox:Observable idref="mandiant:observable-ecc8b9aa-f0d4-4c20-93b5-b187027bea87"/> <cybox:Observable idref="mandiant:observable-6118837d-342e-4e35-b33d-659cf490bf21"/> <cybox:Observable idref="mandiant:observable-480c1386-9e4c-46aa-9f1e-a085471ce68f"/> <cybox:Observable idref="mandiant:observable-e715daf3-6105-4523-9482-c1a8c5e0f3ef"/> <cybox:Observable idref="mandiant:observable-f5bf8270-d823-4b2c-a4cb-3db5bbc86e60"/> <cybox:Observable idref="mandiant:observable-63198f99-b40b-4b0a-a081-74bdb013b900"/> <cybox:Observable idref="mandiant:observable-1565b3aa-e4bc-413f-a6fd-124549f717de"/> <cybox:Observable idref="mandiant:observable-fd10f311-93b1-458c-8dab-c87fe3459604"/> <cybox:Observable idref="mandiant:observable-607c5240-a2f0-47cb-bbf6-41d7645d5a08"/> <cybox:Observable idref="mandiant:observable-0b4afa3d-b0d7-4048-a2fd-cfff23620215"/> <cybox:Observable idref="mandiant:observable-79394e6b-e5a9-4781-9564-ac02885bdac4"/> <cybox:Observable idref="mandiant:observable-9c903320-a055-42e2-87f2-5d9bed5e7c88"/> <cybox:Observable 
idref="mandiant:observable-2094bbd3-ad99-43ce-bf7c-889c2a8c2418"/> <cybox:Observable idref="mandiant:observable-fa65ea27-a51c-48b3-8443-adf11911b9e5"/> <cybox:Observable idref="mandiant:observable-4472c6c0-67a5-4ec3-8b92-32b3a5feb2ba"/> <cybox:Observable idref="mandiant:observable-b0da821a-5158-4932-9d17-6b9a2741ea42"/> <cybox:Observable idref="mandiant:observable-09c12648-0ba6-457f-906c-50c06c8ccc2f"/> <cybox:Observable idref="mandiant:observable-b5b1888f-0a8f-465e-b4c7-584ae6abd91e"/> <cybox:Observable idref="mandiant:observable-4a69f184-ffc1-4954-9088-c65885210f12"/> <cybox:Observable idref="mandiant:observable-3cb5b75d-fef6-4f87-b54a-6211681e6a17"/> <cybox:Observable idref="mandiant:observable-ceb77e2b-3bbc-4df9-80a2-0af64730db50"/> <cybox:Observable idref="mandiant:observable-6905fe9f-e540-4163-8949-c93766ab7fa1"/> <cybox:Observable idref="mandiant:observable-439bc68a-8b73-4144-a278-6394ae2cd3ec"/> <cybox:Observable idref="mandiant:observable-64ced20c-d90a-4cf7-b56b-22f9cee399b1"/> <cybox:Observable idref="mandiant:observable-a5bd1885-c9e3-485e-97ff-8bad5ac2a019"/> <cybox:Observable idref="mandiant:observable-e0d96356-a782-4a50-b27f-885aef4dc2cb"/> <cybox:Observable idref="mandiant:observable-e478b685-9cd4-4c72-810d-6c5083baaf1e"/> <cybox:Observable idref="mandiant:observable-ba448443-530d-43e5-bddc-22b67729b558"/> <cybox:Observable idref="mandiant:observable-7bd52e8a-4fba-440b-a37a-966154ea923c"/> <cybox:Observable idref="mandiant:observable-68818743-99a5-4a86-9169-0203287e95cd"/> <cybox:Observable idref="mandiant:observable-3073f4f3-afc7-44ec-9db4-c3f01d8f2d7b"/> <cybox:Observable idref="mandiant:observable-bfb57e09-9afc-41d2-9220-9b5929713be7"/> <cybox:Observable idref="mandiant:observable-6f828f74-3e9a-482f-9793-c63022c5767f"/> <cybox:Observable idref="mandiant:observable-90fe8a13-a795-496e-9f8b-eb1bb8700b2c"/> <cybox:Observable idref="mandiant:observable-400a5360-8a95-46dc-8ee6-6fe7adb660e9"/> <cybox:Observable 
idref="mandiant:observable-bc4dfd12-d672-4fab-9132-b55a3c6d4ac5"/> <cybox:Observable idref="mandiant:observable-a1c9a5b8-5ed1-4b09-833a-11374857a2b6"/> <cybox:Observable idref="mandiant:observable-e6366973-065a-4b16-96c3-65fe63516c92"/> <cybox:Observable idref="mandiant:observable-df9e93cf-78a2-4237-97fb-d0059f7e67d0"/> <cybox:Observable idref="mandiant:observable-6bc4d8fc-f0b6-450e-8c02-3303a2651d05"/> <cybox:Observable idref="mandiant:observable-5c6db611-de7f-4071-93a2-d595d3c76007"/> <cybox:Observable idref="mandiant:observable-5448f210-c950-4dfe-8e78-ac71cd039027"/> <cybox:Observable idref="mandiant:observable-6f7a2020-2697-40d9-b21e-cc3fef4aa00c"/> <cybox:Observable idref="mandiant:observable-26fd253a-1ad5-4d8b-a82f-2b216f57ff69"/> <cybox:Observable idref="mandiant:observable-bb8b77e4-6f6a-4a65-8b00-dff78daae9c8"/> <cybox:Observable idref="mandiant:observable-7e8b335f-0b64-47ba-88d8-ea1dce36434b"/> <cybox:Observable idref="mandiant:observable-6d795759-4f91-481e-b703-916562a66e38"/> <cybox:Observable idref="mandiant:observable-e3781e40-e361-4242-9103-6041cd237b74"/> <cybox:Observable idref="mandiant:observable-5a539f71-bae5-431f-b1d2-257d6e336a73"/> <cybox:Observable idref="mandiant:observable-2e1db2cb-cd4e-449d-a781-b64099ddc80f"/> <cybox:Observable idref="mandiant:observable-98b7cc6e-a2b9-45ac-b649-fb727f776d4e"/> <cybox:Observable idref="mandiant:observable-64704b56-5cbe-460d-b1c7-cfd5a563c7be"/> <cybox:Observable idref="mandiant:observable-059c4f3a-8904-4098-8e80-53498e22d5db"/> <cybox:Observable idref="mandiant:observable-d86bf4e1-7aa8-40c4-a3e0-9dabb7d11499"/> <cybox:Observable idref="mandiant:observable-9815b953-8d3a-467f-a6c7-a9ae09a2a854"/> <cybox:Observable idref="mandiant:observable-f7af9381-5d0a-4016-ac9c-cfb0202fead9"/> <cybox:Observable idref="mandiant:observable-504afe0f-f5ce-4fa5-a455-8f606460d146"/> <cybox:Observable idref="mandiant:observable-ee9a4b38-02f8-4d6b-829e-0f4847cb1bc1"/> <cybox:Observable 
idref="mandiant:observable-fbddb631-4962-45ca-a475-e89b9bd23035"/> <cybox:Observable idref="mandiant:observable-5d516439-8d06-4276-bcc7-979cedd88ad3"/> <cybox:Observable idref="mandiant:observable-76070a38-8e25-416a-a923-48bf21bf78cc"/> <cybox:Observable idref="mandiant:observable-b86c6d5d-7d65-4465-b7b2-7e14dee9ceac"/> <cybox:Observable idref="mandiant:observable-26e65acb-3669-4e4b-8c7f-3199503b4782"/> <cybox:Observable idref="mandiant:observable-d7d17a34-79a7-4fb8-83ee-cc644f714d73"/> <cybox:Observable idref="mandiant:observable-f325e850-af17-48b8-9d63-93d566b4921d"/> <cybox:Observable idref="mandiant:observable-e721a677-95eb-4108-8234-4c6759828160"/> <cybox:Observable idref="mandiant:observable-33617a49-d597-413b-bc42-bc2f236b8151"/> <cybox:Observable idref="mandiant:observable-6d5607d4-78ec-4f19-b409-e9bf720c59f7"/> <cybox:Observable idref="mandiant:observable-2eae3162-26d1-4d5d-8996-5d0a72622bd7"/> <cybox:Observable idref="mandiant:observable-4f79f0bc-4158-4655-86a5-f1124fc98ec3"/> <cybox:Observable idref="mandiant:observable-f2734f96-48de-467b-a208-afe9a7ce5627"/> <cybox:Observable idref="mandiant:observable-08c29e42-37b4-4ccf-8a30-42de9cf10c99"/> <cybox:Observable idref="mandiant:observable-40975d2a-84d4-45e5-88cb-4edbcc603dd2"/> <cybox:Observable idref="mandiant:observable-8489fa8e-7307-49d1-8c9e-b18f80ed1293"/> <cybox:Observable idref="mandiant:observable-69b8a457-a26b-461c-ab0b-96804c2f1225"/> <cybox:Observable idref="mandiant:observable-30b15d42-1341-4e09-b316-40a04761c43d"/> <cybox:Observable idref="mandiant:observable-c774aebb-f8e6-44df-ae9c-f880a569b26f"/> <cybox:Observable idref="mandiant:observable-830ba94d-c674-4e12-8081-407fc389addf"/> <cybox:Observable idref="mandiant:observable-6333732c-4657-4958-835c-36daca9af6ed"/> <cybox:Observable idref="mandiant:observable-b07056d6-e131-434c-9af3-74368fc71510"/> <cybox:Observable idref="mandiant:observable-e2677e17-1963-4179-b898-1de300cf27cf"/> <cybox:Observable 
idref="mandiant:observable-76af7981-e44c-4490-a615-260ab230a49e"/> <cybox:Observable idref="mandiant:observable-c473ff23-c8cb-42c3-9a8a-a940fcf4b5c1"/> <cybox:Observable idref="mandiant:observable-9c1f6d11-e8cf-4b4f-b606-a564cd97f6d8"/> <cybox:Observable idref="mandiant:observable-e3ac4faf-98bd-4dba-8b93-f50e5d3b1172"/> <cybox:Observable idref="mandiant:observable-755d1883-a0c5-44d4-ab7c-39e2ec3fd652"/> <cybox:Observable idref="mandiant:observable-f855af0a-b1ad-46e0-bc0e-277487a85b10"/> <cybox:Observable idref="mandiant:observable-6d1a3f22-3ac3-4aa0-b79e-7def175feb45"/> <cybox:Observable idref="mandiant:observable-2cb3e45d-cd9f-47a0-8835-56a44d25772e"/> <cybox:Observable idref="mandiant:observable-c30bad26-dbc2-4973-90ca-0cca523d8d1f"/> <cybox:Observable idref="mandiant:observable-c6c6738d-7fbe-493e-92d4-7e5b109e7f1c"/> <cybox:Observable idref="mandiant:observable-c6aff098-b912-455f-b82e-94a86ebe03d9"/> <cybox:Observable idref="mandiant:observable-a44c88fc-776f-456a-857d-e2743c0c1fea"/> <cybox:Observable idref="mandiant:observable-89f1b209-555b-4d70-a20a-2175c9a37675"/> <cybox:Observable idref="mandiant:observable-70707d0d-ccb6-43d8-97fd-35213053ad58"/> <cybox:Observable idref="mandiant:observable-c347c361-b4e8-481c-8b60-cbc68f653995"/> <cybox:Observable idref="mandiant:observable-f55a68e0-97af-4121-85ee-8b23feb6f29a"/> <cybox:Observable idref="mandiant:observable-a3c79f50-830f-4dc8-9a16-eef39da3de28"/> <cybox:Observable idref="mandiant:observable-f8d46e9a-c9d4-4670-8ef4-783ef90a1a7c"/> <cybox:Observable idref="mandiant:observable-c4e9f524-7b23-4fb5-811c-ff5509b39cef"/> <cybox:Observable idref="mandiant:observable-6e42dc99-1133-4272-86a1-15df3f321894"/> <cybox:Observable idref="mandiant:observable-5b78b277-0803-4c51-98fc-ae8be7137ad0"/> <cybox:Observable idref="mandiant:observable-a3e02563-7734-4a6f-a862-44da86216a5d"/> <cybox:Observable idref="mandiant:observable-d871da09-7aa9-45e2-82e0-337091965a78"/> <cybox:Observable 
idref="mandiant:observable-f5e529a5-1060-462d-a9a9-5b0557dfb725"/> <cybox:Observable idref="mandiant:observable-fbc61ac5-4068-4991-944f-e67d2cddb450"/> <cybox:Observable idref="mandiant:observable-f3686bbb-05ad-4b39-a841-954e68bdee52"/> <cybox:Observable idref="mandiant:observable-6f1d0d6d-c088-44c0-98c4-7d55d0d3f26f"/> <cybox:Observable idref="mandiant:observable-f9e82296-0e4e-41be-8521-0a00db0673d0"/> <cybox:Observable idref="mandiant:observable-470dfadb-8598-4cd3-9590-79f90990d336"/> <cybox:Observable idref="mandiant:observable-cb47ec14-afd2-4279-bdb4-1d50313417e2"/> <cybox:Observable idref="mandiant:observable-049d6404-9e41-40e2-ac1a-cee70614ba11"/> <cybox:Observable idref="mandiant:observable-f17913a8-dd0f-45c6-9d35-46aa12027e52"/> <cybox:Observable idref="mandiant:observable-7ae0904e-0c1b-4edd-abe2-4530f1f9805f"/> <cybox:Observable idref="mandiant:observable-41cbafda-9421-4906-981d-755ab6e2dbd6"/> <cybox:Observable idref="mandiant:observable-dcc93edb-8b87-4aa6-b575-ecf5b6a6bca8"/> <cybox:Observable idref="mandiant:observable-3bba770a-9c1c-4549-b365-7f87e6a085b4"/> <cybox:Observable idref="mandiant:observable-493a31bb-eeff-42f6-b431-092d4b671c73"/> <cybox:Observable idref="mandiant:observable-474a5de6-98dd-4d75-855a-644a00f3e503"/> <cybox:Observable idref="mandiant:observable-b66e553d-40f6-41e0-8650-d369b1b5f1fa"/> <cybox:Observable idref="mandiant:observable-f1b414e8-33a0-4b0b-a277-3dfe614507da"/> <cybox:Observable idref="mandiant:observable-ef237e9b-e7e6-4247-a161-6c022117ec38"/> <cybox:Observable idref="mandiant:observable-c2bb85ee-a51e-4f66-8f99-cef724ce674a"/> <cybox:Observable idref="mandiant:observable-7cdeed2e-3ac5-4c2b-a9bc-1a4844bc0e33"/> <cybox:Observable idref="mandiant:observable-c9aaa5c9-f78e-4c89-9ffc-92e5505e681f"/> <cybox:Observable idref="mandiant:observable-329c1481-806a-4d9a-808d-e9af0c8cae88"/> <cybox:Observable idref="mandiant:observable-b4e1239a-763e-452c-bf85-dccfe33808c8"/> <cybox:Observable 
idref="mandiant:observable-83e63fa0-c005-4a03-a0de-1078f44a7c1f"/> <cybox:Observable idref="mandiant:observable-b146b5e8-c04f-4123-bc7b-edf4cb9eabe6"/> <cybox:Observable idref="mandiant:observable-4c3c445c-15f5-45a4-b217-f22704f4ed8a"/> <cybox:Observable idref="mandiant:observable-9c4ed6da-dfa1-4175-9cc6-66d8b6afbcfa"/> <cybox:Observable idref="mandiant:observable-b7357a94-7643-409a-835a-fc62b2f48ace"/> <cybox:Observable idref="mandiant:observable-8d9733d2-42ba-4e05-888b-14207129b441"/> <cybox:Observable idref="mandiant:observable-8523db29-989c-467c-9381-687812c2f1c3"/> <cybox:Observable idref="mandiant:observable-a2bd125b-601b-4d22-8b3b-d1683a08038b"/> <cybox:Observable idref="mandiant:observable-678bd135-d0cf-4e03-aaa0-e99df146301d"/> <cybox:Observable idref="mandiant:observable-91a03df2-d857-4ad2-97ad-3da1f760e57b"/> <cybox:Observable idref="mandiant:observable-1339f61d-cefb-439a-8ef3-0023d642ee35"/> <cybox:Observable idref="mandiant:observable-4fc2a0a8-6643-430e-a732-400596bf484b"/> <cybox:Observable idref="mandiant:observable-2cb48a12-7126-426e-ba71-939082a4513d"/> <cybox:Observable idref="mandiant:observable-6c92db0d-d72b-4efa-999a-9b21ca39a30a"/> <cybox:Observable idref="mandiant:observable-900ac2e8-159b-4ff2-875a-6413b7e39033"/> <cybox:Observable idref="mandiant:observable-aa0b5b1e-79b3-4b33-b2a5-440e4fb1d84a"/> <cybox:Observable idref="mandiant:observable-cf6c29ee-7466-4c54-9dfd-5d9242a67584"/> <cybox:Observable idref="mandiant:observable-b09fe8fc-790f-4e45-9a0c-dcaf88df1380"/> <cybox:Observable idref="mandiant:observable-cfcc75f6-0fcf-4046-ae45-7e2963e8c2fe"/> <cybox:Observable idref="mandiant:observable-4646ce95-63f7-4e9c-ac28-8178ca526e7d"/> <cybox:Observable idref="mandiant:observable-5809d567-79d0-40e4-8dfe-0474a3e0af58"/> <cybox:Observable idref="mandiant:observable-14557f7d-bedc-4722-8798-5ca8d88ae46c"/> <cybox:Observable idref="mandiant:observable-97929c8b-7dab-4004-a1de-0d6d49e2aca5"/> <cybox:Observable 
idref="mandiant:observable-ea0db72c-9809-487d-a72b-cbdad623497a"/> <cybox:Observable idref="mandiant:observable-232a1e95-18af-4ed1-afcf-53c8e51a31e2"/> <cybox:Observable idref="mandiant:observable-a0af6b2b-7b7a-41e3-a532-106a6bbe8068"/> <cybox:Observable idref="mandiant:observable-4ecee824-7a09-4905-8a03-d1d77e31ef98"/> <cybox:Observable idref="mandiant:observable-b7df8f63-0e68-4545-9608-49db64dc842a"/> <cybox:Observable idref="mandiant:observable-865dc2e5-3c94-4862-a9b7-3c44fc0fb16e"/> <cybox:Observable idref="mandiant:observable-e7ff6c13-a488-4c9a-8110-97fa63b1bd1e"/> <cybox:Observable idref="mandiant:observable-a0be44a8-8140-4f5b-a0aa-d165bd5b6c15"/> <cybox:Observable idref="mandiant:observable-8e424f3a-0c4b-4650-b157-a6656050a401"/> <cybox:Observable idref="mandiant:observable-a48c9093-ab8e-4001-a381-013299bbefc1"/> <cybox:Observable idref="mandiant:observable-ca714746-cd7b-4d9d-9698-913df4ebc11d"/> <cybox:Observable idref="mandiant:observable-17565c08-0d52-45da-86d6-4d2b784e00e4"/> <cybox:Observable idref="mandiant:observable-851ea564-2c94-4620-b15c-3f9d76f02a74"/> <cybox:Observable idref="mandiant:observable-9017943d-196c-4858-923d-dffcebd77bf6"/> <cybox:Observable idref="mandiant:observable-feaf6521-3217-48f9-b2e3-8a3e465fe764"/> <cybox:Observable idref="mandiant:observable-b1ebe4ef-4f07-4e17-a1eb-5d371baec782"/> <cybox:Observable idref="mandiant:observable-75d8211b-d323-4b7b-a6a9-b37eb6dcf9e5"/> <cybox:Observable idref="mandiant:observable-c5772131-a3ab-4680-9fd1-784c452e045c"/> <cybox:Observable idref="mandiant:observable-c97e7b64-7ab6-46e8-bae1-9740ebd2624d"/> <cybox:Observable idref="mandiant:observable-71e7258d-3bd9-4e8e-8be8-1a98765f0223"/> <cybox:Observable idref="mandiant:observable-a708371e-4f3e-4e91-bb1d-35d0ce21b866"/> <cybox:Observable idref="mandiant:observable-af49aaa4-20e0-4d53-8c5b-ef0ef0e2faad"/> <cybox:Observable idref="mandiant:observable-106e85c9-31cf-4805-b69b-e32d9770acca"/> <cybox:Observable 
idref="mandiant:observable-c97a502a-1674-4f08-8a5f-3b1f90ad8381"/> <cybox:Observable idref="mandiant:observable-bb7b444f-3c8f-4f6e-9551-315d3dc75a9c"/> <cybox:Observable idref="mandiant:observable-d2554707-192f-4f1e-8f4a-caa41d2c9db5"/> <cybox:Observable idref="mandiant:observable-1cd3f828-f29f-43c6-80b5-5564ac64e24e"/> <cybox:Observable idref="mandiant:observable-e5ab65e1-6116-4dc4-8838-11d79b05317f"/> <cybox:Observable idref="mandiant:observable-2c4d7c13-218b-42a3-9883-7755bd88ced1"/> <cybox:Observable idref="mandiant:observable-87b5674b-3f4a-4a1a-a583-c363caf0844a"/> <cybox:Observable idref="mandiant:observable-a6addc82-4546-40f4-9e2c-1838b8abe6d2"/> <cybox:Observable idref="mandiant:observable-441d6825-81cb-46a2-b5fd-50733dea2336"/> <cybox:Observable idref="mandiant:observable-b76feb62-b32e-426e-9110-9f8759417ce3"/> <cybox:Observable idref="mandiant:observable-b8d2eb7c-f294-4040-8077-246b13d59a63"/> <cybox:Observable idref="mandiant:observable-553117f8-bd7c-4aa0-914a-6377de0f3463"/> <cybox:Observable idref="mandiant:observable-3c791684-0fc8-4bea-a715-10d8ae67cc19"/> <cybox:Observable idref="mandiant:observable-d05fa418-b565-44c7-ae55-b9cf7cf00cb7"/> <cybox:Observable idref="mandiant:observable-53db6475-a3ea-4afd-a3ee-c19b0b9d6a58"/> <cybox:Observable idref="mandiant:observable-f2f0494e-c4b3-4349-ba9b-b97727f7f79b"/> <cybox:Observable idref="mandiant:observable-d6ef728a-e155-4323-9a74-6be5710fa548"/> <cybox:Observable idref="mandiant:observable-3ea0215a-6b3d-4a2f-b782-4a75ef23a07a"/> <cybox:Observable idref="mandiant:observable-73319afd-e722-4ac4-a163-6d3d4c1bcf15"/> <cybox:Observable idref="mandiant:observable-0c29ca36-997a-4d5b-9a10-5927b5359231"/> <cybox:Observable idref="mandiant:observable-82573a72-d55b-44af-abbb-bbf832d45fa6"/> <cybox:Observable idref="mandiant:observable-fb13b7ac-aab0-4fe5-8858-bccd055d9b90"/> <cybox:Observable idref="mandiant:observable-196599a8-1153-431b-96f7-fe9ef358d268"/> <cybox:Observable 
idref="mandiant:observable-198e1c60-b090-47dc-a38f-bb7524d14397"/> <cybox:Observable idref="mandiant:observable-24f6b24b-9d09-4690-be1b-06459464dd60"/> <cybox:Observable idref="mandiant:observable-eae9116e-675d-4590-af90-435206d5e280"/> <cybox:Observable idref="mandiant:observable-6c1ffc0d-09dd-438c-917b-e7d2224a7238"/> <cybox:Observable idref="mandiant:observable-c5a8b6e5-74c5-491a-81a9-3d08f61c8697"/> <cybox:Observable idref="mandiant:observable-d51048c3-30f6-490e-83f7-eb2df1e87a41"/> <cybox:Observable idref="mandiant:observable-7e84c04a-6f3d-41d0-a130-5bed5cd04520"/> <cybox:Observable idref="mandiant:observable-2727239c-d01c-437c-a7e3-2940b1fafed4"/> <cybox:Observable idref="mandiant:observable-c523c024-241d-4cc9-9b85-37c86be82a20"/> <cybox:Observable idref="mandiant:observable-ff7636d0-a8c6-42da-ab0e-39157ed18d0e"/> <cybox:Observable idref="mandiant:observable-b548d814-ad9c-4194-9972-b7d4bb357171"/> <cybox:Observable idref="mandiant:observable-ebca2297-71eb-41ae-9ed0-082400a4f867"/> <cybox:Observable idref="mandiant:observable-82cf46bf-bfbd-4569-b211-fe00bafbad8c"/> <cybox:Observable idref="mandiant:observable-b05ac8bd-8653-4313-87ac-8cf0ecd1fd52"/> <cybox:Observable idref="mandiant:observable-707b6b73-3139-429c-821d-134dfd260c96"/> <cybox:Observable idref="mandiant:observable-f1dd09ad-62f2-46b0-98fb-f9cafb77af1f"/> <cybox:Observable idref="mandiant:observable-dbbc43f7-f85e-45e1-b9b9-581208823275"/> <cybox:Observable idref="mandiant:observable-559b6918-c898-4778-9215-3f21039fd44a"/> <cybox:Observable idref="mandiant:observable-3711a61a-bc46-4ad8-aafa-17f9318b5010"/> <cybox:Observable idref="mandiant:observable-2df54931-2584-47e8-81f4-82058940b2e5"/> <cybox:Observable idref="mandiant:observable-905eacc6-46e0-4a70-947d-d7ca8e43e3e4"/> <cybox:Observable idref="mandiant:observable-639f8281-4437-48ed-9f4a-1c6f5e6eeff7"/> <cybox:Observable idref="mandiant:observable-814200f0-af78-4719-a82f-341dfa71ee57"/> <cybox:Observable 
idref="mandiant:observable-16c597e8-4b94-4edb-938f-0810e9ef2690"/> <cybox:Observable idref="mandiant:observable-0740cb32-98d1-489c-9c55-fcb686453f8a"/> <cybox:Observable idref="mandiant:observable-cac202fa-8555-433d-8023-5f79fcfc03a4"/> <cybox:Observable idref="mandiant:observable-8c293eb7-075b-4104-bbc0-41a76cea08be"/> <cybox:Observable idref="mandiant:observable-b2282f60-b90a-44ee-91cb-59f0f0b962ec"/> <cybox:Observable idref="mandiant:observable-053ecb99-8eb1-4e92-8fd0-1d8154375268"/> <cybox:Observable idref="mandiant:observable-807e98db-f7b4-418a-aed6-72dc19f05d76"/> <cybox:Observable idref="mandiant:observable-c8645b0c-d8bc-4ff6-80bd-71a2de3a0bb9"/> <cybox:Observable idref="mandiant:observable-6d5c7154-48eb-4792-baf2-e6d91f6cf36d"/> <cybox:Observable idref="mandiant:observable-bb66a3f5-f29d-4d55-b732-338fb1b701b5"/> <cybox:Observable idref="mandiant:observable-2672fb23-8070-4b6e-ba51-383087900160"/> <cybox:Observable idref="mandiant:observable-76c4f060-bd17-4e8d-aae1-4d70dd565d78"/> <cybox:Observable idref="mandiant:observable-bcbcaa06-a184-4c65-aa5f-74ab8be16212"/> <cybox:Observable idref="mandiant:observable-5d051b62-04bc-4b61-8670-425f975bf378"/> <cybox:Observable idref="mandiant:observable-7d5b5ff3-41be-4d24-9c3e-c7723c1ae807"/> <cybox:Observable idref="mandiant:observable-036dffea-62da-41c1-bf3f-5367d5bf536a"/> <cybox:Observable idref="mandiant:observable-cf7ef16f-a838-4e17-a21f-551c7c737858"/> <cybox:Observable idref="mandiant:observable-75929f3b-081f-4df0-b464-f1f256a609dc"/> <cybox:Observable idref="mandiant:observable-4fa8838e-2668-4081-a83a-fb91d8cce1a8"/> <cybox:Observable idref="mandiant:observable-b56bbb81-0344-4b4f-9d12-60765bc45bf9"/> <cybox:Observable idref="mandiant:observable-bb141ed4-e569-4ba2-a0dd-be481088d1fd"/> <cybox:Observable idref="mandiant:observable-e3d10dac-f42b-41a2-828d-c7f0df2ab24d"/> <cybox:Observable idref="mandiant:observable-4f52d963-743e-444d-885c-1222938a1849"/> <cybox:Observable 
idref="mandiant:observable-5f1e9bb3-2072-4dc9-bd51-175e75500e08"/> <cybox:Observable idref="mandiant:observable-3165b381-f361-47e5-bfa2-6254b9a95f92"/> <cybox:Observable idref="mandiant:observable-353086f3-f7d6-439f-8a7c-b7bf83ec4e10"/> <cybox:Observable idref="mandiant:observable-dc71ba29-82d1-494a-aedd-2f21a089406d"/> <cybox:Observable idref="mandiant:observable-22587830-8355-4949-bac1-effe145e45c8"/> <cybox:Observable idref="mandiant:observable-73f9e853-feb8-49e1-9373-c442800a3882"/> <cybox:Observable idref="mandiant:observable-f303cf23-b998-4fff-8b0f-dd427b93b00d"/> <cybox:Observable idref="mandiant:observable-c0a9f30b-42c6-489c-a1a6-d68fb32d5741"/> <cybox:Observable idref="mandiant:observable-d4cc4757-d9a0-4e3d-a9e5-93fdda1328bd"/> <cybox:Observable idref="mandiant:observable-5d96e91a-e8af-4279-aff8-f7ee1035b553"/> <cybox:Observable idref="mandiant:observable-28e36290-156b-472b-8697-1fd83214f159"/> <cybox:Observable idref="mandiant:observable-c5bacb83-ed6a-449f-8435-aaa14829020d"/> <cybox:Observable idref="mandiant:observable-fba246d4-63a9-44d8-b683-7a8873edab4b"/> <cybox:Observable idref="mandiant:observable-7cd0d0f3-629d-4d23-9be6-f0e87ac83de4"/> <cybox:Observable idref="mandiant:observable-a1ea4b28-4641-4d32-b3d9-77e88596e1e3"/> <cybox:Observable idref="mandiant:observable-25fe922f-8c85-4036-8b66-4c0a14035066"/> <cybox:Observable idref="mandiant:observable-83b80c37-dc92-4520-ab62-244cdeabeb9d"/> <cybox:Observable idref="mandiant:observable-2a32d815-3b5d-426e-b75d-1fa9d6669b19"/> <cybox:Observable idref="mandiant:observable-794fb4a0-ea6a-482f-9e0d-d247c8685518"/> <cybox:Observable idref="mandiant:observable-5a2d6053-025b-46c2-b34e-3393d058a54a"/> <cybox:Observable idref="mandiant:observable-db42b8c8-8970-455b-893f-984bcd429fa5"/> <cybox:Observable idref="mandiant:observable-fe942121-30ee-48a0-ac71-ffb77fa9419b"/> <cybox:Observable idref="mandiant:observable-d1269ce0-b8ce-4687-a57d-e912eb453a87"/> <cybox:Observable 
idref="mandiant:observable-73d21b20-8517-4c34-80d2-aab23275ffdb"/> <cybox:Observable idref="mandiant:observable-f6d336e8-8698-425c-bb52-39a177c16abc"/> <cybox:Observable idref="mandiant:observable-820cd5fe-38fc-46bd-8b8e-1e54123fc4c8"/> <cybox:Observable idref="mandiant:observable-16c32e93-5328-4c6e-b3d3-033276ceb53e"/> <cybox:Observable idref="mandiant:observable-31dabc58-f045-439c-8ca1-7a4cc5de75f1"/> <cybox:Observable idref="mandiant:observable-9a222096-0778-45ed-9f1b-97097308d772"/> <cybox:Observable idref="mandiant:observable-b02ded2c-f824-4146-a3f1-e6fc5f6c5599"/> <cybox:Observable idref="mandiant:observable-42542bca-6c09-4f4b-a2e5-b54d69062a84"/> <cybox:Observable idref="mandiant:observable-17942e46-f4cc-4f97-a68b-24388656b57a"/> <cybox:Observable idref="mandiant:observable-be3d5ade-520e-421f-a09b-d65dd3346ada"/> <cybox:Observable idref="mandiant:observable-01bce683-12e0-4566-aae4-8f819bfb4d6f"/> <cybox:Observable idref="mandiant:observable-c1bb4fad-f3f0-4d7a-861d-c4302e4b1f37"/> <cybox:Observable idref="mandiant:observable-7d002204-b850-4193-92d3-3016e95d59d1"/> <cybox:Observable idref="mandiant:observable-31268200-df2e-4252-8359-ae7a90433cc5"/> <cybox:Observable idref="mandiant:observable-fce682eb-b3e1-4d38-a42e-2de5eec1c850"/> <cybox:Observable idref="mandiant:observable-69718092-b9ee-45a9-822c-1eaa4a997d39"/> <cybox:Observable idref="mandiant:observable-f0aeffcd-c53d-4176-8b7d-7018c848bf6f"/> <cybox:Observable idref="mandiant:observable-b771e7b8-6f7a-4f66-8714-faf593b28b7e"/> <cybox:Observable idref="mandiant:observable-024dd82e-75ed-4574-8ca0-9c55c63e354b"/> <cybox:Observable idref="mandiant:observable-3179c759-84f6-46ca-8143-82908ebc34cd"/> <cybox:Observable idref="mandiant:observable-ef39982f-d403-4c7a-a1ba-5c598ecc8dcc"/> <cybox:Observable idref="mandiant:observable-a68353b7-e572-4766-87f9-09b5e5428fe5"/> <cybox:Observable idref="mandiant:observable-459bd1d1-b0e4-446a-931a-3471c2dd1718"/> <cybox:Observable 
idref="mandiant:observable-c4703fed-7e16-4d10-a9df-0edbe18fbe1c"/> <cybox:Observable idref="mandiant:observable-a19e1652-b5fd-4c7b-a201-0bdfa1bba90f"/> <cybox:Observable idref="mandiant:observable-28ad0026-1864-4eaf-96fe-3029613345f5"/> <cybox:Observable idref="mandiant:observable-b73a948f-25cf-4b6f-90bf-a5224d7edadf"/> <cybox:Observable idref="mandiant:observable-b61c3c5f-e034-47d8-bcba-c84628799458"/> <cybox:Observable idref="mandiant:observable-60f513ab-f989-41c1-b7a6-14338b505108"/> <cybox:Observable idref="mandiant:observable-24cbc42a-3990-4270-b87c-2e14ffeb17cb"/> <cybox:Observable idref="mandiant:observable-f8a37975-06eb-48f6-9ff1-72891d974715"/> <cybox:Observable idref="mandiant:observable-cdbac038-6f51-42ec-96c3-ae1bb9b0ca68"/> <cybox:Observable idref="mandiant:observable-b224b921-23c9-4cc5-968c-0f31e1a9fe53"/> <cybox:Observable idref="mandiant:observable-0600e80a-95a5-4849-abf4-f5b0f037b3a3"/> <cybox:Observable idref="mandiant:observable-8528458b-c27e-4539-87d0-740419f90bc6"/> <cybox:Observable idref="mandiant:observable-c9b8eaf1-5f27-4f7d-89fe-d34c7f5ac6f9"/> <cybox:Observable idref="mandiant:observable-4a1bbbc9-7936-40d6-bb12-ae6d0ebbef1c"/> <cybox:Observable idref="mandiant:observable-e37f6f41-81e5-41cd-b3e1-4472636750eb"/> <cybox:Observable idref="mandiant:observable-dabfafb0-f038-4c46-bae4-72c9b2c47ace"/> <cybox:Observable idref="mandiant:observable-f9ae4070-21a5-4c49-bd11-ed725122736f"/> <cybox:Observable idref="mandiant:observable-6a89b4c0-718d-4f6c-bbb2-0cfaa81360d6"/> <cybox:Observable idref="mandiant:observable-eff16361-6bcb-487f-b12f-7c7524975aa9"/> <cybox:Observable idref="mandiant:observable-055e7e38-b434-481e-827d-d46104055c40"/> <cybox:Observable idref="mandiant:observable-86a57228-9fe8-4ea9-952c-2bd01b4d79cd"/> <cybox:Observable idref="mandiant:observable-c412bc98-8edc-424b-9416-33c7011bf3b8"/> <cybox:Observable idref="mandiant:observable-8a2f5ff2-237c-4e45-835f-95b757469ed1"/> <cybox:Observable 
idref="mandiant:observable-3ff255fd-4cf6-4155-aaf5-de033933493e"/> <cybox:Observable idref="mandiant:observable-3409584e-e89d-4b18-8f81-c0f3a96a22b6"/> <cybox:Observable idref="mandiant:observable-271340f5-a56b-4651-950f-ffc9e77c0ca0"/> <cybox:Observable idref="mandiant:observable-b2dd815f-0016-4240-b831-7c3190aa3c0d"/> <cybox:Observable idref="mandiant:observable-d74d9b5b-58d3-4ef4-a818-c83695a2a7af"/> <cybox:Observable idref="mandiant:observable-03f0423f-c6db-4ac4-9b57-319d43ecfb99"/> <cybox:Observable idref="mandiant:observable-f2b0f996-240f-4c98-84e1-795a91af6157"/> <cybox:Observable idref="mandiant:observable-4fcc4a24-31f0-4de9-b404-19a84e785839"/> <cybox:Observable idref="mandiant:observable-0d6bc525-8980-40eb-b177-25199a431e05"/> <cybox:Observable idref="mandiant:observable-ad26d135-7c06-444c-bd9c-148152936129"/> <cybox:Observable idref="mandiant:observable-ad2b7f76-8999-4855-be06-95fe7333eab7"/> <cybox:Observable idref="mandiant:observable-f9691ac4-b7a6-4a68-8ab5-ca6d45166fca"/> <cybox:Observable idref="mandiant:observable-3168aba4-6246-44d6-a79a-cd6b067f41ad"/> <cybox:Observable idref="mandiant:observable-8fdb58e5-116a-41ff-a7d2-46e56f9439c5"/> <cybox:Observable idref="mandiant:observable-949db1fa-fc0c-41d9-90c9-ca9314c654ab"/> <cybox:Observable idref="mandiant:observable-b5419754-1d7e-4e0d-ba79-061896bf8389"/> <cybox:Observable idref="mandiant:observable-e105b49f-391e-45e7-86dd-eb2d8087e30d"/> <cybox:Observable idref="mandiant:observable-a931fac9-3d66-4f67-a96b-eac1d080a898"/> <cybox:Observable idref="mandiant:observable-40fe973a-354a-440c-9c01-793d25556721"/> <cybox:Observable idref="mandiant:observable-ccddc305-d691-4be8-9c78-333e2a036daf"/> <cybox:Observable idref="mandiant:observable-80081b94-7df9-4aef-8137-73e0c2c8eefc"/> <cybox:Observable idref="mandiant:observable-ca97b6b3-ae36-479e-b7ff-9363f3169447"/> <cybox:Observable idref="mandiant:observable-6610f26a-8c07-477c-9fa1-21dfd3050f15"/> <cybox:Observable 
idref="mandiant:observable-42d0ed40-0e93-4624-b28a-2f1e02b71c71"/> <cybox:Observable idref="mandiant:observable-549b908d-4d7c-42cb-bb21-ad2ca1c313fd"/> <cybox:Observable idref="mandiant:observable-f59fdba5-77be-4958-8488-a5e7a476a21c"/> <cybox:Observable idref="mandiant:observable-a7eb94d7-36d5-4b3e-b15c-905cfe3440f0"/> <cybox:Observable idref="mandiant:observable-f30a28b5-289b-44a4-a057-6bb48b209b50"/> <cybox:Observable idref="mandiant:observable-e2a7d3c7-66e0-436c-b7ff-6dda4a2d182b"/> <cybox:Observable idref="mandiant:observable-c98fb076-c73c-4339-9e81-1603d71c14cb"/> <cybox:Observable idref="mandiant:observable-ca8a127b-c365-4406-bb58-d965f17d3072"/> <cybox:Observable idref="mandiant:observable-de622043-d18d-4570-9c41-785e1f926d04"/> <cybox:Observable idref="mandiant:observable-69e791a7-621c-47fe-84d0-8c7c3c4c5539"/> <cybox:Observable idref="mandiant:observable-f2b05d1a-ef70-47ae-bb16-0972c5673db8"/> <cybox:Observable idref="mandiant:observable-abe084a6-95c9-4e2e-b50c-48634b049e8d"/> <cybox:Observable idref="mandiant:observable-d091bd18-9d30-4a5a-b73f-4e5686c7c61f"/> <cybox:Observable idref="mandiant:observable-9a0d7892-fe69-4f2b-b8b5-6bf1459adbf0"/> <cybox:Observable idref="mandiant:observable-0339701e-b944-4d36-a744-1a2d1dc4984a"/> <cybox:Observable idref="mandiant:observable-efa91ffd-9547-45e5-8f43-830b30630826"/> <cybox:Observable idref="mandiant:observable-71d2a49a-782a-4cec-8706-9d637847c256"/> <cybox:Observable idref="mandiant:observable-37423a2a-23ec-4836-bc6c-e91e3bbbc139"/> <cybox:Observable idref="mandiant:observable-12571590-08e0-4061-b6d1-eb491408217c"/> <cybox:Observable idref="mandiant:observable-b254ec57-2b1f-415e-9b4a-d0fa1824ec89"/> <cybox:Observable idref="mandiant:observable-d749c083-a4f7-40cc-8c67-28ac66e114d1"/> <cybox:Observable idref="mandiant:observable-e6799d98-6e76-4b67-add5-543c27b1ce11"/> <cybox:Observable idref="mandiant:observable-031173b9-3d67-4eb0-a9b2-cb0309e1d4ea"/> <cybox:Observable 
idref="mandiant:observable-10e80b2c-58ec-4ee0-94ed-dab861d672f3"/> <cybox:Observable idref="mandiant:observable-2c8d7578-f766-410c-bafa-ad6b2c465d5b"/> <cybox:Observable idref="mandiant:observable-e7727486-09ce-4567-9500-3ab2d7314def"/> <cybox:Observable idref="mandiant:observable-8e383de5-dc05-41ba-bb1a-237d315752fc"/> <cybox:Observable idref="mandiant:observable-27c0377b-ae5d-47d8-b7b4-369a5e19d96e"/> <cybox:Observable idref="mandiant:observable-a3d15fc1-a35a-4427-a3d7-f2f32da400cb"/> <cybox:Observable idref="mandiant:observable-9d71ef02-d837-42d5-9697-01909ef67497"/> <cybox:Observable idref="mandiant:observable-2be3fe72-f623-4db7-8546-37a789c51737"/> <cybox:Observable idref="mandiant:observable-7d0a3622-cb89-4387-98df-46cce2c03eae"/> <cybox:Observable idref="mandiant:observable-ac970ae5-b767-4853-bc68-56e6902ac774"/> <cybox:Observable idref="mandiant:observable-ebdb3df3-a53c-4df9-bf81-abe1d85058bd"/> <cybox:Observable idref="mandiant:observable-5236ded3-932e-400d-9941-07da6e92de13"/> <cybox:Observable idref="mandiant:observable-998d432c-ea3a-4483-8c2d-90fbcb6aace6"/> <cybox:Observable idref="mandiant:observable-95907c16-e72e-4a13-916a-57d216ca5ba9"/> <cybox:Observable idref="mandiant:observable-8cc362ec-5bf7-4829-9374-35ab06631eea"/> <cybox:Observable idref="mandiant:observable-f5a213e2-e862-4ba8-8f1c-03d5a8d150a0"/> <cybox:Observable idref="mandiant:observable-cfee9e99-7cf0-410c-a733-6d5955e9fc73"/> <cybox:Observable idref="mandiant:observable-d8911b27-17cf-4264-9a51-68d111a56068"/> <cybox:Observable idref="mandiant:observable-61a03b1e-0e29-4636-b0e1-491b9cf40561"/> <cybox:Observable idref="mandiant:observable-ced89bd9-a6cb-48b0-b401-b76a5b3f95cd"/> <cybox:Observable idref="mandiant:observable-fa8df09e-f458-4392-b8e2-733500f31483"/> <cybox:Observable idref="mandiant:observable-f9951faf-1de8-4b86-927a-a800b7537245"/> <cybox:Observable idref="mandiant:observable-fd457d34-2778-4cbe-978e-c95a7aa8dfba"/> <cybox:Observable 
idref="mandiant:observable-a7134924-b7a0-4f1c-b818-4e38f2c2f63d"/> <cybox:Observable idref="mandiant:observable-2238b0c8-37b7-49a9-83e4-4f1861409940"/> <cybox:Observable idref="mandiant:observable-1e6db3c7-b93a-43e7-ae3d-dc44910f0c5b"/> <cybox:Observable idref="mandiant:observable-031beb4a-f30c-4bb4-950f-99c9a762691f"/> <cybox:Observable idref="mandiant:observable-15526961-181e-4767-81c1-22e7f5d0444c"/> <cybox:Observable idref="mandiant:observable-54e1cfa7-5b9f-4dac-9b4d-732bb293815c"/> <cybox:Observable idref="mandiant:observable-511936a6-ff5e-4463-ae3c-7c304387ec73"/> <cybox:Observable idref="mandiant:observable-5dd6ca2f-564f-4d12-ae49-07c9b8c42705"/> <cybox:Observable idref="mandiant:observable-4b1620f4-94db-4cb7-98d1-7141c7568631"/> <cybox:Observable idref="mandiant:observable-9f36688c-aa19-4d6d-ac0e-58dbf963cdff"/> <cybox:Observable idref="mandiant:observable-be21f52c-fe43-4511-9ab6-fc00e6b23282"/> <cybox:Observable idref="mandiant:observable-4494ac88-9ec5-4190-b3c6-d083b6ce7c2d"/> <cybox:Observable idref="mandiant:observable-e07a2b0f-b23a-44d3-9047-5579172d4936"/> <cybox:Observable idref="mandiant:observable-b60946dd-61b1-4e52-b3a2-577f717334cb"/> <cybox:Observable idref="mandiant:observable-3c518aee-4064-4202-8a4b-de3e8a10a40c"/> <cybox:Observable idref="mandiant:observable-d5216c57-dd11-4343-a269-97abf7e8c45d"/> <cybox:Observable idref="mandiant:observable-ae8fd0ff-f4e9-4d36-ad1c-5d7ab6b5e4c6"/> <cybox:Observable idref="mandiant:observable-a076efc9-286e-45ad-b1cf-10c1544614e5"/> <cybox:Observable idref="mandiant:observable-11395907-8fc0-48ff-ab5c-0fa2bf0e8d2b"/> <cybox:Observable idref="mandiant:observable-4226b629-8bff-4b2a-87a7-e5fac402c3cf"/> <cybox:Observable idref="mandiant:observable-8bbb0362-5760-4b81-9ec6-8732388d2e35"/> <cybox:Observable idref="mandiant:observable-b339ef46-6452-422a-9421-14c96a48bfd6"/> <cybox:Observable idref="mandiant:observable-1e74cabc-58df-4e91-8256-0a8cef0b8144"/> <cybox:Observable 
idref="mandiant:observable-d9efea8e-5f1a-4893-81a1-3022410a2359"/> <cybox:Observable idref="mandiant:observable-6c044212-b4c3-42b1-98f0-a23db4579307"/> <cybox:Observable idref="mandiant:observable-0a45a393-c5bb-4abe-9fe5-55884ed3301e"/> <cybox:Observable idref="mandiant:observable-eccbdeca-17e3-49e2-86e6-d9a958b282b0"/> <cybox:Observable idref="mandiant:observable-876efde6-d854-4985-b4bc-38eeaf6ef402"/> <cybox:Observable idref="mandiant:observable-168e96c7-27ee-4dd9-83ef-42068e64e550"/> <cybox:Observable idref="mandiant:observable-2146b9ab-a964-4949-b0cf-0ee322674c97"/> <cybox:Observable idref="mandiant:observable-78a4421d-77f0-4baa-8b0f-4e502e1e6341"/> <cybox:Observable idref="mandiant:observable-b0d3d267-a266-4f4a-bf73-bd4bf33895c1"/> <cybox:Observable idref="mandiant:observable-13e6bd1c-3cb0-4045-8183-1bcba1a00bf0"/> <cybox:Observable idref="mandiant:observable-3048ce00-8772-4297-b560-661bd502930a"/> <cybox:Observable idref="mandiant:observable-950b8512-8dae-4155-a5ce-f5a5a87d85fe"/> <cybox:Observable idref="mandiant:observable-742e90a6-04f6-4c3b-a5d3-99f524401478"/> <cybox:Observable idref="mandiant:observable-ca3fb6b4-0230-4d9b-bc05-3030c8e35c70"/> <cybox:Observable idref="mandiant:observable-55e8ea00-8198-48b9-8706-858df3791137"/> <cybox:Observable idref="mandiant:observable-65937d7e-c289-4f93-9738-b1b70b9db291"/> <cybox:Observable idref="mandiant:observable-296b347b-44c5-4379-ab6e-47586c09008b"/> <cybox:Observable idref="mandiant:observable-7708d1e5-a710-45ba-ab53-2b47bd1ebec2"/> <cybox:Observable idref="mandiant:observable-38bbe2e6-52e5-4546-a24b-7d8a8a7be008"/> <cybox:Observable idref="mandiant:observable-03cc9226-6a52-4bdc-b8dd-5b59290e24e0"/> <cybox:Observable idref="mandiant:observable-79043b13-593d-44bb-a968-2cc4796ea553"/> <cybox:Observable idref="mandiant:observable-f831fe68-6ad9-4c3b-a458-da96e99bf51d"/> <cybox:Observable idref="mandiant:observable-7a8dafce-2759-407f-b933-58f880373498"/> <cybox:Observable 
idref="mandiant:observable-3712e3ad-c73f-4ac6-a060-ae91e5f4b209"/> <cybox:Observable idref="mandiant:observable-6a0c1869-51f9-47bd-b5ab-6dccb1e5c4dc"/> <cybox:Observable idref="mandiant:observable-e2902c12-d2d9-4430-b52e-f50b3a3cda0f"/> <cybox:Observable idref="mandiant:observable-0dc669b3-4708-4b9a-8342-39908c8fda76"/> <cybox:Observable idref="mandiant:observable-6390e920-b130-40a9-9c47-65e95ce704d7"/> <cybox:Observable idref="mandiant:observable-9992608a-b5ec-4de9-bc6c-ca680d901747"/> <cybox:Observable idref="mandiant:observable-e5e238fa-ee3c-4b90-bab0-f4e51686deb8"/> <cybox:Observable idref="mandiant:observable-78f7038b-c6b3-43b0-9d4e-f008ffc3d39f"/> <cybox:Observable idref="mandiant:observable-e206f2f2-91fa-4226-b125-b1d62a4d6a4d"/> <cybox:Observable idref="mandiant:observable-2d4e4cea-ac61-4439-9103-2df82e51dd94"/> <cybox:Observable idref="mandiant:observable-bbbaa9f5-88b4-4769-9295-067830277580"/> <cybox:Observable idref="mandiant:observable-97fbb0b2-280f-4652-a875-3ab57069fd94"/> <cybox:Observable idref="mandiant:observable-fc91331f-c835-40e8-a9d0-c8805a056ec1"/> <cybox:Observable idref="mandiant:observable-af547634-8c89-45c3-b523-d1c69dee87bc"/> <cybox:Observable idref="mandiant:observable-8d12f279-1dfd-49cb-9bc6-20c391e261c1"/> <cybox:Observable idref="mandiant:observable-8a1917da-62fa-4907-bbe1-a346b341ecc0"/> <cybox:Observable idref="mandiant:observable-1da495ad-f5dd-4d85-af38-2e1eb9dcd87d"/> <cybox:Observable idref="mandiant:observable-aff25096-ef94-4f73-9d6c-b137d311b76d"/> <cybox:Observable idref="mandiant:observable-dc43aa34-8044-424e-9149-8afa4ff0c577"/> <cybox:Observable idref="mandiant:observable-e8fa3d4f-1ed1-4649-9fe2-4a06dd4bf0f4"/> <cybox:Observable idref="mandiant:observable-f23bf30c-ef3f-4534-ae43-5a1a27f9b299"/> <cybox:Observable idref="mandiant:observable-33566849-1f86-465f-9bd9-d3d72022c7f1"/> <cybox:Observable idref="mandiant:observable-4fb0d58e-5b9d-4915-8df8-6a6b5047c285"/> <cybox:Observable 
idref="mandiant:observable-99656710-b8a5-46e8-90eb-2bd5c875a1ca"/> <cybox:Observable idref="mandiant:observable-051542fe-3415-415a-a8b1-fa809229fb26"/> <cybox:Observable idref="mandiant:observable-95f6e322-44c7-4ef4-848a-0fbe23c5fc1b"/> <cybox:Observable idref="mandiant:observable-540da951-fcb2-43f1-89a3-495305c3fd10"/> <cybox:Observable idref="mandiant:observable-8a03ee9e-5043-4ce1-8729-0c12a92a908d"/> <cybox:Observable idref="mandiant:observable-f9e0e6f8-9b2b-4b81-833f-2ade30521be4"/> <cybox:Observable idref="mandiant:observable-4719129c-3284-4b72-a7e2-b67e1d76b3e9"/> <cybox:Observable idref="mandiant:observable-b88fe4c2-2780-4e86-abc9-1fd01d05f1d2"/> <cybox:Observable idref="mandiant:observable-24ee6705-c3d8-4304-9a06-4008a9a23449"/> <cybox:Observable idref="mandiant:observable-92f1ffb0-0478-433c-a45c-bdb3fca452a6"/> <cybox:Observable idref="mandiant:observable-e80dbbec-1827-4c76-b561-4a826a74ec76"/> <cybox:Observable idref="mandiant:observable-fbc4c735-31e5-4ea6-bd69-c8c8c49614b9"/> <cybox:Observable idref="mandiant:observable-590410e3-cbb5-4a58-aba7-2c8f849f7e07"/> <cybox:Observable idref="mandiant:observable-c5debc8f-5481-4f4a-a8f1-f9e791be932e"/> <cybox:Observable idref="mandiant:observable-ee66514f-48be-4d66-88d3-058cb83c21c7"/> <cybox:Observable idref="mandiant:observable-2353a63c-c816-4a3f-aabd-3e7c451964f8"/> <cybox:Observable idref="mandiant:observable-9ba05a25-54a9-4288-8d9b-19d1633e382e"/> <cybox:Observable idref="mandiant:observable-0c862527-c7a6-4721-846b-674360e02d05"/> <cybox:Observable idref="mandiant:observable-60c2eb4a-09b9-4cdc-a25d-cdcb6b2d048a"/> <cybox:Observable idref="mandiant:observable-95395c68-d46e-46cf-8c34-cab57248c436"/> <cybox:Observable idref="mandiant:observable-d88551f7-346a-40f6-aff2-9d37b191b2a4"/> <cybox:Observable idref="mandiant:observable-8c17b911-940f-48e5-a9d3-a1a37b874a73"/> <cybox:Observable idref="mandiant:observable-b5e3109b-d003-4e43-ae1b-dd211ce39546"/> <cybox:Observable 
idref="mandiant:observable-dddc6df3-bd6a-4f9c-b64c-e41eb6a2a160"/> <cybox:Observable idref="mandiant:observable-5515aa67-956d-453e-a5f7-21cbc3b6bc01"/> <cybox:Observable idref="mandiant:observable-fefb9769-9a14-4e4b-bb43-b11ac1ea5d20"/> <cybox:Observable idref="mandiant:observable-e4ba4a24-5fa0-43b1-a710-55c1060ffbe4"/> <cybox:Observable idref="mandiant:observable-5ad007ee-80eb-4111-bf39-4beb81513c04"/> <cybox:Observable idref="mandiant:observable-9af5d073-4bcc-4b57-8add-450b271b8d7c"/> <cybox:Observable idref="mandiant:observable-bdd720ac-a60c-48e5-a701-11bce6df9481"/> <cybox:Observable idref="mandiant:observable-7f63da93-6a36-4931-bbc1-305ee9445d3a"/> <cybox:Observable idref="mandiant:observable-ad091b9c-f29a-4f0f-a50a-a0d11290feb7"/> <cybox:Observable idref="mandiant:observable-5fffb910-e9d0-4919-8fc0-7afb3eabe2e6"/> <cybox:Observable idref="mandiant:observable-55fe4b5d-70ed-448e-ba29-26e285605e6f"/> <cybox:Observable idref="mandiant:observable-0484c86e-0cc7-4f45-93b2-ccaa72d35abd"/> <cybox:Observable idref="mandiant:observable-2f0e18e2-3d62-4d5f-8523-0f5deee4e6a2"/> <cybox:Observable idref="mandiant:observable-4c974f84-2a25-4971-8926-c08927cd92f6"/> <cybox:Observable idref="mandiant:observable-f3a6eafd-ea13-4671-89f7-54441ffa55c2"/> <cybox:Observable idref="mandiant:observable-a83301c8-e493-4376-aa6d-d0900fe3de18"/> <cybox:Observable idref="mandiant:observable-efbc08ef-d619-402b-8958-31d69ca7ab41"/> <cybox:Observable idref="mandiant:observable-132a00f2-2ea7-4840-a64a-61dd8e5f6a41"/> <cybox:Observable idref="mandiant:observable-5117db30-f6e1-48a7-85c3-5fc54bd09520"/> <cybox:Observable idref="mandiant:observable-0a82d11c-ef7e-45e1-b1d9-afb1908c132b"/> <cybox:Observable idref="mandiant:observable-2d23d214-8c30-4615-a7f8-502377704091"/> <cybox:Observable idref="mandiant:observable-9450b911-ff5b-4ca2-9291-f77794b911ac"/> <cybox:Observable idref="mandiant:observable-e16a4b65-7734-4a99-ab70-5bd5d2ed2973"/> <cybox:Observable 
idref="mandiant:observable-c126266f-2951-4a8f-89b9-8e20f568b08f"/> <cybox:Observable idref="mandiant:observable-48a465c4-15ee-43c6-b54d-efc49ab756a5"/> <cybox:Observable idref="mandiant:observable-78db76ec-e88d-4910-9cc8-bce5a97300d6"/> <cybox:Observable idref="mandiant:observable-a9781e3b-ae53-4128-a71b-cee9245ff0b6"/> <cybox:Observable idref="mandiant:observable-dee91341-74a3-4abc-86d9-fef25e10d246"/> <cybox:Observable idref="mandiant:observable-12d4130f-cc2e-4381-bd02-b3d44f4833b4"/> <cybox:Observable idref="mandiant:observable-c2be8c2c-0d24-4456-aefd-b23eb2b6f0b9"/> <cybox:Observable idref="mandiant:observable-d5140a1b-8e85-4dfb-b63a-1acc5eef20b1"/> <cybox:Observable idref="mandiant:observable-b0b379f8-7193-4a0a-af42-efea99dc4af9"/> <cybox:Observable idref="mandiant:observable-c67a21b6-8a52-48f7-bea9-713f9e90b2ac"/> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <!-- The OpenIOC 2010 definition is carried below as this indicator's test mechanism. The unprefixed elements inside openiocTM:ioc are in the default namespace declared on that element (http://schemas.mandiant.com/2010/ioc), so namespace-aware queries against them must bind a prefix to that URI. --> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="8dd23e0a-a659-45b4-a168-67e4b00944fb" last-modified="2013-02-10T13:00:00"> <short_description>Appendix E - APT1 File Hashes</short_description> <description>MD5 Hashes from APT 1 malware</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">APT1</link> </links> <definition> <!-- operator="OR" over IndicatorItems with condition="is" on FileItem/Md5sum: a single exact MD5 match on any listed value satisfies this definition. An MD5 match identifies only a byte-identical file, and MD5 is not collision-resistant, so treat a hit as a lead to confirm with other evidence and expect rebuilt or repacked samples to produce no match. --> <Indicator operator="OR" id="b26314f3-956f-4340-bd9a-60f0e4ff210f"> <IndicatorItem id="05651fe8-64d2-47b5-a874-3e78e7918917" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">23e371b816bab10cd9cfc4a46154022c</Content> </IndicatorItem> <IndicatorItem id="103cfa65-fa42-41f0-96c8-0ddc0cbdafa7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">a810ab506857c933df2bea40ae0eb548</Content> </IndicatorItem> <IndicatorItem id="2277e6c7-48dd-49b0-a53b-53951f85421d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f802b6e448c054c9c16b97ff85646825</Content> </IndicatorItem> <IndicatorItem id="6896db08-5da6-40ba-9245-2a2a61354db8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2f5979eaa728550a352c1ffee0b31236</Content> </IndicatorItem> <IndicatorItem id="6093b5cd-f834-4716-946a-747ebcdbe33a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">24c4ed0a6cc4e9671b72c104977fa215</Content> </IndicatorItem> <IndicatorItem id="3b8f989c-920f-47a6-984e-93806bba70cc" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">973f4a238d6d19bdc7b42977b07b9cef</Content> </IndicatorItem> <IndicatorItem id="18ed243e-cac8-4a2d-b507-b5363a2ecc24" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a565682d8a13a5719977223e0d9c7aa4</Content> </IndicatorItem> <IndicatorItem id="7fc17be6-604f-4b4f-afb6-f4c6880377cd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7f398b00546c3a0946cd6142c308a556</Content> </IndicatorItem> <IndicatorItem id="0397d8b8-47de-4cb2-864a-599325b84582" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">496f04719a365f9718919002eff5748b</Content> </IndicatorItem> <IndicatorItem id="e5d8c061-332a-4269-b47a-e0115b71bca8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5cd578614afb50b925008b68b3accdb9</Content> </IndicatorItem> <IndicatorItem id="81db5dfe-ca08-4323-ba33-29d97a4219ce" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">079028d315d039da0ffec2728b2c9ef6</Content> </IndicatorItem> <IndicatorItem id="116c0cc0-aaac-46be-927b-5d19de4b3b98" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8725870a43192cb0176c82012996910a</Content> </IndicatorItem> <IndicatorItem id="b99065f7-605d-427f-85b0-3b448510d7e3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ccfb7a84bb87cc8f86ddd260ad38ed5b</Content> </IndicatorItem> <IndicatorItem id="5c27487c-532e-45ec-bd2e-e535ae07ed67" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0f23d5b93c30681655d8a4258b8de129</Content> </IndicatorItem> <IndicatorItem id="a33e7133-7c6c-437a-9583-8ee69782fded" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9d5aabcda9106132d1e1b6cf6cae28aa</Content> </IndicatorItem> <IndicatorItem id="370861b5-15a4-4a19-bf7a-bb9616af3a77" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7f26403f8e59a5f2728af2d3e0efaabb</Content> </IndicatorItem> <IndicatorItem id="f46f394f-9ccd-4edf-b5a2-c8d4a95b2688" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">70e2827ab4af1a38dc09a02fa95b82fe</Content> </IndicatorItem> <IndicatorItem id="9f53293c-3309-4f71-948c-e3cc1c143548" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">dff4d874b2bfc64a4d1805959c379074</Content> </IndicatorItem> <IndicatorItem id="97dec2ec-a86e-4f4d-8255-e9bdb1a1db29" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8a7764ded8467bd0fd0c30adc2acc1d4</Content> </IndicatorItem> <IndicatorItem id="bede4de9-36e7-4c4e-99a2-3b1a7a07e19c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">7eedcd6d00b4f08b825b4c134b6d8f1a</Content> </IndicatorItem> <IndicatorItem id="525c226b-b43f-4441-881a-87389b32bde2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ec8c89aa5e521572c74e2dd02a4daf78</Content> </IndicatorItem> <IndicatorItem id="bce5d153-cfdc-418d-9fe8-df23e0c3e9b5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7b42b35832855ab4ff37ae9b8fa9e571</Content> </IndicatorItem> <IndicatorItem id="98cdc7cb-1025-4ccc-8e08-cd0527be057d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6b3d19cc86d82b06f5db3ae9d5ba8a5f</Content> </IndicatorItem> <IndicatorItem id="4b05928f-343e-4617-9b25-706e1cfc09e3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cd6c1dbf08d8864b382678284ef13358</Content> </IndicatorItem> <IndicatorItem id="f02a9717-96f7-4748-a287-ad56d96c9617" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9ad292de00b2175a80b5909fa173cdcd</Content> </IndicatorItem> <IndicatorItem id="26006d09-1a1f-4d35-9a18-21785ad5c5dc" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d2c616bf238fc18f9ea0a1643bd2d4bc</Content> </IndicatorItem> <IndicatorItem id="bf5f8836-b3b8-4775-8de1-23b62b36c079" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6570163cd34454b3d1476c134d44b9d9</Content> </IndicatorItem> <IndicatorItem id="e345f9da-ffd5-46ea-82bd-0682a69c8b99" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1f92ff8711716ca795fbd81c477e45f5</Content> </IndicatorItem> <IndicatorItem id="ccb64070-590a-4b86-967d-87379102b7a5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">2272791cadf422ce02a117a3a857f84e</Content> </IndicatorItem> <IndicatorItem id="49c429e4-c709-4830-b312-5d0bb0c8ad97" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7a670d13d4d014169c4080328b8feb86</Content> </IndicatorItem> <IndicatorItem id="3bc28d73-633a-43c4-875c-c2cb7551ba44" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b145e4d19f5ecfaad45c795aee69c8dc</Content> </IndicatorItem> <IndicatorItem id="e8649b93-b7d3-4602-ab29-22443412e013" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">22d9466d6aab8410bea006b5d3df8bd0</Content> </IndicatorItem> <IndicatorItem id="dad60ab8-b908-4f3c-b4b6-e748eb0af215" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">611b1577ba976f76fc01368545bc395c</Content> </IndicatorItem> <IndicatorItem id="440f5cbd-e265-4729-8a03-d31f4949bbee" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">078f1e2c528f2318b073e871f73efc21</Content> </IndicatorItem> <IndicatorItem id="f5cec6df-5f6d-42a3-aa32-1b3cf57a2f4d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3f34e41d8ea034e6246ef6426bc91336</Content> </IndicatorItem> <IndicatorItem id="69442a84-08eb-472d-84cb-d78aa05511d2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f8892c6dacbf7ac756abb361e48bbc82</Content> </IndicatorItem> <IndicatorItem id="d7441823-0ef0-44c2-8350-d1456c41847f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f904ea9bc8e2d7ce13a6007183da5957</Content> </IndicatorItem> <IndicatorItem id="e6b7c876-636c-490c-b507-72fa142405c8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">20e2c8c7a98ddd4c16f6e878194c1e78</Content> </IndicatorItem> <IndicatorItem id="c39e7b9f-08bc-4a3a-adec-7c8704385d01" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3d573866620eae070a220be89e113f69</Content> </IndicatorItem> <IndicatorItem id="f79746e0-651d-4559-90f1-cbc0120a32ff" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">70c10f8b4dcd01b07be6cfb4df0d3348</Content> </IndicatorItem> <IndicatorItem id="275ec552-99da-4afd-9bbe-dbd8dd279990" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f7f85d7f628ce62d1d8f7b39d8940472</Content> </IndicatorItem> <IndicatorItem id="9bf46e24-9fe4-4efc-9fa5-72ea44503571" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ba773e1608198cf8337c5902d7930710</Content> </IndicatorItem> <IndicatorItem id="3056cb61-e438-4cbf-ba68-bff7077a5652" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0149b7bd7218aab4e257d28469fddb0d</Content> </IndicatorItem> <IndicatorItem id="63a99629-9927-429a-84ef-0f4e2a3b1367" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">065e63afdfa539727f63af7530b22d2f</Content> </IndicatorItem> <IndicatorItem id="ba0d89bb-cef0-4bd7-a4ec-8d28e683e220" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">56c26b175ae23d90244805a6ec347e42</Content> </IndicatorItem> <IndicatorItem id="3ca10b1b-5286-42d3-8d5a-74e658bdfb9b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5bac505fdc202e1c6507ef381a881ed1</Content> </IndicatorItem> <IndicatorItem id="545f8c89-f07a-4273-afe0-ae939c34801e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">6e9bedcf80f21171adb951a0d85d2adb</Content> </IndicatorItem> <IndicatorItem id="5ba1ef54-b240-4048-81e5-3bf13c725f69" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b1912db011633d98bc40ac568a4167a7</Content> </IndicatorItem> <IndicatorItem id="3a423788-f71e-484c-abed-7c00670bfdba" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4e1a92036a577a87a6fa36168d192c4b</Content> </IndicatorItem> <IndicatorItem id="881822be-3dc1-403a-af0e-07376032fa5f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">831a67dc75e2d4505180888747bc8ea9</Content> </IndicatorItem> <IndicatorItem id="404e40f9-107a-4dad-8dc2-0dc64f141b24" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">668b92feb7cbcc7ac75ff97dcec28d10</Content> </IndicatorItem> <IndicatorItem id="5819d156-9b7a-4d9c-a67c-d6290182d27c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">57cbf78c226265cc1e61ad86779bf906</Content> </IndicatorItem> <IndicatorItem id="6def3e89-8836-4a8c-ba46-2285da79863f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2156942db0293565c9420c1e254a2c32</Content> </IndicatorItem> <IndicatorItem id="5261246b-3eb6-4516-9681-7d5b0c1ce8f9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cd677f9ede43b4b86b421db249c0e020</Content> </IndicatorItem> <IndicatorItem id="38c036dd-c7e8-4035-b29e-00af763e2ae6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">22aa55134d621672e93c6de928c8b122</Content> </IndicatorItem> <IndicatorItem id="b52a9718-e8e5-4cb0-a837-a37289ea5d9f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">ec82a53f44511ac09e916bde02cddef0</Content> </IndicatorItem> <IndicatorItem id="cef3482b-70b5-4d5b-a9f2-6a42fc5b975f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2762fb36161086f7ef3f33232aa790dc</Content> </IndicatorItem> <IndicatorItem id="bb22d9c5-efa2-452a-baee-0cf6faf0dcce" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fc9d20d555a88fc827f3a2bfec4dfa36</Content> </IndicatorItem> <IndicatorItem id="8ca56c7a-0b17-4be8-8848-8eba311bc883" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ca68ccc887cfe5d2194f6a4d3101ae66</Content> </IndicatorItem> <IndicatorItem id="c3852e5f-f117-4b98-b404-f3df59bf70eb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4aa61b2c1e376b0cc10c877b22bd9aec</Content> </IndicatorItem> <IndicatorItem id="e24a0c6b-e6bd-4d4a-807e-ed444756f35e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7d0efb2480834a6a80210b7342d51154</Content> </IndicatorItem> <IndicatorItem id="d93d3e6b-8e75-4066-ad27-4ab3c8ddc366" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b743f6af7e307221ba425d6023ebe42c</Content> </IndicatorItem> <IndicatorItem id="04d2b17b-0de9-4e52-be72-0370587a1e10" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">86a906db5686bbf487689937d15bf71a</Content> </IndicatorItem> <IndicatorItem id="b316fe53-7c0d-4ce4-b425-6595d5ab17c7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">dc373f011e86d5528ca4824bb287c406</Content> </IndicatorItem> <IndicatorItem id="1ad0f0bd-5b9c-483a-ae66-08106e1403af" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">8f4863b4dfb52d8362c031d3720a6d97</Content> </IndicatorItem> <IndicatorItem id="326ffec2-dc36-4878-b9e2-5e9e84386b57" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">abe6ab89f957f6edf8f41b5ad198e5e6</Content> </IndicatorItem> <IndicatorItem id="96e47165-509c-49a0-ae31-14a52698d1d9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9f11bc08af048c5c3a110e567082fe0b</Content> </IndicatorItem> <IndicatorItem id="5a178b25-59fd-4177-8f57-48f7d497d24a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1aea4d24f3bd2c51288ad643fc66e0d2</Content> </IndicatorItem> <IndicatorItem id="23042542-a9a7-4aeb-b961-fd30b9f087da" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3fc26910f9c31bd9ba3ccb09132d9ca3</Content> </IndicatorItem> <IndicatorItem id="0f2cf480-7862-4df6-a1b8-a7dfb8e52da5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c3e5603a38e700274d1ab30ce93d08b9</Content> </IndicatorItem> <IndicatorItem id="359593a1-2f92-4e19-9ae6-baa0029e6398" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3f8682ab074a097ebbaadbf26dfff560</Content> </IndicatorItem> <IndicatorItem id="add1cad1-09f7-4557-bd37-30fc1b8c7d8a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1b7eed9d2438b494197e95fe57114f9b</Content> </IndicatorItem> <IndicatorItem id="e91938e3-5fd9-4db3-8168-799fa6f2d1ba" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0ff48a336655869a74611236e6e2d249</Content> </IndicatorItem> <IndicatorItem id="2bb6ca2f-11a8-43c8-81a6-76b822424088" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">0d678350f05b274844da5d79fee75324</Content> </IndicatorItem> <IndicatorItem id="e01a57c5-4648-42a0-a93d-c9371a880da2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e55f7d80d99b6aacb0c8d9ed46856d25</Content> </IndicatorItem> <IndicatorItem id="85d70fe6-c617-4e6b-a322-52c61fdb9fe5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">91deceb64c795927c6ea07f695f67334</Content> </IndicatorItem> <IndicatorItem id="e86f7f6d-382c-413c-ad3c-d788d6c3def4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f113e1c754679164b0e137449b7631cc</Content> </IndicatorItem> <IndicatorItem id="c671e8b1-5cb9-47dc-b5b4-70605a357be5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c30c7fa2eb06fc8c9ebbe955abe26edd</Content> </IndicatorItem> <IndicatorItem id="4cb4ee77-cc29-4f5c-bcb1-ea831ba89413" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8e1ec7e556b8c6612b6c34e310c50b66</Content> </IndicatorItem> <IndicatorItem id="359b1769-35f5-44fe-93fb-88cb8524a50e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ab208f0b517ba9850f1551c9555b5313</Content> </IndicatorItem> <IndicatorItem id="0026de5f-5b36-4f6e-9930-1ec7ebede534" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0ff20d023d6b54661d66fb3ce09afe3c</Content> </IndicatorItem> <IndicatorItem id="398ba8ea-cf1c-4598-a1f6-6780370d5ceb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3e6ed3ee47bce9946e2541332cb34c69</Content> </IndicatorItem> <IndicatorItem id="e60f9259-80ef-4ec7-bcff-f9c34a78bdc2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">c9172b3e83c782bc930c06b628f31fa5</Content> </IndicatorItem> <IndicatorItem id="9132c73d-3ea0-468e-9f23-3cfc63d34e4b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">88c7c50cd4130561d57a1d3b82c5b953</Content> </IndicatorItem> <IndicatorItem id="19a43f99-f9e5-4186-913b-3250064505c0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">40ee45b1343406b6f7ad6204f1af7693</Content> </IndicatorItem> <IndicatorItem id="d0e4c8ff-6425-4f6d-8d89-40fe33d249dd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">052ec04866e4a67f31845d656531830d</Content> </IndicatorItem> <IndicatorItem id="31c11f44-44bf-47d9-8257-71a9e103c43d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8442ae37b91f279a9f06de4c60b286a3</Content> </IndicatorItem> <IndicatorItem id="bc07cc72-4752-43b3-8541-24eb6f9f7653" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1f2eb7b090018d975e6d9b40868c94ca</Content> </IndicatorItem> <IndicatorItem id="9eb5e05e-70b8-473c-8f59-b52a58b0dda9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">411d770b2939e968c692dbdd3116e179</Content> </IndicatorItem> <IndicatorItem id="6d0d4fc3-a1aa-40b6-bb1a-1815879bc7ea" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">62a35021454e17f4a913e577d7ecd22f</Content> </IndicatorItem> <IndicatorItem id="794fa688-9801-4524-bb96-e702aa916617" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ec8aa67b05407c01094184c33d2b5a44</Content> </IndicatorItem> <IndicatorItem id="797c48e1-5c0b-425a-afc2-7f1830c06e1b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">c1bd23ece59e36143d80f7eec0e38c52</Content> </IndicatorItem> <IndicatorItem id="86e1d024-8f84-4e9f-9c1c-5e7decddfaaf" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b07322743778b5868475dbe66eedac4f</Content> </IndicatorItem> <IndicatorItem id="d2337907-5f47-40a0-b52f-5d764b6dbf49" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9ea3c16194ce354c244c1b74c46cd92e</Content> </IndicatorItem> <IndicatorItem id="1098380e-281b-4e66-be75-c614cc97ea40" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3b1b190407b868406c5c155a79f3d146</Content> </IndicatorItem> <IndicatorItem id="44686d0b-7211-4e71-866a-aa8006fe12d2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fade2270a6c7cb47893ac600a9a0509f</Content> </IndicatorItem> <IndicatorItem id="abf4682a-d32d-4ae8-85be-97ae4e3728f0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2479a9a50308cb72fcd5e4e18ef06468</Content> </IndicatorItem> <IndicatorItem id="54faec0a-b2a7-4ea7-93ff-f3644eb1d8fb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b36168ea438520875c621f5603db003f</Content> </IndicatorItem> <IndicatorItem id="982e8250-4a6a-40c9-9264-324a62f3f41d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0df42947e167cd006b176d305c08d57e</Content> </IndicatorItem> <IndicatorItem id="c20a79fe-4ccd-410a-ad6f-0aa6e7339a08" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9ecf9d5d8872fe55ab120265c3749ffc</Content> </IndicatorItem> <IndicatorItem id="541ffaec-8c22-4e82-9446-24b49d3599ce" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">6461ea41f179e660c40ed65aee1a4a2d</Content> </IndicatorItem> <IndicatorItem id="1e4b6646-b454-4d33-be79-03246949326a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2244c60f4c1dc285c259f3ac5bf88ff8</Content> </IndicatorItem> <IndicatorItem id="06d294e5-8e21-4987-a717-c078fef58614" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">82390e18379710df84d48881a1c1d0ed</Content> </IndicatorItem> <IndicatorItem id="d70f3afa-092f-4198-a97c-e60eeaa920e9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1809c3cc93332d7bc0799238519a2938</Content> </IndicatorItem> <IndicatorItem id="da7098e0-928c-47ad-acdf-a5e0b31a2b9e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">35008d12dfa47447112495f430e4aefe</Content> </IndicatorItem> <IndicatorItem id="d53a3508-d5bb-4210-bbc0-3a0189d4b976" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e4a9b8993e55e3d0ba355b13d1f27a2e</Content> </IndicatorItem> <IndicatorItem id="63dbd09a-2167-4f2c-a4eb-a59a5eb42fb1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a9993969be3ea340d420eea5868c0d1d</Content> </IndicatorItem> <IndicatorItem id="23372f15-d5d9-484a-a8b5-48f8a71cae9a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c110f08399c5dca64d7dc4539eb82083</Content> </IndicatorItem> <IndicatorItem id="d347c5aa-8573-45e9-b317-4cd48fb33309" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cb3a9d7505be48019e242fbccc7e5f6b</Content> </IndicatorItem> <IndicatorItem id="bb6a7d86-ccdc-49ad-a300-233466090cb3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">46a86e3c12d5025aa78c7ddf46717c38</Content> </IndicatorItem> <IndicatorItem id="6ea1dc10-cf21-4bc9-9936-517e0372a2e9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">52cb7fed85bd7ff6797fbc70105a09fe</Content> </IndicatorItem> <IndicatorItem id="0eacc6b9-d3db-4732-bdea-c00c11c89584" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">80bca9f272152280a462f84f1588c0cc</Content> </IndicatorItem> <IndicatorItem id="fc004b7b-ba76-4764-9f3d-d3aaa1b51487" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">693f711d8fab66a3efca98a19a733d56</Content> </IndicatorItem> <IndicatorItem id="77baa40c-7ddb-4101-9b7b-46fd979b1a8f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5fa50476240c9c59cb72b345751434ce</Content> </IndicatorItem> <IndicatorItem id="4ef42795-799a-4a7b-aef5-8b942034c6c6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">522d32a505f78f09303e689999a3e461</Content> </IndicatorItem> <IndicatorItem id="48a2a6d8-1393-4c20-be66-15b03dd4ca94" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">497f07f54a4c29fe3be1a15f4516e32d</Content> </IndicatorItem> <IndicatorItem id="3711ab1f-5879-4e86-8796-0226d7e9523e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5e33a9835bced338cb1959c347ac6798</Content> </IndicatorItem> <IndicatorItem id="e8570a77-faaa-4422-a627-30707bf45c36" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b3defdbd173738d44137f88a571647e1</Content> </IndicatorItem> <IndicatorItem id="54c18359-178d-4321-9479-b5037e24cc53" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">6faa4740f99408d4d2dddd0b09bbdefd</Content> </IndicatorItem> <IndicatorItem id="35fa316a-2915-4435-aaeb-65717957bd6f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d9fbf759f527af373e34673dc3aca462</Content> </IndicatorItem> <IndicatorItem id="1e2529c8-c4c7-4a1e-86d7-630842f293b1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bfcae0468de0c7bcf92e9989589082f1</Content> </IndicatorItem> <IndicatorItem id="8dd5d3da-e922-4e58-83f5-66116f9d0551" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">456d298649a7ec31a7250ed9312ebbaf</Content> </IndicatorItem> <IndicatorItem id="31d84c6d-d613-42e9-b1a6-72e6aaa78e94" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">da5ff7927d608d7ccc7495939d457bd3</Content> </IndicatorItem> <IndicatorItem id="c5ea82b0-a991-4bc1-a2bf-061887d35b35" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9548e5ed4fbacd0ed4a9d6a27f5d8fec</Content> </IndicatorItem> <IndicatorItem id="9bd9ac90-53d3-437f-910c-af0e0b1e1ec5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f3b54c188185ee0921848b3a6ad4751e</Content> </IndicatorItem> <IndicatorItem id="de49ae7e-db99-49ac-843d-4ec54d875b82" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cfc6112254a69030521d0d2bba152d4d</Content> </IndicatorItem> <IndicatorItem id="4599bf78-645b-468f-96cd-5822961ae9aa" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b7dba6184f07b1e824362a2307d91ae2</Content> </IndicatorItem> <IndicatorItem id="2f723b94-d7a1-469a-b792-21a110150d8c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">a360b16c19ab9dea6763f777257c5f38</Content> </IndicatorItem> <IndicatorItem id="1afa4b6c-0cbe-4a7a-93df-d33eac738ee7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3d0c1dc5ac55f6d0e6b7fabfeb5158f5</Content> </IndicatorItem> <IndicatorItem id="116d1a83-dfba-4e64-8c7b-c9048baa50f1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1ae2dadd85cd97452bb26b2c901d0890</Content> </IndicatorItem> <IndicatorItem id="6ff86f5e-3538-41c6-93e2-c3aa0760592a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1ce4605e771a04e375e0d1083f183e8e</Content> </IndicatorItem> <IndicatorItem id="ddefd762-9036-479f-bfe9-d9c5fb85f982" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">56de2854ef64d869b5df7af5e4effe3e</Content> </IndicatorItem> <IndicatorItem id="1deaf030-e074-4e3a-a788-45ae75a6e669" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">225e33508861984dd2a774760bfdfc52</Content> </IndicatorItem> <IndicatorItem id="51e62682-fd26-4ba9-8882-7585c5a8c359" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c2fa9f567fd34fb14fee6a38b6644ff9</Content> </IndicatorItem> <IndicatorItem id="9873610d-551a-418d-855e-7710fcd64e3e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ad8cde8841208ff226e04e8514dc699c</Content> </IndicatorItem> <IndicatorItem id="3d56b7e9-ff8f-4318-aded-27ed8a7e763e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">29c691978af80dc23c4df96b5f6076bb</Content> </IndicatorItem> <IndicatorItem id="54fbc385-ac96-45ca-9024-236bfc4945a7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">0285bd1fbdd70fd5165260a490564ac8</Content> </IndicatorItem> <IndicatorItem id="759928a9-9c42-4538-a7cd-172fcef91c1f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">034374db2d35cf9da6558f54cec8a455</Content> </IndicatorItem> <IndicatorItem id="f6b20d5f-888e-4b43-9cbd-605cc65d6f62" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">04e83832146034f9797d2e8145413daa</Content> </IndicatorItem> <IndicatorItem id="1c9fb5fb-99d1-4f4b-ada3-11057790d1e8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">04f481d6710ac5d68d0eacac2600a041</Content> </IndicatorItem> <IndicatorItem id="11eda4af-d518-4728-aeb9-486c7cd2fedf" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0501bb10d646b29cab7d17a8407010d9</Content> </IndicatorItem> <IndicatorItem id="26941fc7-5dd5-4e01-93df-4e51e0e2f04f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">05552a77620933dd80f1e176736f8fe7</Content> </IndicatorItem> <IndicatorItem id="aca6b530-4ad9-4d02-818e-9f6e64f6459b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">05cc052686fbdf25fb610c1fe120195f</Content> </IndicatorItem> <IndicatorItem id="8f9ef431-47f8-4c5b-a25e-20ea93fa1d64" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c94e22e285422ac541cfabebc9db1a5f</Content> </IndicatorItem> <IndicatorItem id="89fc07df-7c17-4c79-a831-f297fb1e2a87" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">df5c89d49ef8997c9b5abd8f808298c8</Content> </IndicatorItem> <IndicatorItem id="2e81bf63-45b0-4c8d-9ec9-f169a087a0ca" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">494fca685834f3158d133f6b09cbb507</Content> </IndicatorItem> <IndicatorItem id="a8eb1230-6797-4cf7-b823-163672a2b370" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f8437e44748d2c3fcf84019766f4e6dc</Content> </IndicatorItem> <IndicatorItem id="a3dbe6c2-b51d-4207-a311-9e5a955bd833" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a316d5aeca269ca865077e7fff356e7d</Content> </IndicatorItem> <IndicatorItem id="a818911e-297b-4324-aa6f-ac21ec319516" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">00f24328b282b28bc39960d55603e380</Content> </IndicatorItem> <IndicatorItem id="a9086d69-1179-4517-b822-eb84b1658942" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">85c4081a97255ac7ca7d0d5554e86ec1</Content> </IndicatorItem> <IndicatorItem id="0e7d60c6-e783-466d-8594-57c7b0848074" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5a032c13942a46c5ae015f53d9ce138a</Content> </IndicatorItem> <IndicatorItem id="c402b511-6782-40a1-a179-2e72b63c9b82" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3d6fe3928f2f5ce41622f3f958b894a0</Content> </IndicatorItem> <IndicatorItem id="da9072af-52c2-4305-a16c-e0db04c5d054" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ea3155748f9788b741b6799691250579</Content> </IndicatorItem> <IndicatorItem id="12c520fe-2240-4383-9502-338e690862be" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a14e8df8bc55f7459d24fe526f51a16d</Content> </IndicatorItem> <IndicatorItem id="5bb7a36f-9773-4ae3-913a-64feb2e8072b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">2dd892986b2249b5214639ecc8ac0223</Content> </IndicatorItem> <IndicatorItem id="694be730-bf53-4f24-ae76-063d44d84eb2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">35b9f05cf70017cc485af87660109dc8</Content> </IndicatorItem> <IndicatorItem id="891409e0-b48b-4378-8135-5f2db3d67cbf" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">785003a405bc7a4ebcbb21ddb757bf3f</Content> </IndicatorItem> <IndicatorItem id="1dd4e157-834b-4f9e-9d33-806646b95a90" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7a2eba5ca6f9b2cec61c5cc55dfca762</Content> </IndicatorItem> <IndicatorItem id="0d8f5c5b-5401-44cb-b795-20965c8e0706" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d20f0fbd001fd30610c3317fd3c6f7c0</Content> </IndicatorItem> <IndicatorItem id="92428cd7-19a5-4cfb-a526-0d04495d950f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">61e0da42d5d084af24d31fbcef4ff409</Content> </IndicatorItem> <IndicatorItem id="a214cabc-6e30-4abb-b8b0-fbc37daf2658" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ab445da3ee4e81a84d644476f669d35c</Content> </IndicatorItem> <IndicatorItem id="cd07b272-58ed-4b34-9b23-66c9a6c35410" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">08d7679a9c806a2f7d2be26fe9b425ee</Content> </IndicatorItem> <IndicatorItem id="ba98e853-f69f-44b1-848b-0628b0cc6b02" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">650a6fca433ee243391e4b4c11f09438</Content> </IndicatorItem> <IndicatorItem id="12b470cd-652e-4a54-8ed3-cdfd2a9627c8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">34cebbb4d35a66a7a7fb1ce857c195c9</Content> </IndicatorItem> <IndicatorItem id="016b517b-d8a2-47d2-926f-1837ca649be1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7be6c90facbfe9ecf470fb27e6673fbc</Content> </IndicatorItem> <IndicatorItem id="5d7e66e4-e185-4a2c-a85f-4883e059ba4b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c0a33a1b472a8c16123fd696a5ce5ebb</Content> </IndicatorItem> <IndicatorItem id="5fc3446a-a934-4c80-87f6-8005cdd9afaf" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cc0b9bf4ea738d63f06bfe411460412b</Content> </IndicatorItem> <IndicatorItem id="ba698614-a29d-4fad-9a80-e31494c728ff" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8b75bcbff174c25a0161f30758509a44</Content> </IndicatorItem> <IndicatorItem id="effe17e2-3650-4f8d-84b8-b82bb331cf88" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">89a2802e2f2356ce6a757f833c3ba3ef</Content> </IndicatorItem> <IndicatorItem id="741d2a1e-37cd-4450-bb15-96513fd642b6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">eb61cedc9793226a66e4611e6ea25d7f</Content> </IndicatorItem> <IndicatorItem id="3e5ad28e-5bfa-4bb7-851f-42d14ccea030" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d1a18c7de189170c588e7128ec3f8453</Content> </IndicatorItem> <IndicatorItem id="ba856a40-0074-41c1-819f-3cfbbca29a46" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ae1dda87cc5998de79ecb68527bbd191</Content> </IndicatorItem> <IndicatorItem id="4d84aaf2-0cfa-45b9-9b1b-b1f1ed00221e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">125ebbc6f0c957ee994fcef1431a93f4</Content> </IndicatorItem> <IndicatorItem id="a4dfc9ad-d778-4574-ad9d-035765b9510b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e65db662e449cab03a6c1ac51af41360</Content> </IndicatorItem> <IndicatorItem id="f2b6c13d-c933-41fe-b5e0-76b0245b5b59" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2ba0d0083976a5c1e3315413cdcffcd2</Content> </IndicatorItem> <IndicatorItem id="9e57ab75-f804-4c5f-bece-fe6d56a8db5e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">30b3b17eab05ecffaa055b5091aa66f9</Content> </IndicatorItem> <IndicatorItem id="4d1bdd42-d9ec-459e-8e8f-2a8057b84d5c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">19fc27aeb48b3ce8d00eb2e76dfe2837</Content> </IndicatorItem> <IndicatorItem id="d13b55ac-b75c-4505-a7f2-1b57b56d6b06" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2080f463388aebe6deb7edf11c01f7ff</Content> </IndicatorItem> <IndicatorItem id="db8fef14-2efd-423f-8189-cc3d2152851c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">531a3b0acd95f55c3a7418d31f741357</Content> </IndicatorItem> <IndicatorItem id="45a74b7f-786e-4381-9d14-63c1d6c1a84b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f38e76417c0f87322d55062428283e58</Content> </IndicatorItem> <IndicatorItem id="61279900-2d22-456b-b146-3f5f25c5897e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">caf33d1e15953c0e782846e1709498f6</Content> </IndicatorItem> <IndicatorItem id="b5e5baf1-f5b5-4c57-9aeb-28ac618ed7ab" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">7af399ff99109a9501da73337c0bdf4b</Content> </IndicatorItem> <IndicatorItem id="23508af8-104d-401c-8390-5c241bea9bf4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fa11cb78f53db2d2718d536d4bd20b85</Content> </IndicatorItem> <IndicatorItem id="f42a0f08-4705-4ba4-893c-feee956ba888" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">42462d31a2e5b1e4602a1a4d39abeca9</Content> </IndicatorItem> <IndicatorItem id="52484842-5bfa-4ae6-938f-f34bb535ac70" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">99a39866a657a10949fcb6d634bb30d5</Content> </IndicatorItem> <IndicatorItem id="28660aaf-40fc-4d95-b857-377940895049" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d4c7f1f80883412f9796f1270accff50</Content> </IndicatorItem> <IndicatorItem id="92f22fb9-d3d1-4341-b9f6-a7187f680788" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">65018cd542145a3792ba09985734c12a</Content> </IndicatorItem> <IndicatorItem id="10265b2b-45f8-4173-ba5e-f7d0bfe8d3fa" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">dc059121677ec7a038589cda28cbcc49</Content> </IndicatorItem> <IndicatorItem id="74672d8b-dd58-45f9-9aea-6d4c31fb944c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a4143ade719c2222d8602819a3e212ae</Content> </IndicatorItem> <IndicatorItem id="ee50608f-9ab2-40e1-ae16-964c37e970c4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3e12ffa5ad676a41754e2cc59e980e57</Content> </IndicatorItem> <IndicatorItem id="d5ed1516-1969-4ac2-b5d1-331110658ef2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">420deefd91db5e177b46e4134441a35e</Content> </IndicatorItem> <IndicatorItem id="99e5c689-7f37-4aff-a45f-c617e6b4a066" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">09531f851ef74a7238685fd287a395bd</Content> </IndicatorItem> <IndicatorItem id="c5bcdeb1-e953-4d4e-a703-608fd6cdff4a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ca6fe7a1315af5afeac2961460a80569</Content> </IndicatorItem> <IndicatorItem id="e04d55cb-4f79-4b61-8325-69996f9062e1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6576c196385407b0f7f4b1b537d88983</Content> </IndicatorItem> <IndicatorItem id="940679c4-ec10-4eb5-9d21-20b12654b772" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">07fe9f901fb4f14e16fb5d114a92b0fc</Content> </IndicatorItem> <IndicatorItem id="29c98e79-163d-49ff-bbcb-3158835d45b6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">08084604344b5ed11c2612795b2d3608</Content> </IndicatorItem> <IndicatorItem id="c282d42f-e81b-48cd-85fd-111d8a0a3099" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">09d372e4259980ac95fdadf1846578d9</Content> </IndicatorItem> <IndicatorItem id="bdf28114-09ec-4b88-99e6-26a7e199b3f3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d802a0c3e0c3dcac43877bd488f2b042</Content> </IndicatorItem> <IndicatorItem id="3c38aa4c-e87a-4e2b-8a35-c6e78ffec8e7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a17bb80ae02c8b003cf69222fa13f506</Content> </IndicatorItem> <IndicatorItem id="3f462f7c-f56e-46fb-b242-9ae949f66a6a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">45aa4177bb42eb3ded5edf397a4aaded</Content> </IndicatorItem> <IndicatorItem id="d61d7c99-eec5-485a-be51-bd82a6991134" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0b680e7bd5c0501d5dd73164122a7faf</Content> </IndicatorItem> <IndicatorItem id="824b99b0-6b88-419a-89ec-e218123bfcb4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">edb4faeee6542572aff2ec1b6affbd28</Content> </IndicatorItem> <IndicatorItem id="3c65469b-0378-4e57-b6d5-a43eec2c7b69" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2640cb47de607a8276c26e8a27f1150b</Content> </IndicatorItem> <IndicatorItem id="fd76a869-3acd-4e5e-a4b9-26cead229768" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ea7309fa59e9347a0715f164edf6b200</Content> </IndicatorItem> <IndicatorItem id="5981123c-be20-4852-bd80-53887bd6e1d0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">02a2d148faba3b6310e7ba81eb62739d</Content> </IndicatorItem> <IndicatorItem id="b3ba2153-dd85-498f-84cb-fce518db3d76" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">37df1896ba54e85ef549ccc1a88d34ab</Content> </IndicatorItem> <IndicatorItem id="01c0595d-90ae-4973-b1bb-f7a5bf4cc987" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2af105519133baaee57c9ade00543de2</Content> </IndicatorItem> <IndicatorItem id="72e103af-aa68-4a48-8deb-d7982a113a2e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0ca6e2ad69826c8e3287fc8576112814</Content> </IndicatorItem> <IndicatorItem id="d1b2d48b-66f3-45ce-bf59-8ff8dfee1aa5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">0cf8259502d178a099ab2852e2bddbe1</Content> </IndicatorItem> <IndicatorItem id="ddff18bd-d45c-4066-a5e6-ee509c1f8ae4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2a214ce037f5f6bb01ddc453f0265d92</Content> </IndicatorItem> <IndicatorItem id="1ba25759-0637-4361-a2e6-e00f96108434" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0e84132e5ad04351b644b8d8743fc4d3</Content> </IndicatorItem> <IndicatorItem id="15ec4e35-97de-4317-80ca-e29ab5690ea0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8412a3e37499f8289faf54546824ab61</Content> </IndicatorItem> <IndicatorItem id="c65de21f-c921-4ad6-8543-672db0ee4ad7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0fed203f3df6a82c9124f24aa3d9d75d</Content> </IndicatorItem> <IndicatorItem id="cdc07416-dda9-4ee6-961d-eb395d8aa546" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">106338ad223b84fbc2528a55e3e22302</Content> </IndicatorItem> <IndicatorItem id="ee7ba12a-de8b-4acb-a11c-f594d78a4a34" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">10a38dd9598cc31efe664cfaa8f37bf1</Content> </IndicatorItem> <IndicatorItem id="b8771f22-f1d2-4463-ae74-88d73877ef19" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">10bb5a8ae053e335fe047cf38db95452</Content> </IndicatorItem> <IndicatorItem id="c5f09ac4-1660-4b6f-8937-33777c039842" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">11d350127ff1e9ecd665c34326475584</Content> </IndicatorItem> <IndicatorItem id="d01ff7bb-1c9d-4f2d-a2e3-93a2ae7c74a8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">11dbecc954bf8a89d59407a992889cfd</Content> </IndicatorItem> <IndicatorItem id="104d1ce8-162c-455b-9b95-c9f6018ea13e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1224527e295380dce1ac9953c850ce97</Content> </IndicatorItem> <IndicatorItem id="ccd58757-ad49-4dc4-b512-11eca443e3be" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">129c6cd9d2aa895cf6fa137fa1d3a188</Content> </IndicatorItem> <IndicatorItem id="138cc173-f5bb-4c34-afae-990053f4cffd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">12a410d82a1fc9a8c18b350872e0d465</Content> </IndicatorItem> <IndicatorItem id="db75116b-1bf3-413e-a21c-ccf4688b7ff5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">12f25ce81596aeb19e75cc7ef08f3a38</Content> </IndicatorItem> <IndicatorItem id="1bdaae9c-3cb8-4e09-a694-f3afa52df863" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">13f0b56c28995e4efc8da784ad862853</Content> </IndicatorItem> <IndicatorItem id="6b1dc651-19bc-4ad1-9e1b-74c5ce9cbc98" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4227f2872817cfc74d134ee9f3d06d14</Content> </IndicatorItem> <IndicatorItem id="83e1f85b-23fd-425e-93d9-bbc2c37c400e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">753ec12f61c2f7c9a5763c9063a16106</Content> </IndicatorItem> <IndicatorItem id="93bf23a9-e338-4ecf-8388-06126c4d3cd8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">62bee50b480f6a6aa427a00464baf376</Content> </IndicatorItem> <IndicatorItem id="aa6dea2a-9056-479f-88ef-b0a3cbeaa455" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">ec3a2197ca6b63ee1454d99a6ae145ab</Content> </IndicatorItem> <IndicatorItem id="4a0ce12a-e900-4c4d-99d6-4b122731c360" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">268eef019bf65b2987e945afaf29643f</Content> </IndicatorItem> <IndicatorItem id="df910c86-06cf-44ea-8185-8c0c96e81f8b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6e442c5ef460bee4c9457c6bf7a132d6</Content> </IndicatorItem> <IndicatorItem id="abb7dbc2-f22e-4952-acf5-618febc53f4f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a40e20ff8b991308f508239625f275d8</Content> </IndicatorItem> <IndicatorItem id="30af6eea-cea6-4f14-b744-bf9a8f703f1a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bcbdef1678049378be04719ed29078d2</Content> </IndicatorItem> <IndicatorItem id="a372d9ff-4aaf-41d1-ba44-c6d033f505da" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4749f6336eb86b5fa7029661f88ded20</Content> </IndicatorItem> <IndicatorItem id="bce74167-9b44-4df0-a39f-3a3c7277e83e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f2693de8b687c20aca98bfc1c5aa5b38</Content> </IndicatorItem> <IndicatorItem id="cabd44e6-983a-4bca-a6fa-4c61fa033bdb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1fff3f96f53c5bbdd39eb2351f12549d</Content> </IndicatorItem> <IndicatorItem id="0193b5d9-b3bc-4900-a590-862b975a239f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9c03ab63a45d29aee90b72ae89f2f613</Content> </IndicatorItem> <IndicatorItem id="6879a73c-c49b-4413-892c-499134f0114d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">f7c63592ffb87b81ce45c89d207e9403</Content> </IndicatorItem> <IndicatorItem id="d85d6ef0-4773-43a3-8e85-0216654f565f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">adb62105427567ddc11124fc27921c40</Content> </IndicatorItem> <IndicatorItem id="502db973-1af6-4bbb-a851-466c92105d2c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3a3e4bca1197e4abab03340ea97d718d</Content> </IndicatorItem> <IndicatorItem id="8be65eaf-2d7c-4e62-9bfa-17d9fd775ee8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ea34b72cbeb07aaac2398704c3ca6b0f</Content> </IndicatorItem> <IndicatorItem id="4c462c80-0f77-4007-8f2d-a1f78c2afc81" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f0d2ad2002557a86ecc780bf938b6dfd</Content> </IndicatorItem> <IndicatorItem id="563bf0ce-e0ee-4340-b484-33ddf3f83eb5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">56a5d0575c0c712deb16f465ac888a65</Content> </IndicatorItem> <IndicatorItem id="746cc7d0-76e2-43c5-ae3d-ff6620621228" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f445b22897a27ac5852ee19589bea8c2</Content> </IndicatorItem> <IndicatorItem id="6b11ff12-d96c-4ae8-a2be-9fb5c59fa698" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">57f98d16ac439a11012860f88db21831</Content> </IndicatorItem> <IndicatorItem id="f0677089-a8c4-467c-bfb5-5b3b07babdd2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a2cd1189860b9ba214421aab86ecbc8a</Content> </IndicatorItem> <IndicatorItem id="477c3d89-6041-4b2e-997d-f61a4a31c005" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">effa99ea879e5be518f242d5820be070</Content> </IndicatorItem> <IndicatorItem id="c41366a8-2659-4319-bc47-09b215b7e8a4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bdc5e16aec2c3796fb879a5c260d6ca9</Content> </IndicatorItem> <IndicatorItem id="6b875024-ebe6-4ea9-8708-2ed280651413" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7704ad9e8e0e3d75075e4c294f698d53</Content> </IndicatorItem> <IndicatorItem id="b4dcbe3f-63e6-42d5-b10e-3f2f3c999e8a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bf80dbf969b73790253f683cd723fd71</Content> </IndicatorItem> <IndicatorItem id="976581b3-2c09-4da6-86cf-1b5546901bd6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5a728cb9ce56763dccb32b5298d0f050</Content> </IndicatorItem> <IndicatorItem id="aa4a91e8-493d-4b0c-9c99-af4ef5336a8f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8c6ece2ade2bfad3171c925baa64af50</Content> </IndicatorItem> <IndicatorItem id="c9215163-4611-4905-9288-4f7d732d3f55" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e24e889e826df04f552e0d133548b693</Content> </IndicatorItem> <IndicatorItem id="a4195997-7509-4b3f-b824-1d650217b5d2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">76bf44d7734ec8581e846a9f3005aed4</Content> </IndicatorItem> <IndicatorItem id="bb93c805-8268-467a-b4a2-64f40dfc1e23" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">839c8c06c4d81f523078b0d45d8250ff</Content> </IndicatorItem> <IndicatorItem id="671043a6-7b1f-414f-983e-03352d8f30e0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">b3848edbabfbce246a9faf5466e743bf</Content> </IndicatorItem> <IndicatorItem id="cd95c08b-d8bd-4889-b4f5-b189aa7fb825" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9206ae65b685dc7ea1cf1ec02606de6c</Content> </IndicatorItem> <IndicatorItem id="a6c4ff07-6162-431c-ab3f-be5f8bab5c8c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c116f5f89e24c7de3ea9cae83b7fc829</Content> </IndicatorItem> <IndicatorItem id="e944fb78-bb15-4294-9480-17256f077d78" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">abff707cb54a6e5a9fcbb3fef74dbddc</Content> </IndicatorItem> <IndicatorItem id="64fdc9f8-7608-42db-9087-621fee4f55d0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2b732257d8d9f09560fdcb7d84d430ca</Content> </IndicatorItem> <IndicatorItem id="9ef95b84-db32-4ede-9140-656d6fb14e29" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d41c6005a75a6d28480d63f540d36c70</Content> </IndicatorItem> <IndicatorItem id="dda930ae-86cf-4a57-85c3-2d7020e3fb9b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">41bb847963a8fce70ad21e70dd786107</Content> </IndicatorItem> <IndicatorItem id="851205be-9d18-44dc-8873-d3852894368d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6ebbfa603aa4e90148ad0b726806c359</Content> </IndicatorItem> <IndicatorItem id="2625b006-e1bd-4f59-902e-9b9a9012424e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9e30b1665077b7e65bc8ff1e7c752306</Content> </IndicatorItem> <IndicatorItem id="15a688c1-a8f7-4656-9d3d-e7b7a677e85d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">0fbdc6e3f79063a4773d4872fa1f15d1</Content> </IndicatorItem> <IndicatorItem id="f2bfc2f7-7b56-496e-9d9e-b33a5eb0e257" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">eef80511aa490b2168ed4c9fa5eafef0</Content> </IndicatorItem> <IndicatorItem id="5552cf1b-0cb8-486e-9f40-3ab0205d45eb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c53332a5bf112f03ed22b06d85140626</Content> </IndicatorItem> <IndicatorItem id="011db5d9-e228-43d5-ae55-bc81bf98311c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7cb055ac3acbf53e07e20b65ec9126a1</Content> </IndicatorItem> <IndicatorItem id="2d52025c-6954-41ac-8350-aa7574771ccc" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d74b169e98dd16d0f3af0dc770dffac0</Content> </IndicatorItem> <IndicatorItem id="2f375642-db88-42fc-8394-00f58e27aa90" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">71173ad2bc7b39342b1bdaadeaaa0d8a</Content> </IndicatorItem> <IndicatorItem id="f5c8c285-db9b-43c3-bcdb-44030d13e7bb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">55bd26326db3d512b6bd9f75d6671819</Content> </IndicatorItem> <IndicatorItem id="aee33872-838c-48a9-9a65-87ea320d3ba0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4e3ddb5c27e45ee0e6dcc02e87b0abb5</Content> </IndicatorItem> <IndicatorItem id="1dd90fa1-59f7-4561-a9a3-7cc8653488ee" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b0d4fbcc0c65c7d5ef7e1c4309c719cb</Content> </IndicatorItem> <IndicatorItem id="2a628575-8096-4a5c-bfce-ab3e3f6bff20" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">e4be1e46775081b1d5405b3dd7dd1c64</Content> </IndicatorItem> <IndicatorItem id="ecc5e067-1ae0-413c-82f0-1a2faf521d06" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ba0c4d3dbf07d407211b5828405a9b91</Content> </IndicatorItem> <IndicatorItem id="3f36b356-9c91-43aa-b829-96aa877064af" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8e8622c393d7e832d39e620ead5d3b49</Content> </IndicatorItem> <IndicatorItem id="58ae957b-fd63-4a25-912d-a8c1de6b6da8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">18e5ef23b634344321b2b3f5fa80a598</Content> </IndicatorItem> <IndicatorItem id="107c4f67-380f-4346-8cff-12ff38beff29" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4d21cc82e4031e1d6bb15541827b9e67</Content> </IndicatorItem> <IndicatorItem id="3b90b833-c8d7-4ac5-bf2d-8f8c1e9e6393" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ff085d421518772ce2df75282363279f</Content> </IndicatorItem> <IndicatorItem id="2153595f-b315-4b51-b5f9-362545a09116" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fae6eaf695af058af4b8dfee0709bf51</Content> </IndicatorItem> <IndicatorItem id="fa8b9841-e5a7-4a62-b963-cd2a010423c4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2c78d8bb5912d8174042f81197d9b449</Content> </IndicatorItem> <IndicatorItem id="a91a6c5d-2f12-439c-a4ca-7a815a8af6f4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">28e64dfeab48030bc532ae4ace2c9e4c</Content> </IndicatorItem> <IndicatorItem id="9f90a5ae-3d83-412a-926f-9e6286f39ada" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">47e7f92419eb4b98ff4124c3ca11b738</Content> </IndicatorItem> <IndicatorItem id="7d0cf1f1-d405-4899-8d4c-eedb4294619c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fe8ff84a23feb673a59d8571575fee0b</Content> </IndicatorItem> <IndicatorItem id="235f4d5f-ac14-43bd-b339-2c10a1cba74c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1b36190794516da078decaff881d9864</Content> </IndicatorItem> <IndicatorItem id="406bf6b6-5f28-4a0b-9d53-7965c71e90aa" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cc17fe9f2d254ad28d050bf5c1df983d</Content> </IndicatorItem> <IndicatorItem id="2856378e-1bc8-4803-8f38-d0a71c514b8a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">dbdd2a9c86e71ba0c9953ff4f89cc25b</Content> </IndicatorItem> <IndicatorItem id="2e71e0ab-9698-4ea2-af45-3298d113d4ee" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">77382bb7fd431211b32d84d4de74b043</Content> </IndicatorItem> <IndicatorItem id="ad323f66-7ce8-4e19-8be7-0512f116d904" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d751c7f7d2eab52c43ab31312e229307</Content> </IndicatorItem> <IndicatorItem id="a3f38876-8b2e-41f4-ad4a-a888d8765396" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c2a79bb15a31fd6584d9bf0891673d14</Content> </IndicatorItem> <IndicatorItem id="232f108f-4dd7-4125-a359-42b8211bda79" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">33d974011c4b047bf9874a71ba261a11</Content> </IndicatorItem> <IndicatorItem id="0e1c72b5-3b5f-413a-a09f-8b10c427da94" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">a28ee614e3d783a7561cf8a5a469959f</Content> </IndicatorItem> <IndicatorItem id="f8bf4f08-aa74-401c-b7cd-64258bcf842a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cd2102c5db1ed828a9c196448c40af3e</Content> </IndicatorItem> <IndicatorItem id="e3c8c1c0-41f6-4e16-b84a-20d5a3704c68" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a039a61e4c274811b0388aa517d29fbb</Content> </IndicatorItem> <IndicatorItem id="67832c9b-400f-4ef7-a937-c095bf005930" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f4f8067d501bfef385274912d2a833b5</Content> </IndicatorItem> <IndicatorItem id="ec09392d-30ec-499a-8d51-3740c3bb8977" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">351afebaf03ef12e6ad1b412612d0c53</Content> </IndicatorItem> <IndicatorItem id="995c2b05-2ff3-4d72-9191-468685bc4083" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fab7c555a511f4d4e318817455bbb75a</Content> </IndicatorItem> <IndicatorItem id="3bf8ddd5-ea93-4583-8315-6e7f541c0f25" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c7b48b6965642b504f6f36933762df8a</Content> </IndicatorItem> <IndicatorItem id="e1a3765f-07f0-452a-8c85-2a8f695d233e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">da383cc098a5ea8fbb87643611e4bfb6</Content> </IndicatorItem> <IndicatorItem id="4c582b32-dd15-4846-bfd0-10849ea84b96" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">76f6c7301dbf0219eae991d65804292a</Content> </IndicatorItem> <IndicatorItem id="8eaf6266-a888-44aa-8e99-2a5996800de6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">15901ddbccc5e9e0579fc5b42f754fe8</Content> </IndicatorItem> <IndicatorItem id="64d6efd1-9d30-43e5-b19d-5a566fe24e33" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9d8a7970be7826d29732817c0cc84bde</Content> </IndicatorItem> <IndicatorItem id="ea553c08-c6b6-44d5-bc56-551272a5f02d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">acb99e5318f7001298df1aef51a9463e</Content> </IndicatorItem> <IndicatorItem id="b30a0d82-77ba-402d-b7ee-57bf5fcd3210" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">da60673b4f2a4660d2734a16a832282f</Content> </IndicatorItem> <IndicatorItem id="2340c5fe-d2a9-4f76-9e7c-6e311434ecd1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1ca3ca9ec20474d07fc798f2b41e2625</Content> </IndicatorItem> <IndicatorItem id="742493b6-9811-45db-98af-ec037cb8bec8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1fb4ce2e56ced51ddf1edff8ed15c21b</Content> </IndicatorItem> <IndicatorItem id="266ccf83-4261-4cd1-94b2-c708e3cde982" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2198fea94bb79b001fcfd3e03b269001</Content> </IndicatorItem> <IndicatorItem id="43394133-3171-4225-bf3f-4e54f5aa09cc" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bf0ee4367ea32f8e3b911c304258e439</Content> </IndicatorItem> <IndicatorItem id="a6782aed-077b-46c2-b353-b0bdac060e1c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">966db6a32ccf7e57394706abc3999189</Content> </IndicatorItem> <IndicatorItem id="d5df9e4a-240a-4167-afcf-77904047b580" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">6846ad52c9208830ceaf4cfd81402015</Content> </IndicatorItem> <IndicatorItem id="d594ae76-2ea7-4e97-9c12-6c6fec436714" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c8d2b7f92fff545b3b19e9b1e1057071</Content> </IndicatorItem> <IndicatorItem id="988e9f00-1ca2-46dc-827b-c941b7b064c7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6e8f302794cfaae731840e345063e652</Content> </IndicatorItem> <IndicatorItem id="22f5e5ee-a879-418c-8a93-68431d0820be" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ef349196b0ffef5a02d30413c8dffc7c</Content> </IndicatorItem> <IndicatorItem id="23aa48b5-3860-4878-a577-e999f54db61b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">80856bd8ef7d5dbc3dc774f581855549</Content> </IndicatorItem> <IndicatorItem id="22b46407-6ff7-48e0-8fec-36198765d91c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f65eee78ac150924cd37c7f1f3c96518</Content> </IndicatorItem> <IndicatorItem id="0dcfeba9-56b4-42ac-bc6e-9afe16141c14" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">76ba06bac23a2c445cb982bf38b82199</Content> </IndicatorItem> <IndicatorItem id="b815e8d1-0ee2-4487-9c10-b5fd3790901c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0829207a8400e2814990f79fbdfe7f4d</Content> </IndicatorItem> <IndicatorItem id="4cc76b8d-04e8-4b1a-9e6e-ef766724ffab" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e22f2e9ee73ab8b12ee5069f7e39a615</Content> </IndicatorItem> <IndicatorItem id="b2e338dc-bbb1-44ed-9e59-2731e237986f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">7aef47f9fd84669976c4b152910a6328</Content> </IndicatorItem> <IndicatorItem id="1ef89454-374e-412c-b0a7-6a6fda1c28d1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7ab86c938b960dfc0c4ffbadd4163666</Content> </IndicatorItem> <IndicatorItem id="e5f8c37b-65b1-4de2-aeed-149c90738052" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2fccaa39533de02490b1c6395878dd79</Content> </IndicatorItem> <IndicatorItem id="6c17777c-cf7c-47da-ae7f-7a68a33a3b52" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b3bc979d8de3be09728c5de1a0297c4b</Content> </IndicatorItem> <IndicatorItem id="c39109a7-484f-4e82-9ee6-54407551d4dc" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">270d42f292105951ee81e4085ea45054</Content> </IndicatorItem> <IndicatorItem id="d29a1aa7-d719-4494-8ccf-fd52ae9a6bce" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bebbbc50a561681f48d174d6b7c2824e</Content> </IndicatorItem> <IndicatorItem id="67f0c320-9f3b-4db4-a480-97284a4f3697" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d52f35c4c9dbda4c94164291df8a2724</Content> </IndicatorItem> <IndicatorItem id="7d01965d-d4fa-41a6-a085-93c853927b70" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5c4806b5859b35a3df03763e9c7ecbf6</Content> </IndicatorItem> <IndicatorItem id="b6679020-8901-43e3-8178-444bc67df5c3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5e17055c51724b0b89ff036d02f5208a</Content> </IndicatorItem> <IndicatorItem id="adc011ca-4091-43a8-8f9d-f7de0a482878" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">ad3cccbe9ddff04b670d353b938f5da9</Content> </IndicatorItem> <IndicatorItem id="1864f777-bdb1-4fb8-bc4d-7c02e6b05c40" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">88b5f635ac9031bcdeda1f751952f966</Content> </IndicatorItem> <IndicatorItem id="bbfaa6be-5d52-4e50-921c-6cf6ba19feea" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5aeaa53340a281074fcb539967438e3f</Content> </IndicatorItem> <IndicatorItem id="7320ff60-0357-4ec4-8039-12a6c15ef11f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7bfeb0eaa1c51513e60bc0abafb1be9f</Content> </IndicatorItem> <IndicatorItem id="1237a856-97ed-4f3a-8247-66021139e0ce" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c044715c2626ab515f6c85a21c47c7dd</Content> </IndicatorItem> <IndicatorItem id="ac58fd01-8142-45a5-9e80-7193362ea4c0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">07c4032f24ae44614676fbdfe539afe0</Content> </IndicatorItem> <IndicatorItem id="6e58b715-3ccb-439c-b52d-3e05e9628add" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">341f5e7215826d07ada1ed2b96264c0d</Content> </IndicatorItem> <IndicatorItem id="01e68200-32c9-4ede-ab08-dadb78622d43" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7c82cd17b0fa420f09f97e060621ed7b</Content> </IndicatorItem> <IndicatorItem id="c6a2a34d-c377-432b-ba6a-17c24b8fba9e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">39e28f48c138dc156d1436fd02222e45</Content> </IndicatorItem> <IndicatorItem id="8f9353f9-5455-49a8-a2c8-ab82fb50e13a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">e65c0b3f4dd2f3c9f728077ed1e48f7e</Content> </IndicatorItem> <IndicatorItem id="b9f49549-e2d5-4a57-9cee-31dc460c6d61" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">91f538c08b9dee1bb0c6b6c82f727c5d</Content> </IndicatorItem> <IndicatorItem id="39bcba25-04ef-4085-8f25-7fa4fb851af4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9e511dc5ad8a884f4416e68c54f742e1</Content> </IndicatorItem> <IndicatorItem id="b5069f8e-f98f-4023-a8fd-c9f8e22ecce0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">55f60194833efcbc8ac16bd0a1cced1a</Content> </IndicatorItem> <IndicatorItem id="075f433d-0494-43ba-b728-988d8258f8c9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c763e041c8e85c195ade90e120338be7</Content> </IndicatorItem> <IndicatorItem id="6a2bd203-34ac-44b4-afd9-1a36b3ccecf6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6fdec862951e8b128cd7a07b2031eef6</Content> </IndicatorItem> <IndicatorItem id="a7bc9f0d-56cb-4563-bc1b-e140e602cf72" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">471005f73280264c48f769e1c21fbcc1</Content> </IndicatorItem> <IndicatorItem id="d99875e3-2e4f-4cd0-87a1-b9c01bffb319" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2fae9efa753d3d821e1efdbc1335b966</Content> </IndicatorItem> <IndicatorItem id="d6d97470-7ba3-45d1-a47d-cec22a5e7127" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">435991e0c67f0c0b4504355b6d4493f0</Content> </IndicatorItem> <IndicatorItem id="abba48fe-9d40-44b2-9c45-f104a23aad96" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">8913ac72cdb8afd98bd8446896e1595a</Content> </IndicatorItem> <IndicatorItem id="5c2d0406-23b4-4e7c-aac5-2005bbf24476" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7253de652a025b2b4fa7b02e97a1ee6b</Content> </IndicatorItem> <IndicatorItem id="0af3a04c-ec24-477d-a66c-bb4294c8c04c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9df30198f52b16925db1e3da61cfc754</Content> </IndicatorItem> <IndicatorItem id="c289bfec-8828-4e95-8ab8-76826afbd6a5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d776379bda9fdf695d6a54db8a5b4c72</Content> </IndicatorItem> <IndicatorItem id="86212698-a237-41d2-8f60-4c2dcf0b5504" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a70aaf335f7f1a04c7fe194602b11c14</Content> </IndicatorItem> <IndicatorItem id="fcdccb0a-c867-4f14-ba94-c1a2e21da423" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ba10b9486043f76bb9e9a160bc1d2576</Content> </IndicatorItem> <IndicatorItem id="3ceeb576-730b-46c7-978d-a14c53d8eecf" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">648ce1c45927b24563dd8361a1b74311</Content> </IndicatorItem> <IndicatorItem id="e38947bf-8ad0-46eb-902e-6bba805eb1c4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">177e0270f25a901c216ffb2e7a36e5b1</Content> </IndicatorItem> <IndicatorItem id="e1d4b562-5eed-4bbc-a46e-5f8601b707d5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3441cbdf8de9472c19b021b241429b22</Content> </IndicatorItem> <IndicatorItem id="aa61b320-9f15-44db-b258-50c70b1dc9be" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">3120fc8630c5252002f26f6e11b09eca</Content> </IndicatorItem> <IndicatorItem id="4b47e6a7-8ea3-4dd6-b2cb-ae81bc1b34be" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a6725f263daf3e94adc3668751b909d0</Content> </IndicatorItem> <IndicatorItem id="ff7ba23f-cbbd-4cb2-b38a-69d537149ede" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ce003a75c85627cbc7e6eb39beff0722</Content> </IndicatorItem> <IndicatorItem id="f256b4cc-da34-47fd-ac26-0a9ea37beeb8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cb15768a3e5c86d22289dcefec56d8a2</Content> </IndicatorItem> <IndicatorItem id="e3102e66-7434-42b0-a0c7-a885c0d0c776" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8bf9698c18b2aa23f71444af2571a6ad</Content> </IndicatorItem> <IndicatorItem id="59f243bc-817f-4d2b-9ca6-c3720e6cd19d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2acfc925e66e1b820a67c4d0f3e6ae8c</Content> </IndicatorItem> <IndicatorItem id="60ebd784-a5d9-4a07-99ca-8c6cfa5cae49" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0c28ad34f90950bc784339ec9f50d288</Content> </IndicatorItem> <IndicatorItem id="d845fd40-b501-4abd-bd5f-8f5489b967fb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">56dff5cdfee293100b59096326fb0daf</Content> </IndicatorItem> <IndicatorItem id="6d5a329b-8eb4-4f9d-9a50-3c9daaa1f6dc" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4ad4258b73430fc3e843a2e59d8ee70a</Content> </IndicatorItem> <IndicatorItem id="57874f70-3316-4391-a138-6670cd7199ff" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">51ce169debea41314f591290839fd55f</Content> </IndicatorItem> <IndicatorItem id="6c938702-2897-471a-8dcf-bbcba461ddf5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">62c72767508e461cfe94b0c706e6d446</Content> </IndicatorItem> <IndicatorItem id="0873a202-81e5-4558-98fb-2135116c11de" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">88dbcc682635b4013bcba5ad28bb976b</Content> </IndicatorItem> <IndicatorItem id="b9e94bd8-3f1b-4fb5-a872-b0b941450091" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">876ee736ebad6917a259456fc3a2f11b</Content> </IndicatorItem> <IndicatorItem id="ae13ea96-242a-4257-8b2b-29246951cbeb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">24fefb8b9338e2300308260be19bbaab</Content> </IndicatorItem> <IndicatorItem id="e53f6059-c079-4fb2-a032-aab87404f472" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">769aeae232c6162cedcb6c7255640c4c</Content> </IndicatorItem> <IndicatorItem id="21f21534-d37e-4309-a349-500e5e3b3e76" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">68af7be698e8a7408451c158c04a9712</Content> </IndicatorItem> <IndicatorItem id="013bfa26-7131-483c-a482-bd7ba4c3f2b2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bcdf8cb0868daaec3ba6176e3e7d3cfc</Content> </IndicatorItem> <IndicatorItem id="e3453288-e183-4442-a1ea-9c9fbda12df0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5ba1ed651231be5e7eb9d7b92fe96d64</Content> </IndicatorItem> <IndicatorItem id="79c61b66-082d-4d30-bafd-3f158fd79bc1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">8462a62f13f92c34e4b89a7d13a185ad</Content> </IndicatorItem> <IndicatorItem id="8b27ec1c-e84a-4154-9e8c-83db21293eff" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">580a4c05982accc678a72c366b45815d</Content> </IndicatorItem> <IndicatorItem id="482d80c8-9f63-41c6-a77e-58022b4d72ce" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9a66fa24268d158341d497feecbed889</Content> </IndicatorItem> <IndicatorItem id="c9f2c97a-d563-46fb-936e-3c7a60afa8c6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e43040ede0645a38ea5a35c26192126f</Content> </IndicatorItem> <IndicatorItem id="c44845ef-f727-4e3d-8c4c-0912bc197dc8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">db05df0498b59b42a8e493cf3c10c578</Content> </IndicatorItem> <IndicatorItem id="09c111ba-6d61-478c-bcc1-35895d0f8f55" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">898a8a43c8708961094944fb42c278ab</Content> </IndicatorItem> <IndicatorItem id="bf6662c5-dd5b-4fb0-acfc-b802a2625843" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f1db65d3c48ad5a9d1576aefdca036d1</Content> </IndicatorItem> <IndicatorItem id="c9c1844f-52a9-4c31-b146-36a412efa812" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cc3a9a7b026bfe0e55ff219fd6aa7d94</Content> </IndicatorItem> <IndicatorItem id="9ca96c25-f428-4e0b-821a-b79f96cfef31" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">649d54bc9eef5a60a4b9d8b889fee139</Content> </IndicatorItem> <IndicatorItem id="6c126c3b-10de-41e8-8771-e19dd5e08216" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">3e69945e5865ccc861f69b24bc1166b6</Content> </IndicatorItem> <IndicatorItem id="9a35ae88-657f-4d17-a3b4-24ab2c431b9f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3e3e6fe1a8c6ffc00a9c644997a4f7a1</Content> </IndicatorItem> <IndicatorItem id="d5b8426d-d3dc-4472-af8b-5de756754fb9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">51326bf40da5a5357a143dd9a6e6a11c</Content> </IndicatorItem> <IndicatorItem id="9453a5ae-4a32-49a2-a126-f02a2f199d86" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bd8b082b7711bc980252f988bb0ca936</Content> </IndicatorItem> <IndicatorItem id="a46890cd-0547-4896-91f2-9be7c932c03e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">73a63c21a08b0ad2c69999e448f8e6a1</Content> </IndicatorItem> <IndicatorItem id="b1cc9530-8f56-45bb-b946-33996df735e0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9d1d58e370bea4b5e79a1f914516cbc0</Content> </IndicatorItem> <IndicatorItem id="e70825c8-f40f-4074-8eab-706528fb57a4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7d3140bd028f70f1fa865364b69c5999</Content> </IndicatorItem> <IndicatorItem id="8cca6a84-4be2-4990-ae4b-3d8c799712b1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1ede2c69d50e0efbe23f758d902216e0</Content> </IndicatorItem> <IndicatorItem id="dd1e0af7-97b2-48ec-b096-1da579987940" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">98cf219830733fb98fd2a957b7c4b163</Content> </IndicatorItem> <IndicatorItem id="66fc18f1-5bb3-4b0b-8e16-0d6634567a91" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">d60ee4a39667a733c075bb7f7b36285a</Content> </IndicatorItem> <IndicatorItem id="a11449dd-8dea-4997-88a5-57a7815eaec1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">277f95bff2e0fe317f86b5010bd83a18</Content> </IndicatorItem> <IndicatorItem id="ad056220-959c-43a3-9e13-e0069d60e741" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">dba356a4726b94731e6ea97aa73cfc3f</Content> </IndicatorItem> <IndicatorItem id="f92259e5-740f-4ba5-9f34-a2bfbc25b38a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6fbf667e82c1477c4ce635b57b83bfa0</Content> </IndicatorItem> <IndicatorItem id="deb9172e-0195-4900-a952-251a5982fe10" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0141955eb5b90ce25b506757ce151275</Content> </IndicatorItem> <IndicatorItem id="60d71b38-1bb4-40e8-8a09-7a3325e5f6d3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">67f62f5accfeacf5e828c3b3905248fe</Content> </IndicatorItem> <IndicatorItem id="543b862d-20a0-4ddd-bf50-730d14794a17" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1fad25d4fef631f8ec3115e0944e4621</Content> </IndicatorItem> <IndicatorItem id="3a9e4b9f-ac93-4bf2-ba34-86c09270c779" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3c4066b252722c873348d43b4c3ec0e5</Content> </IndicatorItem> <IndicatorItem id="dfd4c462-94cc-457d-b93d-51284a42f00f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e0fc0fae758d7c6091cdb11d5ef98e0e</Content> </IndicatorItem> <IndicatorItem id="547535a3-8d8e-4a5a-826c-978f86c38abc" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">4111fbc14558385c10091543c439264a</Content> </IndicatorItem> <IndicatorItem id="7a6e0eae-26e3-49fd-8612-208bf903c3f1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">98409dbf432419024dbf028c004344c1</Content> </IndicatorItem> <IndicatorItem id="c39ab5e4-4523-4190-8b6f-61644a226259" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">56892b0befe8b7a188fdb7e72a07e60f</Content> </IndicatorItem> <IndicatorItem id="54c1ce11-02ee-40ca-8c76-5f1e06a97ec5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7e8d1f26679a88268e273ab498e597f4</Content> </IndicatorItem> <IndicatorItem id="7acdc274-2791-435b-b0c3-e969c6afadbd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d9c4ebd61c1aee52b3597aae048a592f</Content> </IndicatorItem> <IndicatorItem id="f0509b94-ea0a-42c2-9a43-f02a27d87364" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a8b183fe32ad8d426e20227f3c8b7592</Content> </IndicatorItem> <IndicatorItem id="1a30f225-911a-4acf-ac17-57a8182f53a4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5cd7526fc7d849cbbf8c9d1ffe97a991</Content> </IndicatorItem> <IndicatorItem id="b4e62d91-92e2-4f51-a8ce-57e666f88222" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e6ff0431a9a9028808efc582405ea7df</Content> </IndicatorItem> <IndicatorItem id="90797ae1-4b08-46ae-b910-69fb9d68387d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">255cd53f9bdb6f3755e621885cb34382</Content> </IndicatorItem> <IndicatorItem id="d7e82ff8-5c31-4e30-b498-0743e5c3bf57" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">b63452ecd2da62f30923a124bcd41b45</Content> </IndicatorItem> <IndicatorItem id="eb2159d6-c97a-48c5-a72b-5c722dfceba6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7a2692cafec377c444bc3147fc43e57f</Content> </IndicatorItem> <IndicatorItem id="c3d02108-1bd0-4004-a837-26cdb2613514" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1f9b32bac55ba4c015181ebf55767752</Content> </IndicatorItem> <IndicatorItem id="0c74c9f2-f4e8-40ef-b3ed-ba334f8d90f5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">71536d2e95420c55412c12dffea1a0a6</Content> </IndicatorItem> <IndicatorItem id="3b975e54-055e-4898-bab4-924386d95602" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7acb0d1df51706536f33bbdb990041d3</Content> </IndicatorItem> <IndicatorItem id="726d364f-c99b-4b39-99fc-93bf0bfadfaa" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2e8484f59899046452392c236460ebb6</Content> </IndicatorItem> <IndicatorItem id="8de3ccee-3f41-4792-9fda-4dfe3e8b60b9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6040dd5b603483f738be6a02a63538f2</Content> </IndicatorItem> <IndicatorItem id="6c66736d-98dd-4a9e-9161-0ef06daa1418" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3ea7bf3b469499f0f6d4a78af865138f</Content> </IndicatorItem> <IndicatorItem id="7e966924-f0e0-492c-aa2e-a3df31a0f6c8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e7f728e3bce0e59c3ba973545a3b3a92</Content> </IndicatorItem> <IndicatorItem id="eb591111-aba4-4daa-941f-d58d55c9d05a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">d197c388184fef263b7944a7186bc6db</Content> </IndicatorItem> <IndicatorItem id="1e45003a-afa4-445d-87e8-9cf9c4d797b7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5cf0959687427850a92d7f69edd41b86</Content> </IndicatorItem> <IndicatorItem id="a78f87f8-e80d-488f-92e4-61345d003058" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a517ca12e2648b0590a5af565f8346b3</Content> </IndicatorItem> <IndicatorItem id="61322e9d-1845-49dd-8011-36b73a6cc97b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2d57aa4e7f2f4088f1b96313b24c7602</Content> </IndicatorItem> <IndicatorItem id="ac0668a3-2f35-4119-abe1-eb8cbbfe3b44" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8d81eeaeb0bd74a1faab257079452078</Content> </IndicatorItem> <IndicatorItem id="a8cbfc21-a3eb-4bde-a685-a0f1e5ea2a5e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ea502cd3504e74bac454835bd23e019b</Content> </IndicatorItem> <IndicatorItem id="b003b81f-58fa-4d3a-a149-f20a987dbf81" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9f3fbec4341f246aa6131ab01d6e4234</Content> </IndicatorItem> <IndicatorItem id="bb1b6053-253e-47f2-af14-bbb5584acee0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d3358ed4001ec0366fa23fe82759df2a</Content> </IndicatorItem> <IndicatorItem id="67831879-a87e-4ed3-b410-af2d3190aad8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">620c6a6cff832e35090487680123f52b</Content> </IndicatorItem> <IndicatorItem id="969f2799-1c38-4a57-b00f-30680ad1474d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">5790c7c09735cf1ccf10625c7cd87f5e</Content> </IndicatorItem> <IndicatorItem id="b3c89c5b-0588-41a4-9e99-0d223bbe0043" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cb3c5c3f53ecb2cb656fb0f4b8de03f6</Content> </IndicatorItem> <IndicatorItem id="eae43782-fdbd-4af9-9483-1cef334fc95f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d262cb8267beb0e218f6d11d6af9052e</Content> </IndicatorItem> <IndicatorItem id="9e89610f-6237-42cd-8d4a-ec3239eed773" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">dcb90efe7e09d6900242af25aeca7b73</Content> </IndicatorItem> <IndicatorItem id="fdf1edff-ce6f-4481-87d9-a7856db3edf4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">855ca1b45a247754ad91d50827a2e16c</Content> </IndicatorItem> <IndicatorItem id="4254f78c-b1a6-4259-9375-0a08b3f6f0d9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">46c36c11238100e155f6d418332869ea</Content> </IndicatorItem> <IndicatorItem id="ae01e667-05df-46d9-9e88-28be9e6f8987" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ea47431d832faff7802710dae0abb0d3</Content> </IndicatorItem> <IndicatorItem id="b063a250-8baf-4a76-ae59-be117722fe44" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c0134285a276ab933e2a2b9b33b103cd</Content> </IndicatorItem> <IndicatorItem id="2ee42f88-4abc-4e9b-be34-8a6a12118312" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5d8129be965fab8115eca34fc84bd7f0</Content> </IndicatorItem> <IndicatorItem id="ce82121f-ed9a-4547-a1cd-58dc5aab5d7e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">bac2e89bd92ce23e1e93a63d26dea01a</Content> </IndicatorItem> <IndicatorItem id="bd7de4ce-a919-4346-9fcd-3913b2a6c704" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ebf8eebe3aa218dea5e3f0b2222267b0</Content> </IndicatorItem> <IndicatorItem id="2a434183-70dd-45ab-b559-94bbd86da2a1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8c9871a9eb88ffc43507f988b222dc52</Content> </IndicatorItem> <IndicatorItem id="fd0e3b02-30f2-4009-a904-2778f8d4d2d9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f1eea61e49a3f86e95836d1c9f67e074</Content> </IndicatorItem> <IndicatorItem id="1037388b-59f1-4e4d-88de-a48cfde1f528" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e1b6940985a23e5639450f8391820655</Content> </IndicatorItem> <IndicatorItem id="58794dea-47d1-42ce-a362-54886bd93a06" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a1cb8a9f2b8926afeb254a64f1d78ee3</Content> </IndicatorItem> <IndicatorItem id="6b2bd2c6-fe89-41c8-ada0-fe460773cfc8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c4c638750526e28f68d6d71fd1266bdf</Content> </IndicatorItem> <IndicatorItem id="8afd245b-da29-4682-bce9-6e559f10398e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">28dbd86bd86eb9153ecb20d883c41ae0</Content> </IndicatorItem> <IndicatorItem id="8860ddfb-79c0-443a-a7d6-bb1dde02d8d3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bf0d5aff9c1f33e089c9c85f03c6ba8a</Content> </IndicatorItem> <IndicatorItem id="a30e7405-19ee-4e22-915c-cd086583820b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">57326cd78a56d26e349bbd4bcc5b9fa2</Content> </IndicatorItem> <IndicatorItem id="39570278-1742-49e8-8621-08c160bd6190" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a8f259bb36e00d124963cfa9b86f502e</Content> </IndicatorItem> <IndicatorItem id="e6f22710-6cad-4a43-a4b1-43e5c1e9e4f7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bca9bd0abbb31a422458abf521a6a2fb</Content> </IndicatorItem> <IndicatorItem id="24481fe5-4bd0-4a6b-8ed9-af76d7f951c2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">150c95865766c2dd0562e7bedb6db104</Content> </IndicatorItem> <IndicatorItem id="7f7ae7ac-2648-407f-9a35-ab01e0c60f28" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d4c1bfc5cd3e33643a562696d5d29bf2</Content> </IndicatorItem> <IndicatorItem id="171f1310-70e2-4a89-abb7-97b9ebffbaf1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3fb8f4cdcb4d1d48be2e473fd8727239</Content> </IndicatorItem> <IndicatorItem id="51717d97-5ea0-4b1c-a587-3b79b830a4ab" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">33de5067a433a6ec5c328067dc18ec37</Content> </IndicatorItem> <IndicatorItem id="a277c190-aa06-43b5-9d91-bec23be44b0a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bcb087f69792b69494a3edad51a842bb</Content> </IndicatorItem> <IndicatorItem id="006bfdc9-b5ec-41fe-8f56-b9da46952db6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4a2320b41a5216c741bf63fce562961a</Content> </IndicatorItem> <IndicatorItem id="5dbd6994-6619-4b36-8834-6ab44b492e9a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">59620925bf1c4f760c4bf225c7efd6c0</Content> </IndicatorItem> <IndicatorItem id="01eea5a1-0159-4488-b4a0-9f831145674b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">438983192903f3fecf77500a39459ee6</Content> </IndicatorItem> <IndicatorItem id="ae3cf14e-3fdf-4f13-a659-c07ad3e592cf" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b2599b3078c28a278a3e7cd8b46304da</Content> </IndicatorItem> <IndicatorItem id="c1d91812-c5e5-4ec3-9489-6ebef62dab2e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">543c283d691939d99667e22bcb7be610</Content> </IndicatorItem> <IndicatorItem id="fa7e328c-ebb8-4681-9c53-2fb0e20321de" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c0a494e643c42a89d5bf718ea274df04</Content> </IndicatorItem> <IndicatorItem id="3b5fe187-58a5-4897-a335-37f1193ccb8a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">77afced93e20b1bb906796197fa1dd1d</Content> </IndicatorItem> <IndicatorItem id="7359cdd0-ab54-46b5-8907-7ca8cd972127" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">da6b0ee7ec735029d1ff4fa863a71de8</Content> </IndicatorItem> <IndicatorItem id="931a94fe-1d78-4a8d-a8cb-4d2c5f869067" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c65617a4eedb8e0369ef8fe58ce20a02</Content> </IndicatorItem> <IndicatorItem id="5f304b83-aa6e-492b-bc4a-f61fe8dce5b9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bdd2ad4c0e1e5667d117810ae9e36c4b</Content> </IndicatorItem> <IndicatorItem id="1ba67c3d-c6ef-46ec-b38e-17b031680d47" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">b9b3673a721578b230490f7dfc6df21e</Content> </IndicatorItem> <IndicatorItem id="d287fcd5-2554-48dc-ba28-e5a5ce9944bd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7ce16b35201d8d35965ec7aeebdc80ff</Content> </IndicatorItem> <IndicatorItem id="49392184-f0bc-46eb-a73d-242f1eb2a7b1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">36a7c3a6460c98e161e1005c925da0b2</Content> </IndicatorItem> <IndicatorItem id="d4805982-be75-4135-8745-0a8ff3f3b6fd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2ef062fa86537db34f5907a9775664a1</Content> </IndicatorItem> <IndicatorItem id="8a2e9a48-b639-46f9-95a0-f9555491d464" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ef8e0fb20e7228c7492ccdc59d87c690</Content> </IndicatorItem> <IndicatorItem id="cc7d886a-6029-4024-a9c0-34f4e628e6af" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">15d1330be5e27f6f51d011b0575ffa05</Content> </IndicatorItem> <IndicatorItem id="df53106c-1345-4621-91bf-561c1ba9a1d1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">52509abd1cc7b7fb391b19929e0d99c0</Content> </IndicatorItem> <IndicatorItem id="2ec036c0-6d37-4da0-81d1-afa391b08e29" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fc89424a2d33ea5af3f49b02e743773b</Content> </IndicatorItem> <IndicatorItem id="78457191-42df-4f1f-9aa5-86e8dec6c27e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3b0829e2e966dae17d4c235893a3ae8a</Content> </IndicatorItem> <IndicatorItem id="ef2d888e-970a-4e01-9471-be05f7c65629" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">37e7dc80c1eb618b3cd1b442858afa60</Content> </IndicatorItem> <IndicatorItem id="0d9c5aa6-7fc4-4557-864d-a45e13ac7d9e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b631a3d832f7c22c26554711188f59c3</Content> </IndicatorItem> <IndicatorItem id="6a1f12ac-e74a-4c2b-b7f0-dab357718c4a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3c1b2fabb7d74bc5be0820eae4107f8a</Content> </IndicatorItem> <IndicatorItem id="0f231d6b-482d-4ec8-abac-11560a6bd0ec" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fc50743af221ccbff7b7c7ec378117f4</Content> </IndicatorItem> <IndicatorItem id="5804edfb-9cff-4f6b-8fb8-958e93e51075" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c6a29993234488fcbdcf45668eac9c47</Content> </IndicatorItem> <IndicatorItem id="91aa6ab0-4665-4079-991d-8752ee107e2a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a6a583aeaf4952787e15f30d289ca138</Content> </IndicatorItem> <IndicatorItem id="ed289b6f-5ff7-4f8a-bfcf-314c6d622e9f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a38a367d6696ba90b2e778a5a4bf98fd</Content> </IndicatorItem> <IndicatorItem id="c438a0fc-bcf9-4ec2-984d-ef45da0754bd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c4188c3bb6982d41aa783c499113a8e3</Content> </IndicatorItem> <IndicatorItem id="f1782637-48a1-45b7-b8ee-6e4b18a16d9e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3122fbb558e1a5f32c90eba31f674add</Content> </IndicatorItem> <IndicatorItem id="4afe37a4-f505-4ccb-8c93-ec6b267493c1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">335df3ffb8cee61c20ab91a401204df4</Content> </IndicatorItem> <IndicatorItem id="8c062a7f-7bc9-4b73-96f2-3bcb99d7e887" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a2534e9b7e4146368ea3245381830eb0</Content> </IndicatorItem> <IndicatorItem id="bc69c00c-3fca-4dc0-9b9e-c4346a190869" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cfe738fcc07b9ece6a11c3390d43b5df</Content> </IndicatorItem> <IndicatorItem id="a4506c4a-d5f1-4ba9-b4e7-1d6a1bc07ef8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8a86df3d382bfd1e4c4165f4cacfdff8</Content> </IndicatorItem> <IndicatorItem id="075e4622-1bd9-41ec-8311-c7b53e3fa0cb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2f930d92dc5ebc9d53ad2a2b451ebf65</Content> </IndicatorItem> <IndicatorItem id="509b8871-ae2f-4272-b53b-b15ef75ccc69" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b305b543da332a2fcf6e1ce55ed2ea79</Content> </IndicatorItem> <IndicatorItem id="fd65f08c-427d-47de-9de5-7a3b95a03cef" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5bd5a22d42c04db7ac1343a2a9f471fe</Content> </IndicatorItem> <IndicatorItem id="585179e6-9df5-4056-a530-d0b61828be5c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1ba6fee7d4e73752b39a09b1396b69f0</Content> </IndicatorItem> <IndicatorItem id="e8473edc-4f1b-4595-bfe6-36baa5f384e7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2bdc196cdac4478ae325c94bab433732</Content> </IndicatorItem> <IndicatorItem id="1eccf7a7-5f43-43c6-a044-7a2081956cba" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">dc1cff84900afc9d292b305f9b9aae34</Content> </IndicatorItem> <IndicatorItem id="ae9ca65d-c110-4faf-9838-e4459267bd6d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c3dbd79adfa21706f5451cc68331d31e</Content> </IndicatorItem> <IndicatorItem id="f05bd155-ab39-4426-801f-292b8846537f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2a84b88c4a2ce0fb6227f7990f465737</Content> </IndicatorItem> <IndicatorItem id="e19d5499-b305-443f-8d78-48ea3a94e2be" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">37cf3f25895c27ca5e647bbfdc1d5b2d</Content> </IndicatorItem> <IndicatorItem id="192897db-af6b-457b-8ee6-6623e1d67c04" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4f65bc571cdd9c9cd11e771e1db35a4c</Content> </IndicatorItem> <IndicatorItem id="32d59174-8af2-47d0-ad8c-e70b2e0fe98f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">36cd49ad631e99125a3bb2786e405cea</Content> </IndicatorItem> <IndicatorItem id="2b40d825-a824-4c10-be36-79a78aa565ae" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">49bacedcd18f6d8929d43a10dae8645f</Content> </IndicatorItem> <IndicatorItem id="93cabc49-f7ec-49df-a76b-ffa513e60f11" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fefa3638e4d6f2e00b5194ae3fa0c931</Content> </IndicatorItem> <IndicatorItem id="9604e409-31d1-415a-9de8-28ae43b742a6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">df4da15796910690b05e393561b86fa1</Content> </IndicatorItem> <IndicatorItem id="8847fb0b-9aba-4566-98b5-ecd0ddac90b2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">cca290cd2abe96392378b71e9835ce06</Content> </IndicatorItem> <IndicatorItem id="fbca176e-559e-4f3c-aff4-d0ca1f86fc84" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">97c83d85bd76a38b13cea960a1a97f70</Content> </IndicatorItem> <IndicatorItem id="40e1893f-d2c4-48be-b82e-86a639cd118b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f6655e39465c2ff5b016980d918ea028</Content> </IndicatorItem> <IndicatorItem id="4a4ef845-eb78-40b2-ba62-085dd7aa2ba7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8dc3561ca52bfe40089f3ee0af7fdd9d</Content> </IndicatorItem> <IndicatorItem id="ea804d1c-bea8-4cd0-bf18-21803cdc3bea" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">73d125f84503bd87f8142cf2ba8ab05e</Content> </IndicatorItem> <IndicatorItem id="aa1efaca-16e9-4e11-ac3b-7a76485428e6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">251c817f4144264c3e7a9dac03071daf</Content> </IndicatorItem> <IndicatorItem id="4309d7f0-d428-40bf-9ccc-f57bd5ec5c15" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">34ca3fbcaac48498aeff6035b172bf69</Content> </IndicatorItem> <IndicatorItem id="c13a3970-9d13-4076-8051-3c95bc6d4654" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a44312eb63de002383a57b5a93271cdc</Content> </IndicatorItem> <IndicatorItem id="927e6047-70dc-4555-95a8-6bf87d180699" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">24f1b8266f4faf550999581bf0edac83</Content> </IndicatorItem> <IndicatorItem id="5cb7cf7a-6525-4527-98bd-c23d406e8344" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">2bd02b41817d227058522cca40acd390</Content> </IndicatorItem> <IndicatorItem id="ad2d7118-d7b6-43ab-87f5-e4e5da4998f2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4ab62c8e525bee410cd4b6cfeea7d221</Content> </IndicatorItem> <IndicatorItem id="316de897-a537-40a5-92d6-c8d39d01e369" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d9b1c95fb4424cf69a0ac8e40b3ab39b</Content> </IndicatorItem> <IndicatorItem id="00954932-3781-4dde-8b56-49b07c138769" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">40831b3799c94b609a91d517d14bea21</Content> </IndicatorItem> <IndicatorItem id="a0fb19d9-ae52-497b-a458-6b813ef0e61c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">37eee514b04167f8e17e2caa3bfd3049</Content> </IndicatorItem> <IndicatorItem id="84fd5ae0-8950-49d6-9146-0084dcb325b3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ef29229f7b633f634db3a5c49a3f4a1c</Content> </IndicatorItem> <IndicatorItem id="0f9d600b-a0fb-4365-85e9-cde0ff7a8764" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a354e3c566645100e757f3e43c9b007d</Content> </IndicatorItem> <IndicatorItem id="f3829e1c-ecec-4417-8d7f-ca2ee9e2340c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6f6abd53e10567d1534514fc36fca2e9</Content> </IndicatorItem> <IndicatorItem id="d4c4f19d-f4cf-42f5-b992-afcf265abead" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">de016572ade175d37cfbfabe8174391a</Content> </IndicatorItem> <IndicatorItem id="96156a9a-30f4-4c37-801f-0eeab2b36a1b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">82b065518f085c6ceb0a9135ab51df41</Content> </IndicatorItem> <IndicatorItem id="ecc8b9aa-f0d4-4c20-93b5-b187027bea87" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ca9c1f8d709ed34d388dc7cba2bd7602</Content> </IndicatorItem> <IndicatorItem id="6118837d-342e-4e35-b33d-659cf490bf21" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5613e6d7111b327307c02bec1701ac3f</Content> </IndicatorItem> <IndicatorItem id="480c1386-9e4c-46aa-9f1e-a085471ce68f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">dd1222f96024ac28179c7508e4193285</Content> </IndicatorItem> <IndicatorItem id="e715daf3-6105-4523-9482-c1a8c5e0f3ef" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f1e5d9bf7705b4dc5be0b8a90b73a863</Content> </IndicatorItem> <IndicatorItem id="f5bf8270-d823-4b2c-a4cb-3db5bbc86e60" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">75f37a69664362462ad491741a34f195</Content> </IndicatorItem> <IndicatorItem id="63198f99-b40b-4b0a-a081-74bdb013b900" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">575836ebb1b8849f04e994e9160370e4</Content> </IndicatorItem> <IndicatorItem id="1565b3aa-e4bc-413f-a6fd-124549f717de" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">efc2025431e7ec8f8784fe81389c77cf</Content> </IndicatorItem> <IndicatorItem id="fd10f311-93b1-458c-8dab-c87fe3459604" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">165ef79e7caa806f13f82cc2bbf3dedd</Content> </IndicatorItem> <IndicatorItem id="607c5240-a2f0-47cb-bbf6-41d7645d5a08" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">1486f48948db4f9afaebd69c7c52f899</Content> </IndicatorItem> <IndicatorItem id="0b4afa3d-b0d7-4048-a2fd-cfff23620215" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6c65c697bcff935484a5cd2e7dd2e7d2</Content> </IndicatorItem> <IndicatorItem id="79394e6b-e5a9-4781-9564-ac02885bdac4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2a4604fcae876dee445de5ad74fd7835</Content> </IndicatorItem> <IndicatorItem id="9c903320-a055-42e2-87f2-5d9bed5e7c88" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">656baf38fa5ee776e2576cead664d004</Content> </IndicatorItem> <IndicatorItem id="2094bbd3-ad99-43ce-bf7c-889c2a8c2418" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ea8b6c2c083d6b7b2b6ebc015b0488ca</Content> </IndicatorItem> <IndicatorItem id="fa65ea27-a51c-48b3-8443-adf11911b9e5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">98d257a13d176940910d6441a854d7a4</Content> </IndicatorItem> <IndicatorItem id="4472c6c0-67a5-4ec3-8b92-32b3a5feb2ba" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">58b020fd3bc0d34e8c4eaf0a3f3135af</Content> </IndicatorItem> <IndicatorItem id="b0da821a-5158-4932-9d17-6b9a2741ea42" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ba56035e10b423734e0ce01bb7bb8b6d</Content> </IndicatorItem> <IndicatorItem id="09c12648-0ba6-457f-906c-50c06c8ccc2f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">23059de2797774bbdd9b21f979aaec51</Content> </IndicatorItem> <IndicatorItem id="b5b1888f-0a8f-465e-b4c7-584ae6abd91e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">ecf900c9d743631b59442240ac4ce9da</Content> </IndicatorItem> <IndicatorItem id="4a69f184-ffc1-4954-9088-c65885210f12" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4192479b055b2b21cb7e6c803b765d34</Content> </IndicatorItem> <IndicatorItem id="3cb5b75d-fef6-4f87-b54a-6211681e6a17" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5a3abb8053c271c58e879b3b9cf8c8f5</Content> </IndicatorItem> <IndicatorItem id="ceb77e2b-3bbc-4df9-80a2-0af64730db50" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">37ddd3d72ead03c7518f5d47650c8572</Content> </IndicatorItem> <IndicatorItem id="6905fe9f-e540-4163-8949-c93766ab7fa1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a510d0c9b7930abaa7aa6b0ac294e675</Content> </IndicatorItem> <IndicatorItem id="439bc68a-8b73-4144-a278-6394ae2cd3ec" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0115338e11f85d7a2226933712acaae8</Content> </IndicatorItem> <IndicatorItem id="64ced20c-d90a-4cf7-b56b-22f9cee399b1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">62ea10608f0d54cd284e8d7be32f206e</Content> </IndicatorItem> <IndicatorItem id="a5bd1885-c9e3-485e-97ff-8bad5ac2a019" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c799e1d25839e1efb2b3d42d6d6efd26</Content> </IndicatorItem> <IndicatorItem id="e0d96356-a782-4a50-b27f-885aef4dc2cb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">be74bf5afd4ba64cc8ce237307e9254d</Content> </IndicatorItem> <IndicatorItem id="e478b685-9cd4-4c72-810d-6c5083baaf1e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">3abe9c84fc13d0a82c1c3e0dced5825d</Content> </IndicatorItem> <IndicatorItem id="ba448443-530d-43e5-bddc-22b67729b558" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f07ac0b4301fccbae233a44e07a2a634</Content> </IndicatorItem> <IndicatorItem id="7bd52e8a-4fba-440b-a37a-966154ea923c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c425b8782075da33cba5aae5ad612582</Content> </IndicatorItem> <IndicatorItem id="68818743-99a5-4a86-9169-0203287e95cd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f67357d9fa1c3014050f2feefd39c784</Content> </IndicatorItem> <IndicatorItem id="3073f4f3-afc7-44ec-9db4-c3f01d8f2d7b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c2e06531a2e6de3c1b7d18b14af53fdf</Content> </IndicatorItem> <IndicatorItem id="bfb57e09-9afc-41d2-9220-9b5929713be7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4cd3bed14aaffcf61f4d2948484c4c90</Content> </IndicatorItem> <IndicatorItem id="6f828f74-3e9a-482f-9793-c63022c5767f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">50361f8793258b6e883b31269e053ed2</Content> </IndicatorItem> <IndicatorItem id="90fe8a13-a795-496e-9f8b-eb1bb8700b2c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7d25a80fe2c42368adaea5fcbab866b6</Content> </IndicatorItem> <IndicatorItem id="400a5360-8a95-46dc-8ee6-6fe7adb660e9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d263fed2e1c18f2cb439afcef0cd1b45</Content> </IndicatorItem> <IndicatorItem id="bc4dfd12-d672-4fab-9132-b55a3c6d4ac5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">b74022a7b9b63fdc541ae0848b28a962</Content> </IndicatorItem> <IndicatorItem id="a1c9a5b8-5ed1-4b09-833a-11374857a2b6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">62d60a1cd1e7ba73aebc98812e5ac266</Content> </IndicatorItem> <IndicatorItem id="e6366973-065a-4b16-96c3-65fe63516c92" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">86b68ad2e9c33eadf134285ea142ccc2</Content> </IndicatorItem> <IndicatorItem id="df9e93cf-78a2-4237-97fb-d0059f7e67d0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ad7bdadde9a4da73ffc776c606dbb75e</Content> </IndicatorItem> <IndicatorItem id="6bc4d8fc-f0b6-450e-8c02-3303a2651d05" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f81991fab3b7d58d66629e26d21176ed</Content> </IndicatorItem> <IndicatorItem id="5c6db611-de7f-4071-93a2-d595d3c76007" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8cb321a7871706fb6246489cb7c4da03</Content> </IndicatorItem> <IndicatorItem id="5448f210-c950-4dfe-8e78-ac71cd039027" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5e686bd284022e35559a9c6118df8f1e</Content> </IndicatorItem> <IndicatorItem id="6f7a2020-2697-40d9-b21e-cc3fef4aa00c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">46acae84a04e41730d0502d9080bbb4a</Content> </IndicatorItem> <IndicatorItem id="26fd253a-1ad5-4d8b-a82f-2b216f57ff69" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">874bb818208655b59a8c4c1ae2aef379</Content> </IndicatorItem> <IndicatorItem id="bb8b77e4-6f6a-4a65-8b00-dff78daae9c8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">328c3ebb2fd2e170483e8d51ccc6c505</Content> </IndicatorItem> <IndicatorItem id="7e8b335f-0b64-47ba-88d8-ea1dce36434b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">dffd04ea26c03d3f6c67e10405abc5ad</Content> </IndicatorItem> <IndicatorItem id="6d795759-4f91-481e-b703-916562a66e38" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">201fb83679a1fe05007fc6b8d6d96680</Content> </IndicatorItem> <IndicatorItem id="e3781e40-e361-4242-9103-6041cd237b74" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">eca18e3872fd32f17410167871fbd1d2</Content> </IndicatorItem> <IndicatorItem id="5a539f71-bae5-431f-b1d2-257d6e336a73" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ecf18654e4a2668fb8b2e3db144809af</Content> </IndicatorItem> <IndicatorItem id="2e1db2cb-cd4e-449d-a781-b64099ddc80f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6767eeb485232436de9553988765fb89</Content> </IndicatorItem> <IndicatorItem id="98b7cc6e-a2b9-45ac-b649-fb727f776d4e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8845cb5b4e450cb10a3b6ca41a9b4319</Content> </IndicatorItem> <IndicatorItem id="64704b56-5cbe-460d-b1c7-cfd5a563c7be" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">523f56515221161579ee6090c962e5b1</Content> </IndicatorItem> <IndicatorItem id="059c4f3a-8904-4098-8e80-53498e22d5db" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0dd3677594632ce270bcf8af94819caf</Content> </IndicatorItem> <IndicatorItem id="d86bf4e1-7aa8-40c4-a3e0-9dabb7d11499" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">e6c25f9994b723d39c785ddfd38a31b8</Content> </IndicatorItem> <IndicatorItem id="9815b953-8d3a-467f-a6c7-a9ae09a2a854" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">db5805604f84b7303fa04feb18ce8271</Content> </IndicatorItem> <IndicatorItem id="f7af9381-5d0a-4016-ac9c-cfb0202fead9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">32c32e936cffa8ab370c7f3f2dd43d65</Content> </IndicatorItem> <IndicatorItem id="504afe0f-f5ce-4fa5-a455-8f606460d146" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">91dc97c4b66e3282e1aa831e0bb0bb14</Content> </IndicatorItem> <IndicatorItem id="ee9a4b38-02f8-4d6b-829e-0f4847cb1bc1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9a58cc73e103fd5a14ef3564e35c03df</Content> </IndicatorItem> <IndicatorItem id="fbddb631-4962-45ca-a475-e89b9bd23035" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">13835f0d5aafbeda50560afc92c8b7b7</Content> </IndicatorItem> <IndicatorItem id="5d516439-8d06-4276-bcc7-979cedd88ad3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">40b1e9cf468f499d749c0863cfa6c8c1</Content> </IndicatorItem> <IndicatorItem id="76070a38-8e25-416a-a923-48bf21bf78cc" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0ccfaeb11defb100b5ddb40057e8fce4</Content> </IndicatorItem> <IndicatorItem id="b86c6d5d-7d65-4465-b7b2-7e14dee9ceac" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bc7092008ca37adf497b75eb98e2e175</Content> </IndicatorItem> <IndicatorItem id="26e65acb-3669-4e4b-8c7f-3199503b4782" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">f9a46d5024c05a827912a89ca270c553</Content> </IndicatorItem> <IndicatorItem id="d7d17a34-79a7-4fb8-83ee-cc644f714d73" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">52bd3ceef33900d53315f89538128026</Content> </IndicatorItem> <IndicatorItem id="f325e850-af17-48b8-9d63-93d566b4921d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a4ad7335aa391519cc5fc9140f2562f2</Content> </IndicatorItem> <IndicatorItem id="e721a677-95eb-4108-8234-4c6759828160" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a1b924b8c8fa157ae8775fd86f692053</Content> </IndicatorItem> <IndicatorItem id="33617a49-d597-413b-bc42-bc2f236b8151" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f1ad5daacace5d4a7b18a03132ec2716</Content> </IndicatorItem> <IndicatorItem id="6d5607d4-78ec-4f19-b409-e9bf720c59f7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3b320b90e024bfa48bda72aa7a82322c</Content> </IndicatorItem> <IndicatorItem id="2eae3162-26d1-4d5d-8996-5d0a72622bd7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7852b941a46e37fe9b332b1be77a6960</Content> </IndicatorItem> <IndicatorItem id="4f79f0bc-4158-4655-86a5-f1124fc98ec3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">465b085d3ddd22f63d8f7721ce5736d7</Content> </IndicatorItem> <IndicatorItem id="f2734f96-48de-467b-a208-afe9a7ce5627" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ef6c375e3e6930e2b50e1e97fe6fbcc9</Content> </IndicatorItem> <IndicatorItem id="08c29e42-37b4-4ccf-8a30-42de9cf10c99" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">2c9c691e15a48b20dbead0a6d6bf0300</Content> </IndicatorItem> <IndicatorItem id="40975d2a-84d4-45e5-88cb-4edbcc603dd2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7deed54a40efc12ea03e3f1859522862</Content> </IndicatorItem> <IndicatorItem id="8489fa8e-7307-49d1-8c9e-b18f80ed1293" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">78524ba7f66c0ec4a3755e51709db1aa</Content> </IndicatorItem> <IndicatorItem id="69b8a457-a26b-461c-ab0b-96804c2f1225" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9fc3ed6c9b8056fbf155f79569ca7cb1</Content> </IndicatorItem> <IndicatorItem id="30b15d42-1341-4e09-b316-40a04761c43d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d8315c114107b7418c32f85e263766b7</Content> </IndicatorItem> <IndicatorItem id="c774aebb-f8e6-44df-ae9c-f880a569b26f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cf038194f0fe222f31ec24cb80941bb1</Content> </IndicatorItem> <IndicatorItem id="830ba94d-c674-4e12-8081-407fc389addf" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d2f1be7e10ed39aa8bc0f7f671d824d2</Content> </IndicatorItem> <IndicatorItem id="6333732c-4657-4958-835c-36daca9af6ed" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9400fb97c145587b17fb456fac636771</Content> </IndicatorItem> <IndicatorItem id="b07056d6-e131-434c-9af3-74368fc71510" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">81602ce95a4b7f3d3cd1953a2456cd92</Content> </IndicatorItem> <IndicatorItem id="e2677e17-1963-4179-b898-1de300cf27cf" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">fbde5068f85ce0aac2e9ff387b5f8c06</Content> </IndicatorItem> <IndicatorItem id="76af7981-e44c-4490-a615-260ab230a49e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">815a89041dea3e56348f8f5c8b7d1457</Content> </IndicatorItem> <IndicatorItem id="c473ff23-c8cb-42c3-9a8a-a940fcf4b5c1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0496e3b17cf40c45f495188a368c203a</Content> </IndicatorItem> <IndicatorItem id="9c1f6d11-e8cf-4b4f-b606-a564cd97f6d8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b8277cce81e0a372bc35d33a0c9483c2</Content> </IndicatorItem> <IndicatorItem id="e3ac4faf-98bd-4dba-8b93-f50e5d3b1172" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2c49f47c98203b110799ab622265f4ef</Content> </IndicatorItem> <IndicatorItem id="755d1883-a0c5-44d4-ab7c-39e2ec3fd652" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f2009007bd6718582ad62ad29b742f6b</Content> </IndicatorItem> <IndicatorItem id="f855af0a-b1ad-46e0-bc0e-277487a85b10" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">565b6fedccab184c92e40483ea49a25f</Content> </IndicatorItem> <IndicatorItem id="6d1a3f22-3ac3-4aa0-b79e-7def175feb45" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6d2320af561b2315c1241e3efd86067f</Content> </IndicatorItem> <IndicatorItem id="2cb3e45d-cd9f-47a0-8835-56a44d25772e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">86dd715a8d28788e68a575207d66df34</Content> </IndicatorItem> <IndicatorItem id="c30bad26-dbc2-4973-90ca-0cca523d8d1f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">a99e06e2f90db4e506ef1347a8774dd5</Content> </IndicatorItem> <IndicatorItem id="c6c6738d-7fbe-493e-92d4-7e5b109e7f1c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">592a33f691daa01ccbfc8078ad961b43</Content> </IndicatorItem> <IndicatorItem id="c6aff098-b912-455f-b82e-94a86ebe03d9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3d328395d0cefc67e2909774125196b1</Content> </IndicatorItem> <IndicatorItem id="a44c88fc-776f-456a-857d-e2743c0c1fea" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c3af09a9fc487314eb4c9fe92a01845a</Content> </IndicatorItem> <IndicatorItem id="89f1b209-555b-4d70-a20a-2175c9a37675" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">94a59ce0fadf84f6efa10fe7d5ee3a03</Content> </IndicatorItem> <IndicatorItem id="70707d0d-ccb6-43d8-97fd-35213053ad58" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">438401c9ae36e9ed1bf4f410ae116484</Content> </IndicatorItem> <IndicatorItem id="c347c361-b4e8-481c-8b60-cbc68f653995" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6f551594fdf3539c62389c0cf0d2e16a</Content> </IndicatorItem> <IndicatorItem id="f55a68e0-97af-4121-85ee-8b23feb6f29a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ef0a6c79f99a537f932a5e64999972b3</Content> </IndicatorItem> <IndicatorItem id="a3c79f50-830f-4dc8-9a16-eef39da3de28" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">001dd76872d80801692ff942308c64e6</Content> </IndicatorItem> <IndicatorItem id="f8d46e9a-c9d4-4670-8ef4-783ef90a1a7c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">16e53c619803d0068611bb6d448d1d49</Content> </IndicatorItem> <IndicatorItem id="c4e9f524-7b23-4fb5-811c-ff5509b39cef" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">68d2fd5049e70942d164e4e25d13dd8e</Content> </IndicatorItem> <IndicatorItem id="6e42dc99-1133-4272-86a1-15df3f321894" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">63db2f4fd717723f0e6f94e0a6a62c7b</Content> </IndicatorItem> <IndicatorItem id="5b78b277-0803-4c51-98fc-ae8be7137ad0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">33e9ccd45ef133b2c100d5a4f50635d5</Content> </IndicatorItem> <IndicatorItem id="a3e02563-7734-4a6f-a862-44da86216a5d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cd4674e2b7be30121a46a053205472a8</Content> </IndicatorItem> <IndicatorItem id="d871da09-7aa9-45e2-82e0-337091965a78" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">abcaf816de63c632ec23d6bda3f02bb5</Content> </IndicatorItem> <IndicatorItem id="f5e529a5-1060-462d-a9a9-5b0557dfb725" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9dab4da07ed669b44f409eb60f3b0e50</Content> </IndicatorItem> <IndicatorItem id="fbc61ac5-4068-4991-944f-e67d2cddb450" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2b659d71ae168e774faaf38db30f4a84</Content> </IndicatorItem> <IndicatorItem id="f3686bbb-05ad-4b39-a841-954e68bdee52" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b1ee00cec6c2318fa86f320dd7fc99a8</Content> </IndicatorItem> <IndicatorItem id="6f1d0d6d-c088-44c0-98c4-7d55d0d3f26f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">66c287675cd4c7172590f71181e723a8</Content> </IndicatorItem> <IndicatorItem id="f9e82296-0e4e-41be-8521-0a00db0673d0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">25f240aed433c4ea52ccdb898e43756f</Content> </IndicatorItem> <IndicatorItem id="470dfadb-8598-4cd3-9590-79f90990d336" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1e5ec6c06e4f6bb958dcbb9fc636009d</Content> </IndicatorItem> <IndicatorItem id="cb47ec14-afd2-4279-bdb4-1d50313417e2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">523cf1c9741f5f9d11388a58de6a83a4</Content> </IndicatorItem> <IndicatorItem id="049d6404-9e41-40e2-ac1a-cee70614ba11" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ab00b38179851c8aa3f9bc80ed7baa23</Content> </IndicatorItem> <IndicatorItem id="f17913a8-dd0f-45c6-9d35-46aa12027e52" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f02abd537e481109142b6170933d1b3d</Content> </IndicatorItem> <IndicatorItem id="7ae0904e-0c1b-4edd-abe2-4530f1f9805f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6ab7fa8e5fb63b8d0723387d0a1ffe6d</Content> </IndicatorItem> <IndicatorItem id="41cbafda-9421-4906-981d-755ab6e2dbd6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">53600687ec97c297f03b4f0f4710d0c5</Content> </IndicatorItem> <IndicatorItem id="dcc93edb-8b87-4aa6-b575-ecf5b6a6bca8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3364813bcbd111fc5ec1e4265c533506</Content> </IndicatorItem> <IndicatorItem id="3bba770a-9c1c-4549-b365-7f87e6a085b4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">6ca59c9c4165796e08ba6ca3eeffdee6</Content> </IndicatorItem> <IndicatorItem id="493a31bb-eeff-42f6-b431-092d4b671c73" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d6a01b61f490488d61dfb9376186d844</Content> </IndicatorItem> <IndicatorItem id="474a5de6-98dd-4d75-855a-644a00f3e503" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">eef298d0bc5b8c89f582e48556d77b6a</Content> </IndicatorItem> <IndicatorItem id="b66e553d-40f6-41e0-8650-d369b1b5f1fa" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a7f17c75519fb8a39d37c47617202b05</Content> </IndicatorItem> <IndicatorItem id="f1b414e8-33a0-4b0b-a277-3dfe614507da" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8c57b287a1d2140ccedd6cd097d62ded</Content> </IndicatorItem> <IndicatorItem id="ef237e9b-e7e6-4247-a161-6c022117ec38" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">87efe3671ef8f1eca57f2d8f7e4711d9</Content> </IndicatorItem> <IndicatorItem id="c2bb85ee-a51e-4f66-8f99-cef724ce674a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b47e5d095be9fd61016817359f6c2887</Content> </IndicatorItem> <IndicatorItem id="7cdeed2e-3ac5-4c2b-a9bc-1a4844bc0e33" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">81ce61ed2dc567ce70589386563890ca</Content> </IndicatorItem> <IndicatorItem id="c9aaa5c9-f78e-4c89-9ffc-92e5505e681f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e0c4cbf3ed293e8a8df3f3987b42caac</Content> </IndicatorItem> <IndicatorItem id="329c1481-806a-4d9a-808d-e9af0c8cae88" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">3cda17269c246a2e3bfcda6fa02fceb8</Content> </IndicatorItem> <IndicatorItem id="b4e1239a-763e-452c-bf85-dccfe33808c8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1c7538951b21d93ef7ecf3fa94ae5c5e</Content> </IndicatorItem> <IndicatorItem id="83e63fa0-c005-4a03-a0de-1078f44a7c1f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">082cc969b3eb6786e3e951b450b8de0d</Content> </IndicatorItem> <IndicatorItem id="b146b5e8-c04f-4123-bc7b-edf4cb9eabe6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">75372eb37415140fa5464f1ebb8a0e74</Content> </IndicatorItem> <IndicatorItem id="4c3c445c-15f5-45a4-b217-f22704f4ed8a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1e48f6ba839d2c4794e23c10e5c4c138</Content> </IndicatorItem> <IndicatorItem id="9c4ed6da-dfa1-4175-9cc6-66d8b6afbcfa" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">494637c4ac6d04bb50a681e87b81043f</Content> </IndicatorItem> <IndicatorItem id="b7357a94-7643-409a-835a-fc62b2f48ace" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6510cee34da30c7ef5e5e39980402257</Content> </IndicatorItem> <IndicatorItem id="8d9733d2-42ba-4e05-888b-14207129b441" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f9ed623f13481da16a97aeacdca646dc</Content> </IndicatorItem> <IndicatorItem id="8523db29-989c-467c-9381-687812c2f1c3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bee9b7835a02973678e9ead683da1ac4</Content> </IndicatorItem> <IndicatorItem id="a2bd125b-601b-4d22-8b3b-d1683a08038b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">30e78d186b27d2023a2a7319bb679c3f</Content> </IndicatorItem> <IndicatorItem id="678bd135-d0cf-4e03-aaa0-e99df146301d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6c5c5e4049265fffc87973f3e4978b26</Content> </IndicatorItem> <IndicatorItem id="91a03df2-d857-4ad2-97ad-3da1f760e57b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4cabfaef26fd8e5aec01d0c4b90a32f3</Content> </IndicatorItem> <IndicatorItem id="1339f61d-cefb-439a-8ef3-0023d642ee35" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">83b3711c32d28a87b173e7e5aba5f826</Content> </IndicatorItem> <IndicatorItem id="4fc2a0a8-6643-430e-a732-400596bf484b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b1ff1ef983a1aee3a395788ec441d006</Content> </IndicatorItem> <IndicatorItem id="2cb48a12-7126-426e-ba71-939082a4513d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">74b3ee9f3f6c52413db6e5c9ace34893</Content> </IndicatorItem> <IndicatorItem id="6c92db0d-d72b-4efa-999a-9b21ca39a30a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">277964807a66aeeb6bd81dbfcaa3e4e6</Content> </IndicatorItem> <IndicatorItem id="900ac2e8-159b-4ff2-875a-6413b7e39033" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">50f35b7c86aede891a72fcb85f06b0b7</Content> </IndicatorItem> <IndicatorItem id="aa0b5b1e-79b3-4b33-b2a5-440e4fb1d84a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2b379d5346ffd386c28038630a9b0292</Content> </IndicatorItem> <IndicatorItem id="cf6c29ee-7466-4c54-9dfd-5d9242a67584" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">feb406ff01d9fd5abc5ea079e0543e31</Content> </IndicatorItem> <IndicatorItem id="b09fe8fc-790f-4e45-9a0c-dcaf88df1380" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f4bea18e9d38ab9fa7c1cf6eea2bdc79</Content> </IndicatorItem> <IndicatorItem id="cfcc75f6-0fcf-4046-ae45-7e2963e8c2fe" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4aadab80ce16c588b8719f15e84aba82</Content> </IndicatorItem> <IndicatorItem id="4646ce95-63f7-4e9c-ac28-8178ca526e7d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">18316e6ebb356a66c8ff51e73c1bcc8a</Content> </IndicatorItem> <IndicatorItem id="5809d567-79d0-40e4-8dfe-0474a3e0af58" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5537bdce991797198a9ff97ff1492f90</Content> </IndicatorItem> <IndicatorItem id="14557f7d-bedc-4722-8798-5ca8d88ae46c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6c9c9e40683467f60b910d5bad5285ae</Content> </IndicatorItem> <IndicatorItem id="97929c8b-7dab-4004-a1de-0d6d49e2aca5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0469a42d71b4a55118b9579c8c772bb6</Content> </IndicatorItem> <IndicatorItem id="ea0db72c-9809-487d-a72b-cbdad623497a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6a88f170ab6cb0f9b3252adc61b4f487</Content> </IndicatorItem> <IndicatorItem id="232a1e95-18af-4ed1-afcf-53c8e51a31e2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7e56369d466dd3d85a9b31f65ee8e551</Content> </IndicatorItem> <IndicatorItem id="a0af6b2b-7b7a-41e3-a532-106a6bbe8068" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">c21591aa72ac72872f5bd05bbca5e4da</Content> </IndicatorItem> <IndicatorItem id="4ecee824-7a09-4905-8a03-d1d77e31ef98" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">120c2e085992ff59a21ba401ec29fec9</Content> </IndicatorItem> <IndicatorItem id="b7df8f63-0e68-4545-9608-49db64dc842a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fd37fa026747059559197461aa7c63e6</Content> </IndicatorItem> <IndicatorItem id="865dc2e5-3c94-4862-a9b7-3c44fc0fb16e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ffcc7271e951055f12b61f520ce1e4c7</Content> </IndicatorItem> <IndicatorItem id="e7ff6c13-a488-4c9a-8110-97fa63b1bd1e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0ec0fcd649f3d5aa2e19f110c0089164</Content> </IndicatorItem> <IndicatorItem id="a0be44a8-8140-4f5b-a0aa-d165bd5b6c15" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6b4ac249f918be9f7bc64ae7fdda947e</Content> </IndicatorItem> <IndicatorItem id="8e424f3a-0c4b-4650-b157-a6656050a401" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">772c771e13e599cbf25bf9e0199681f7</Content> </IndicatorItem> <IndicatorItem id="a48c9093-ab8e-4001-a381-013299bbefc1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7b451bbbdc840378b785bed6b9e30e0f</Content> </IndicatorItem> <IndicatorItem id="ca714746-cd7b-4d9d-9698-913df4ebc11d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6db47757ba324bb61ce3cbcabbec52d4</Content> </IndicatorItem> <IndicatorItem id="17565c08-0d52-45da-86d6-4d2b784e00e4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">a6b99080565aa7933d946b8b9d9d7476</Content> </IndicatorItem> <IndicatorItem id="851ea564-2c94-4620-b15c-3f9d76f02a74" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">70bb674fc97d7bf4d8dbbe3636f65c4a</Content> </IndicatorItem> <IndicatorItem id="9017943d-196c-4858-923d-dffcebd77bf6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">eb50c166074ae4f13cfea362dc7b668a</Content> </IndicatorItem> <IndicatorItem id="feaf6521-3217-48f9-b2e3-8a3e465fe764" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d76ea982d614c66c5faa36ab5fdd8b41</Content> </IndicatorItem> <IndicatorItem id="b1ebe4ef-4f07-4e17-a1eb-5d371baec782" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5dea347d29a3e9c21c52385a10224b65</Content> </IndicatorItem> <IndicatorItem id="75d8211b-d323-4b7b-a6a9-b37eb6dcf9e5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a1b8aa19c92c257cbace54337f6672d3</Content> </IndicatorItem> <IndicatorItem id="c5772131-a3ab-4680-9fd1-784c452e045c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7e64b28b0050d23970478c81e8037470</Content> </IndicatorItem> <IndicatorItem id="c97e7b64-7ab6-46e8-bae1-9740ebd2624d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2d08595e73de31a36c1187fcaac73bf0</Content> </IndicatorItem> <IndicatorItem id="71e7258d-3bd9-4e8e-8be8-1a98765f0223" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d915f1c6792eed61dddb30e512e6c202</Content> </IndicatorItem> <IndicatorItem id="a708371e-4f3e-4e91-bb1d-35d0ce21b866" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">e50af782414228e52e59bcbe518b1966</Content> </IndicatorItem> <IndicatorItem id="af49aaa4-20e0-4d53-8c5b-ef0ef0e2faad" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e06145fccac413d8c753bc822619945c</Content> </IndicatorItem> <IndicatorItem id="106e85c9-31cf-4805-b69b-e32d9770acca" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9c36333385d351e59d6c4372d757479e</Content> </IndicatorItem> <IndicatorItem id="c97a502a-1674-4f08-8a5f-3b1f90ad8381" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0522e955aaee70b102e843f14c13a92c</Content> </IndicatorItem> <IndicatorItem id="bb7b444f-3c8f-4f6e-9551-315d3dc75a9c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1097ca5269dea866d5c9f2b0cc50af6d</Content> </IndicatorItem> <IndicatorItem id="d2554707-192f-4f1e-8f4a-caa41d2c9db5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">04a7b7dab5ff8ba1486df9dbe68c748c</Content> </IndicatorItem> <IndicatorItem id="1cd3f828-f29f-43c6-80b5-5564ac64e24e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">349f6cfb77bb360063c477e9b6ca24d6</Content> </IndicatorItem> <IndicatorItem id="e5ab65e1-6116-4dc4-8838-11d79b05317f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5ccb52a8e3c31dde2ddbc486a2215e85</Content> </IndicatorItem> <IndicatorItem id="2c4d7c13-218b-42a3-9883-7755bd88ced1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">633cb95904ab9dc0a3de4ddd443494e8</Content> </IndicatorItem> <IndicatorItem id="87b5674b-3f4a-4a1a-a583-c363caf0844a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">d3f9d4bc51db1e602093e3003fc789d9</Content> </IndicatorItem> <IndicatorItem id="a6addc82-4546-40f4-9e2c-1838b8abe6d2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">56c8ff5c6832f1e31a59e0717c3ab79c</Content> </IndicatorItem> <IndicatorItem id="441d6825-81cb-46a2-b5fd-50733dea2336" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b661f78279ca0b2e0ae611013eb00f20</Content> </IndicatorItem> <IndicatorItem id="b76feb62-b32e-426e-9110-9f8759417ce3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9cb07b71dcd1ac9dfdbf9f4cdfd4f273</Content> </IndicatorItem> <IndicatorItem id="b8d2eb7c-f294-4040-8077-246b13d59a63" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5e1d81618eaf005b8e0cd63fbc9a4937</Content> </IndicatorItem> <IndicatorItem id="553117f8-bd7c-4aa0-914a-6377de0f3463" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d5e56f7da9d2a78e49d3d0685e9613ca</Content> </IndicatorItem> <IndicatorItem id="3c791684-0fc8-4bea-a715-10d8ae67cc19" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9371fcd92ef86ccf450af903bc74ec01</Content> </IndicatorItem> <IndicatorItem id="d05fa418-b565-44c7-ae55-b9cf7cf00cb7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">760339e927e391e289bd91bad4cd59c3</Content> </IndicatorItem> <IndicatorItem id="53db6475-a3ea-4afd-a3ee-c19b0b9d6a58" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ca899eda2c32e7d305272dd48bc8e1e1</Content> </IndicatorItem> <IndicatorItem id="f2f0494e-c4b3-4349-ba9b-b97727f7f79b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">389f43a8af199da8da6b7c75b2c69595</Content> </IndicatorItem> <IndicatorItem id="d6ef728a-e155-4323-9a74-6be5710fa548" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d8b7b276710127d233abcdb7313aac36</Content> </IndicatorItem> <IndicatorItem id="3ea0215a-6b3d-4a2f-b782-4a75ef23a07a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6a4fbcfb44717eae2145c761c1c99b6a</Content> </IndicatorItem> <IndicatorItem id="73319afd-e722-4ac4-a163-6d3d4c1bcf15" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">af719814507fdca4b96184f33b6b92ea</Content> </IndicatorItem> <IndicatorItem id="0c29ca36-997a-4d5b-9a10-5927b5359231" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">827040a5f5ae8de281a63899224b2f3a</Content> </IndicatorItem> <IndicatorItem id="82573a72-d55b-44af-abbb-bbf832d45fa6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">67504a0c2c2bf47efccdab5ca981ad7d</Content> </IndicatorItem> <IndicatorItem id="fb13b7ac-aab0-4fe5-8858-bccd055d9b90" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a4903f7c293993069f865468bd7cec78</Content> </IndicatorItem> <IndicatorItem id="196599a8-1153-431b-96f7-fe9ef358d268" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">46817cabd6618d2126067430a78f06a3</Content> </IndicatorItem> <IndicatorItem id="198e1c60-b090-47dc-a38f-bb7524d14397" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">605c1dc91a5c85024160ce78dfac842d</Content> </IndicatorItem> <IndicatorItem id="24f6b24b-9d09-4690-be1b-06459464dd60" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">f3f2881a1cf3f81f1ecd952ccb616504</Content> </IndicatorItem> <IndicatorItem id="eae9116e-675d-4590-af90-435206d5e280" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0588ffa0a244a2c4431c5c4faac60b1f</Content> </IndicatorItem> <IndicatorItem id="6c1ffc0d-09dd-438c-917b-e7d2224a7238" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">da52e6701c9eba92459c6be28efdba74</Content> </IndicatorItem> <IndicatorItem id="c5a8b6e5-74c5-491a-81a9-3d08f61c8697" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3de60420845a582b0e44081b1138a7e4</Content> </IndicatorItem> <IndicatorItem id="d51048c3-30f6-490e-83f7-eb2df1e87a41" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fb671e6de6e301c892d2fdaa58f9cd9a</Content> </IndicatorItem> <IndicatorItem id="7e84c04a-6f3d-41d0-a130-5bed5cd04520" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c9f77569aa98f71cc42644d66d9f371c</Content> </IndicatorItem> <IndicatorItem id="2727239c-d01c-437c-a7e3-2940b1fafed4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">69dc1e1ee273e531e91c60eb86396cc8</Content> </IndicatorItem> <IndicatorItem id="c523c024-241d-4cc9-9b85-37c86be82a20" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">99882234b814b860a22b4d441b92fd82</Content> </IndicatorItem> <IndicatorItem id="ff7636d0-a8c6-42da-ab0e-39157ed18d0e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">024fd07dbdacc7da227bede3449c2b6a</Content> </IndicatorItem> <IndicatorItem id="b548d814-ad9c-4194-9972-b7d4bb357171" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">adb2fc194b960e694aa450161f1df6fc</Content> </IndicatorItem> <IndicatorItem id="ebca2297-71eb-41ae-9ed0-082400a4f867" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7127241c033c403b18bd281d0dfc4e31</Content> </IndicatorItem> <IndicatorItem id="82cf46bf-bfbd-4569-b211-fe00bafbad8c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7712d05c8b499fc7a1f4a6a6b6dee825</Content> </IndicatorItem> <IndicatorItem id="b05ac8bd-8653-4313-87ac-8cf0ecd1fd52" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8fc5fb519a222ab919f28d21545774c6</Content> </IndicatorItem> <IndicatorItem id="707b6b73-3139-429c-821d-134dfd260c96" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fa66312d7e2ed95814f30871cae61d7c</Content> </IndicatorItem> <IndicatorItem id="f1dd09ad-62f2-46b0-98fb-f9cafb77af1f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">61b4e2423dd21a145fc977ef55fe34c8</Content> </IndicatorItem> <IndicatorItem id="dbbc43f7-f85e-45e1-b9b9-581208823275" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e6ff80137734a4882c3709a235802d6e</Content> </IndicatorItem> <IndicatorItem id="559b6918-c898-4778-9215-3f21039fd44a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ec63f49236858c85168da81c1ac7802a</Content> </IndicatorItem> <IndicatorItem id="3711a61a-bc46-4ad8-aafa-17f9318b5010" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d25be76b6d871a26eec08ad1bee0273d</Content> </IndicatorItem> <IndicatorItem id="2df54931-2584-47e8-81f4-82058940b2e5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">e56e4b20ef6dc09d29be49481bd29561</Content> </IndicatorItem> <IndicatorItem id="905eacc6-46e0-4a70-947d-d7ca8e43e3e4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0545a524a6bb0b042f4b00da53fec948</Content> </IndicatorItem> <IndicatorItem id="639f8281-4437-48ed-9f4a-1c6f5e6eeff7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">651d83c1b85acb204abd5bf7990a1298</Content> </IndicatorItem> <IndicatorItem id="814200f0-af78-4719-a82f-341dfa71ee57" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6ebd05a02459d3b22a9d4a79b8626bf1</Content> </IndicatorItem> <IndicatorItem id="16c597e8-4b94-4edb-938f-0810e9ef2690" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">db50416d9e67f4982e89e0ffb0ade6f3</Content> </IndicatorItem> <IndicatorItem id="0740cb32-98d1-489c-9c55-fcb686453f8a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e64d657ce32118b415fa91dc05037c4c</Content> </IndicatorItem> <IndicatorItem id="cac202fa-8555-433d-8023-5f79fcfc03a4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bb286e9969ca197b461286b679c0886e</Content> </IndicatorItem> <IndicatorItem id="8c293eb7-075b-4104-bbc0-41a76cea08be" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">98bddd6c789a883afa1de3524bb8ea8e</Content> </IndicatorItem> <IndicatorItem id="b2282f60-b90a-44ee-91cb-59f0f0b962ec" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">11ccf3f93b00b01887e50283742cd1e6</Content> </IndicatorItem> <IndicatorItem id="053ecb99-8eb1-4e92-8fd0-1d8154375268" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">ff2d1edbcaf04e8a02dc61fc225e2b91</Content> </IndicatorItem> <IndicatorItem id="807e98db-f7b4-418a-aed6-72dc19f05d76" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fad92f849e3bbfab211af339eb6a8d66</Content> </IndicatorItem> <IndicatorItem id="c8645b0c-d8bc-4ff6-80bd-71a2de3a0bb9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">55886d571c2a57984ea9659b57e1c63a</Content> </IndicatorItem> <IndicatorItem id="6d5c7154-48eb-4792-baf2-e6d91f6cf36d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ec09d3b72b282872db4afb0cc9ba7d9d</Content> </IndicatorItem> <IndicatorItem id="bb66a3f5-f29d-4d55-b732-338fb1b701b5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">016da6ee744b16656a2ba3107c7a4a29</Content> </IndicatorItem> <IndicatorItem id="2672fb23-8070-4b6e-ba51-383087900160" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e5237615fde0977c0ea3626fba609ab8</Content> </IndicatorItem> <IndicatorItem id="76c4f060-bd17-4e8d-aae1-4d70dd565d78" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4a54d7878d4170c3d4e3c3606365c42c</Content> </IndicatorItem> <IndicatorItem id="bcbcaa06-a184-4c65-aa5f-74ab8be16212" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a7117612ea6b6fa3307943f5ed21fbb4</Content> </IndicatorItem> <IndicatorItem id="5d051b62-04bc-4b61-8670-425f975bf378" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">41a5d40ecc735172b18b61e01a30a178</Content> </IndicatorItem> <IndicatorItem id="7d5b5ff3-41be-4d24-9c3e-c7723c1ae807" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">a639f598d4c0b9aa7a4691d05f27d977</Content> </IndicatorItem> <IndicatorItem id="036dffea-62da-41c1-bf3f-5367d5bf536a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">10a68e08c514d3b69296b0eb557d822c</Content> </IndicatorItem> <IndicatorItem id="cf7ef16f-a838-4e17-a21f-551c7c737858" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">02c65973b6018f5d473d701b3e7508b2</Content> </IndicatorItem> <IndicatorItem id="75929f3b-081f-4df0-b464-f1f256a609dc" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">933b11bc4799f8d9f65466fb2e3ea659</Content> </IndicatorItem> <IndicatorItem id="4fa8838e-2668-4081-a83a-fb91d8cce1a8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">af2f7b070245c90bd2a0a0845314173a</Content> </IndicatorItem> <IndicatorItem id="b56bbb81-0344-4b4f-9d12-60765bc45bf9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">baabd9b76bff84ed27fd432cfc6df241</Content> </IndicatorItem> <IndicatorItem id="bb141ed4-e569-4ba2-a0dd-be481088d1fd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">588c40520a3cea27d2b35cd1fa05e23f</Content> </IndicatorItem> <IndicatorItem id="e3d10dac-f42b-41a2-828d-c7f0df2ab24d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0c5858f293aed44ea00eb9e0019609df</Content> </IndicatorItem> <IndicatorItem id="4f52d963-743e-444d-885c-1222938a1849" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">775459afc5415984dfa2a0f533011763</Content> </IndicatorItem> <IndicatorItem id="5f1e9bb3-2072-4dc9-bd51-175e75500e08" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">6bf9083f1567edce004bd1f7c456659d</Content> </IndicatorItem> <IndicatorItem id="3165b381-f361-47e5-bfa2-6254b9a95f92" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f172ff6b65140f342e6ee51966ea3c4c</Content> </IndicatorItem> <IndicatorItem id="353086f3-f7d6-439f-8a7c-b7bf83ec4e10" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fe5ba680a96757ff232d4bad9c0db2b8</Content> </IndicatorItem> <IndicatorItem id="dc71ba29-82d1-494a-aedd-2f21a089406d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3f33c0dab564c35485fd227d97b98443</Content> </IndicatorItem> <IndicatorItem id="22587830-8355-4949-bac1-effe145e45c8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4c858a80df0d6de5d69824c9502b65cf</Content> </IndicatorItem> <IndicatorItem id="73f9e853-feb8-49e1-9373-c442800a3882" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9d75897d9c0a5da7e95082ea5ae1f648</Content> </IndicatorItem> <IndicatorItem id="f303cf23-b998-4fff-8b0f-dd427b93b00d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6deae79fc82df523ba99852266a33f9e</Content> </IndicatorItem> <IndicatorItem id="c0a9f30b-42c6-489c-a1a6-d68fb32d5741" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">08f21a020f41f0bcacdc9427f84987da</Content> </IndicatorItem> <IndicatorItem id="d4cc4757-d9a0-4e3d-a9e5-93fdda1328bd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9d7499c3a01daba5c9b5090b079808ca</Content> </IndicatorItem> <IndicatorItem id="5d96e91a-e8af-4279-aff8-f7ee1035b553" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">99a29ccea951a950040f3944abafed40</Content> </IndicatorItem> <IndicatorItem id="28e36290-156b-472b-8697-1fd83214f159" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cc7c8aba24c66373502ba5934696b7b6</Content> </IndicatorItem> <IndicatorItem id="c5bacb83-ed6a-449f-8435-aaa14829020d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e9f3a771196ef22e150559d9f819eea9</Content> </IndicatorItem> <IndicatorItem id="fba246d4-63a9-44d8-b683-7a8873edab4b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d0fb18b1e1f642f595a4746826350c21</Content> </IndicatorItem> <IndicatorItem id="7cd0d0f3-629d-4d23-9be6-f0e87ac83de4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">342939e5fe4770c545659a6bf1e50df4</Content> </IndicatorItem> <IndicatorItem id="a1ea4b28-4641-4d32-b3d9-77e88596e1e3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">03ae71eba61af2d497e226da3954f3af</Content> </IndicatorItem> <IndicatorItem id="25fe922f-8c85-4036-8b66-4c0a14035066" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bd402e910e03b70f00685d8b8be5093c</Content> </IndicatorItem> <IndicatorItem id="83b80c37-dc92-4520-ab62-244cdeabeb9d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7b3ce6c2af1acd119a25831fac670bab</Content> </IndicatorItem> <IndicatorItem id="2a32d815-3b5d-426e-b75d-1fa9d6669b19" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a34234a27157851300d9b698f6c56d9a</Content> </IndicatorItem> <IndicatorItem id="794fb4a0-ea6a-482f-9e0d-d247c8685518" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">c4f144febf16ff8f36df15353d5347ce</Content> </IndicatorItem> <IndicatorItem id="5a2d6053-025b-46c2-b34e-3393d058a54a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2cdbeebcf4e0b6dbd24b8c7b4cd6d862</Content> </IndicatorItem> <IndicatorItem id="db42b8c8-8970-455b-893f-984bcd429fa5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">989b797c2a63fbfc8e1c6e8a8ccd6204</Content> </IndicatorItem> <IndicatorItem id="fe942121-30ee-48a0-ac71-ffb77fa9419b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f3611c5c793f521f7ff2a69c22d4174e</Content> </IndicatorItem> <IndicatorItem id="d1269ce0-b8ce-4687-a57d-e912eb453a87" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">609d917a7f0c526b0d8091c8191da376</Content> </IndicatorItem> <IndicatorItem id="73d21b20-8517-4c34-80d2-aab23275ffdb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">687a58dcbc076b04bef4ec6050310fb5</Content> </IndicatorItem> <IndicatorItem id="f6d336e8-8698-425c-bb52-39a177c16abc" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">215df0c319b98dad4f202849b097f8b2</Content> </IndicatorItem> <IndicatorItem id="820cd5fe-38fc-46bd-8b8e-1e54123fc4c8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8387adb5325035baa3fe3a2b0cb4921a</Content> </IndicatorItem> <IndicatorItem id="16c32e93-5328-4c6e-b3d3-033276ceb53e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b43266a047b2895399f4883cfe37c089</Content> </IndicatorItem> <IndicatorItem id="31dabc58-f045-439c-8ca1-7a4cc5de75f1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">959c680c26f26e7f1dd61607942dc96a</Content> </IndicatorItem> <IndicatorItem id="9a222096-0778-45ed-9f1b-97097308d772" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1ea61a0945bde3c6f41e12bc01928d37</Content> </IndicatorItem> <IndicatorItem id="b02ded2c-f824-4146-a3f1-e6fc5f6c5599" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4962cb3f255b2eaf48847c754d2a553d</Content> </IndicatorItem> <IndicatorItem id="42542bca-6c09-4f4b-a2e5-b54d69062a84" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">50a3aaaebae6cee7ecb150ac395276b9</Content> </IndicatorItem> <IndicatorItem id="17942e46-f4cc-4f97-a68b-24388656b57a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b8f61242e28f2edf6cb1be8781438491</Content> </IndicatorItem> <IndicatorItem id="be3d5ade-520e-421f-a09b-d65dd3346ada" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8fdb15f3d5480de78c61ccef23722683</Content> </IndicatorItem> <IndicatorItem id="01bce683-12e0-4566-aae4-8f819bfb4d6f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a2feee5e0ac3f825d4b7de7e0b95bb1f</Content> </IndicatorItem> <IndicatorItem id="c1bb4fad-f3f0-4d7a-861d-c4302e4b1f37" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">950234183528ce107d65b700be1bbbd3</Content> </IndicatorItem> <IndicatorItem id="7d002204-b850-4193-92d3-3016e95d59d1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">be58ff564c854be419a19a030af25c86</Content> </IndicatorItem> <IndicatorItem id="31268200-df2e-4252-8359-ae7a90433cc5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">68c67a6e26855ebc2569d67689c69a6e</Content> </IndicatorItem> <IndicatorItem id="fce682eb-b3e1-4d38-a42e-2de5eec1c850" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c39e272e9ea15d61e0c8e6b749a1ad46</Content> </IndicatorItem> <IndicatorItem id="69718092-b9ee-45a9-822c-1eaa4a997d39" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">17199ddac616938f383a0339f416c890</Content> </IndicatorItem> <IndicatorItem id="f0aeffcd-c53d-4176-8b7d-7018c848bf6f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ea1b44094ae4d8e2b63a1771a3e61fd5</Content> </IndicatorItem> <IndicatorItem id="b771e7b8-6f7a-4f66-8714-faf593b28b7e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6eb99bed5b5fcb3fdb26f37aff2c9adb</Content> </IndicatorItem> <IndicatorItem id="024dd82e-75ed-4574-8ca0-9c55c63e354b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">17f6602f1c507b006b9d09eedcde0096</Content> </IndicatorItem> <IndicatorItem id="3179c759-84f6-46ca-8143-82908ebc34cd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fc1937c1aa536b3744ebdfb1716fd54d</Content> </IndicatorItem> <IndicatorItem id="ef39982f-d403-4c7a-a1ba-5c598ecc8dcc" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">05bc8309b93676087d5fb0b58ad5e9d8</Content> </IndicatorItem> <IndicatorItem id="a68353b7-e572-4766-87f9-09b5e5428fe5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7a7a46e8fbc25a624d58e897dee04ffa</Content> </IndicatorItem> <IndicatorItem id="459bd1d1-b0e4-446a-931a-3471c2dd1718" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">77fbfed235d6062212a3e43211a5706e</Content> </IndicatorItem> <IndicatorItem id="c4703fed-7e16-4d10-a9df-0edbe18fbe1c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5f837bbfd3b458321070e2aebca4ec46</Content> </IndicatorItem> <IndicatorItem id="a19e1652-b5fd-4c7b-a201-0bdfa1bba90f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b6f2f483e03b9399f055a1ba5e0713a4</Content> </IndicatorItem> <IndicatorItem id="28ad0026-1864-4eaf-96fe-3029613345f5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">06598b0490133815541c5ac023623e82</Content> </IndicatorItem> <IndicatorItem id="b73a948f-25cf-4b6f-90bf-a5224d7edadf" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">76c1b246703a10cb6e71a3e5b7b55b24</Content> </IndicatorItem> <IndicatorItem id="b61c3c5f-e034-47d8-bcba-c84628799458" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fdef1329ae626656c8389f82c4f9ad38</Content> </IndicatorItem> <IndicatorItem id="60f513ab-f989-41c1-b7a6-14338b505108" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b883f8e5a1420d1f511266b9253c11c4</Content> </IndicatorItem> <IndicatorItem id="24cbc42a-3990-4270-b87c-2e14ffeb17cb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6f4182baa5a57b717cb9d850dfadb60a</Content> </IndicatorItem> <IndicatorItem id="f8a37975-06eb-48f6-9ff1-72891d974715" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bce4b77a4e4acc70a3f6f52ec0a2f033</Content> </IndicatorItem> <IndicatorItem id="cdbac038-6f51-42ec-96c3-ae1bb9b0ca68" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">0cad42671e5771574df44a23b3634f32</Content> </IndicatorItem> <IndicatorItem id="b224b921-23c9-4cc5-968c-0f31e1a9fe53" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3e72fd40e47e232496b303734f1b2b11</Content> </IndicatorItem> <IndicatorItem id="0600e80a-95a5-4849-abf4-f5b0f037b3a3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">eb0c8b05ee6a4334f45968cf45656597</Content> </IndicatorItem> <IndicatorItem id="8528458b-c27e-4539-87d0-740419f90bc6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3e32ab6a2eac5bd1cddd3146d1a1348b</Content> </IndicatorItem> <IndicatorItem id="c9b8eaf1-5f27-4f7d-89fe-d34c7f5ac6f9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">611c8f862864af818202865b78ad7ca8</Content> </IndicatorItem> <IndicatorItem id="4a1bbbc9-7936-40d6-bb12-ae6d0ebbef1c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">db2580f5675f04716481b24bb7af468e</Content> </IndicatorItem> <IndicatorItem id="e37f6f41-81e5-41cd-b3e1-4472636750eb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3de1bd0f2107198931177b2b23877df4</Content> </IndicatorItem> <IndicatorItem id="dabfafb0-f038-4c46-bae4-72c9b2c47ace" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d62cd4ad2a919b6acfa6d49d446dffdb</Content> </IndicatorItem> <IndicatorItem id="f9ae4070-21a5-4c49-bd11-ed725122736f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8153b612499dbf432e2d9805b20ae783</Content> </IndicatorItem> <IndicatorItem id="6a89b4c0-718d-4f6c-bbb2-0cfaa81360d6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">81b03cbcfc4b9d090cd8f5e5da816895</Content> </IndicatorItem> <IndicatorItem id="eff16361-6bcb-487f-b12f-7c7524975aa9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b5e9ce72771217680efaeecfafe3da3f</Content> </IndicatorItem> <IndicatorItem id="055e7e38-b434-481e-827d-d46104055c40" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">53b263dd41838aa178a5ced338a207f3</Content> </IndicatorItem> <IndicatorItem id="86a57228-9fe8-4ea9-952c-2bd01b4d79cd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6eebee2aebd5194db62cb8230502378c</Content> </IndicatorItem> <IndicatorItem id="c412bc98-8edc-424b-9416-33c7011bf3b8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b0538781d47dde1e9a46a2610155c2d3</Content> </IndicatorItem> <IndicatorItem id="8a2f5ff2-237c-4e45-835f-95b757469ed1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c1f60ffbc1ff1fb7241cb034b831c6de</Content> </IndicatorItem> <IndicatorItem id="3ff255fd-4cf6-4155-aaf5-de033933493e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">31b1d316b46c967c80fe7398a9e4cf41</Content> </IndicatorItem> <IndicatorItem id="3409584e-e89d-4b18-8f81-c0f3a96a22b6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">64fa1239f5aa9a9031e61533283f8c22</Content> </IndicatorItem> <IndicatorItem id="271340f5-a56b-4651-950f-ffc9e77c0ca0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">01e0dc079d4e33d8edd050c4900818da</Content> </IndicatorItem> <IndicatorItem id="b2dd815f-0016-4240-b831-7c3190aa3c0d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">567395a3c720fcd09eb75b6c188b8687</Content> </IndicatorItem> <IndicatorItem id="d74d9b5b-58d3-4ef4-a818-c83695a2a7af" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">79f3bac2826f8511c96240758af116b4</Content> </IndicatorItem> <IndicatorItem id="03f0423f-c6db-4ac4-9b57-319d43ecfb99" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">99a7e4a01b813b9b26ba76bf0b484742</Content> </IndicatorItem> <IndicatorItem id="f2b0f996-240f-4c98-84e1-795a91af6157" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">79841c13f645118a600d19def3642d1a</Content> </IndicatorItem> <IndicatorItem id="4fcc4a24-31f0-4de9-b404-19a84e785839" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7fc52a32337386d867a952a2c8644353</Content> </IndicatorItem> <IndicatorItem id="0d6bc525-8980-40eb-b177-25199a431e05" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d5fd1ce9189cd54f157d691e317c0821</Content> </IndicatorItem> <IndicatorItem id="ad26d135-7c06-444c-bd9c-148152936129" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">212c724346400853d05a4440cabd716c</Content> </IndicatorItem> <IndicatorItem id="ad2b7f76-8999-4855-be06-95fe7333eab7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">173cd315008897e56fa812f2b2843f83</Content> </IndicatorItem> <IndicatorItem id="f9691ac4-b7a6-4a68-8ab5-ca6d45166fca" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ac87816b9a371e72512d8fd82f61c737</Content> </IndicatorItem> <IndicatorItem id="3168aba4-6246-44d6-a79a-cd6b067f41ad" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">15137b710414e4e8508ac5ab27e2cbaa</Content> </IndicatorItem> <IndicatorItem id="8fdb58e5-116a-41ff-a7d2-46e56f9439c5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">24259ae8b0018b0ce9992fb1d9b69e2a</Content> </IndicatorItem> <IndicatorItem id="949db1fa-fc0c-41d9-90c9-ca9314c654ab" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b8dfe540bef505cd1adbd5f8ff31d028</Content> </IndicatorItem> <IndicatorItem id="b5419754-1d7e-4e0d-ba79-061896bf8389" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b1838a6c341260fbdaf288795cc63900</Content> </IndicatorItem> <IndicatorItem id="e105b49f-391e-45e7-86dd-eb2d8087e30d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">85c828f5ea5d99e0c98017f6d6be243f</Content> </IndicatorItem> <IndicatorItem id="a931fac9-3d66-4f67-a96b-eac1d080a898" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b92db06d17d3bf906c47a0384e771076</Content> </IndicatorItem> <IndicatorItem id="40fe973a-354a-440c-9c01-793d25556721" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ff9aa093a37819af65a06046ea0c830c</Content> </IndicatorItem> <IndicatorItem id="ccddc305-d691-4be8-9c78-333e2a036daf" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">57cfef3e32e60df11b8d2c5375f3185c</Content> </IndicatorItem> <IndicatorItem id="80081b94-7df9-4aef-8137-73e0c2c8eefc" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">150c4c1f589c4baa794160276a3d4aba</Content> </IndicatorItem> <IndicatorItem id="ca97b6b3-ae36-479e-b7ff-9363f3169447" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">8dfbf8a46d3a302fd420305918e9414d</Content> </IndicatorItem> <IndicatorItem id="6610f26a-8c07-477c-9fa1-21dfd3050f15" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d4ba6430996fb4021241efc97c607504</Content> </IndicatorItem> <IndicatorItem id="42d0ed40-0e93-4624-b28a-2f1e02b71c71" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">268988aa1df82ab073f527b5b6c8bff7</Content> </IndicatorItem> <IndicatorItem id="549b908d-4d7c-42cb-bb21-ad2ca1c313fd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1baa7f5813e259c6346d1b02a1370d75</Content> </IndicatorItem> <IndicatorItem id="f59fdba5-77be-4958-8488-a5e7a476a21c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8454918f639a1b0719e00627f211d2ed</Content> </IndicatorItem> <IndicatorItem id="a7eb94d7-36d5-4b3e-b15c-905cfe3440f0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">75ff4bd6b209b6f10472c4cd22e3f9e6</Content> </IndicatorItem> <IndicatorItem id="f30a28b5-289b-44a4-a057-6bb48b209b50" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a96a6c91e71e243f00a64f53e2fd6415</Content> </IndicatorItem> <IndicatorItem id="e2a7d3c7-66e0-436c-b7ff-6dda4a2d182b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b3af1381f69e36b72e5b272f06aa1fa2</Content> </IndicatorItem> <IndicatorItem id="c98fb076-c73c-4339-9e81-1603d71c14cb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">35f32431a069398d25efda2dafa32d93</Content> </IndicatorItem> <IndicatorItem id="ca8a127b-c365-4406-bb58-d965f17d3072" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">543e03cc5872e9ed870b2d64363f518b</Content> </IndicatorItem> <IndicatorItem id="de622043-d18d-4570-9c41-785e1f926d04" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">830e5cd6d590aa65dd3e2c1a01b42259</Content> </IndicatorItem> <IndicatorItem id="69e791a7-621c-47fe-84d0-8c7c3c4c5539" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">286f48dda20e2ccc3250a6e09a130db1</Content> </IndicatorItem> <IndicatorItem id="f2b05d1a-ef70-47ae-bb16-0972c5673db8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b5a430a0696b5b25ae6b4fa5cbfe3333</Content> </IndicatorItem> <IndicatorItem id="abe084a6-95c9-4e2e-b50c-48634b049e8d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8f3d20c983f9d82a8ff17466f45ee757</Content> </IndicatorItem> <IndicatorItem id="d091bd18-9d30-4a5a-b73f-4e5686c7c61f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">390d1f2a620912104f53c034c8aef14b</Content> </IndicatorItem> <IndicatorItem id="9a0d7892-fe69-4f2b-b8b5-6bf1459adbf0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">dfbc95c0eb1ac9b17b9db8053734b11b</Content> </IndicatorItem> <IndicatorItem id="0339701e-b944-4d36-a744-1a2d1dc4984a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">44066f29aab6a9379f8dd30f6bec257d</Content> </IndicatorItem> <IndicatorItem id="efa91ffd-9547-45e5-8f43-830b30630826" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">830a748959bdd1ad3b6a1f72aab6f063</Content> </IndicatorItem> <IndicatorItem id="71d2a49a-782a-4cec-8706-9d637847c256" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">a807ad465b2fe5859c85626e97eaf907</Content> </IndicatorItem> <IndicatorItem id="37423a2a-23ec-4836-bc6c-e91e3bbbc139" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ace798670a64b38aa7d065c776b49f17</Content> </IndicatorItem> <IndicatorItem id="12571590-08e0-4061-b6d1-eb491408217c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0cf9e999c574ec89595263446978dc9f</Content> </IndicatorItem> <IndicatorItem id="b254ec57-2b1f-415e-9b4a-d0fa1824ec89" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fcdaa67e33357f64bc4ce7b57491fc53</Content> </IndicatorItem> <IndicatorItem id="d749c083-a4f7-40cc-8c67-28ac66e114d1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a311516cdf06d3db4f49e67da5213ebe</Content> </IndicatorItem> <IndicatorItem id="e6799d98-6e76-4b67-add5-543c27b1ce11" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">dc78fd49b7f39fa3bb06b927e8413dd0</Content> </IndicatorItem> <IndicatorItem id="031173b9-3d67-4eb0-a9b2-cb0309e1d4ea" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">321d75c9990408db812e5a248a74f8c8</Content> </IndicatorItem> <IndicatorItem id="10e80b2c-58ec-4ee0-94ed-dab861d672f3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5bcaa2f4bc7567f6ffd5507a161e221a</Content> </IndicatorItem> <IndicatorItem id="2c8d7578-f766-410c-bafa-ad6b2c465d5b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d0d5a20c5a6c4fddab4d43b85632b6a9</Content> </IndicatorItem> <IndicatorItem id="e7727486-09ce-4567-9500-3ab2d7314def" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">c99fa835350aa9e2427ce69323b061a9</Content> </IndicatorItem> <IndicatorItem id="8e383de5-dc05-41ba-bb1a-237d315752fc" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7f1a4bc267ace340a5aa7a0b79cbf349</Content> </IndicatorItem> <IndicatorItem id="27c0377b-ae5d-47d8-b7b4-369a5e19d96e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6b6c4c0e2959df248be90d89899953a9</Content> </IndicatorItem> <IndicatorItem id="a3d15fc1-a35a-4427-a3d7-f2f32da400cb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">698fbe7ed1ddd7f5c76b86fad3f7a485</Content> </IndicatorItem> <IndicatorItem id="9d71ef02-d837-42d5-9697-01909ef67497" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c307bad133cc160a0129fda4c57e0f52</Content> </IndicatorItem> <IndicatorItem id="2be3fe72-f623-4db7-8546-37a789c51737" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">77dc072fdd632c12bacc09ceb8e6ee39</Content> </IndicatorItem> <IndicatorItem id="7d0a3622-cb89-4387-98df-46cce2c03eae" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1328eaceb140a3863951d18661b097af</Content> </IndicatorItem> <IndicatorItem id="ac970ae5-b767-4853-bc68-56e6902ac774" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9d85a2ae1e7971a49cb417d97797ac8a</Content> </IndicatorItem> <IndicatorItem id="ebdb3df3-a53c-4df9-bf81-abe1d85058bd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">08e0d0f5cdfe1bc2e5fc1b992fe1e073</Content> </IndicatorItem> <IndicatorItem id="5236ded3-932e-400d-9941-07da6e92de13" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">89164a973ae081991a973aa9d5cdee7c</Content> </IndicatorItem> <IndicatorItem id="998d432c-ea3a-4483-8c2d-90fbcb6aace6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cfce9478c880934b3548c3022a956e14</Content> </IndicatorItem> <IndicatorItem id="95907c16-e72e-4a13-916a-57d216ca5ba9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0583f58ac3d804d28cd433d369b096b8</Content> </IndicatorItem> <IndicatorItem id="8cc362ec-5bf7-4829-9374-35ab06631eea" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">15244d2321faa3a271ff0b1e5a23148f</Content> </IndicatorItem> <IndicatorItem id="f5a213e2-e862-4ba8-8f1c-03d5a8d150a0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">41d623c1de3b0d182c51e56b2a3f3fba</Content> </IndicatorItem> <IndicatorItem id="cfee9e99-7cf0-410c-a733-6d5955e9fc73" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ca327bc83fbe38b3689cd1a5505dfc33</Content> </IndicatorItem> <IndicatorItem id="d8911b27-17cf-4264-9a51-68d111a56068" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d34e357461c55d90c52309c1ff952b4c</Content> </IndicatorItem> <IndicatorItem id="61a03b1e-0e29-4636-b0e1-491b9cf40561" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">30a7aa13b1f8d272cb36576952e8b6c0</Content> </IndicatorItem> <IndicatorItem id="ced89bd9-a6cb-48b0-b401-b76a5b3f95cd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">089c9e5407ddb464dfeca2e528536395</Content> </IndicatorItem> <IndicatorItem id="fa8df09e-f458-4392-b8e2-733500f31483" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">2976a62c2a829a153a9b0b5f433bdc77</Content> </IndicatorItem> <IndicatorItem id="f9951faf-1de8-4b86-927a-a800b7537245" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7aecb34616245eb6b2906358151be55b</Content> </IndicatorItem> <IndicatorItem id="fd457d34-2778-4cbe-978e-c95a7aa8dfba" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">86b1f3874bf741a3f9c0d74625af5f8d</Content> </IndicatorItem> <IndicatorItem id="a7134924-b7a0-4f1c-b818-4e38f2c2f63d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">dd21d1ea2146861a4219b1cbdaefe59b</Content> </IndicatorItem> <IndicatorItem id="2238b0c8-37b7-49a9-83e4-4f1861409940" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5ff3269faca4a67d1a4c537154aaad4b</Content> </IndicatorItem> <IndicatorItem id="1e6db3c7-b93a-43e7-ae3d-dc44910f0c5b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cf9c2d5a8fbdd1c5adc20cfc5e663c21</Content> </IndicatorItem> <IndicatorItem id="031beb4a-f30c-4bb4-950f-99c9a762691f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">097b5abb53a3d84fa9eabda02fef9e91</Content> </IndicatorItem> <IndicatorItem id="15526961-181e-4767-81c1-22e7f5d0444c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4f763b07a7b8a80f1f9408e590f79532</Content> </IndicatorItem> <IndicatorItem id="54e1cfa7-5b9f-4dac-9b4d-732bb293815c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f627990bbe2ec5c48c180f724490c332</Content> </IndicatorItem> <IndicatorItem id="511936a6-ff5e-4463-ae3c-7c304387ec73" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">5e42780f52763c77d592044e535e4b01</Content> </IndicatorItem> <IndicatorItem id="5dd6ca2f-564f-4d12-ae49-07c9b8c42705" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d16947b200afa74a917f055597b772c0</Content> </IndicatorItem> <IndicatorItem id="4b1620f4-94db-4cb7-98d1-7141c7568631" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c04c796ef126ad7429be7d55720fe392</Content> </IndicatorItem> <IndicatorItem id="9f36688c-aa19-4d6d-ac0e-58dbf963cdff" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">95d85aa629a786bb67439a064c4349ec</Content> </IndicatorItem> <IndicatorItem id="be21f52c-fe43-4511-9ab6-fc00e6b23282" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4c9c9dbf388a8d81d8cfb4d3fc05f8e4</Content> </IndicatorItem> <IndicatorItem id="4494ac88-9ec5-4190-b3c6-d083b6ce7c2d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">36d5c8fc4b14559f73b6136d85b94198</Content> </IndicatorItem> <IndicatorItem id="e07a2b0f-b23a-44d3-9047-5579172d4936" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5100f0a34695c4c9dc7e915177041cad</Content> </IndicatorItem> <IndicatorItem id="b60946dd-61b1-4e52-b3a2-577f717334cb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1415eb8519d13328091cc5c76a624e3d</Content> </IndicatorItem> <IndicatorItem id="3c518aee-4064-4202-8a4b-de3e8a10a40c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c41e44045cebebfba234063de8fd7c4d</Content> </IndicatorItem> <IndicatorItem id="d5216c57-dd11-4343-a269-97abf7e8c45d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">a5b581c0600815b1112ca2fed578928b</Content> </IndicatorItem> <IndicatorItem id="ae8fd0ff-f4e9-4d36-ad1c-5d7ab6b5e4c6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0908d8b3e459551039bade50930e4c1b</Content> </IndicatorItem> <IndicatorItem id="a076efc9-286e-45ad-b1cf-10c1544614e5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a5d4ebc0285f0213e0c29d23bc410889</Content> </IndicatorItem> <IndicatorItem id="11395907-8fc0-48ff-ab5c-0fa2bf0e8d2b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d22863c5e6f098a4b52688b021beef0a</Content> </IndicatorItem> <IndicatorItem id="4226b629-8bff-4b2a-87a7-e5fac402c3cf" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3e87051b1dc3463f378c7e1fe398dc7d</Content> </IndicatorItem> <IndicatorItem id="8bbb0362-5760-4b81-9ec6-8732388d2e35" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4b19a2a6d40a5825e868c6ef25ae445e</Content> </IndicatorItem> <IndicatorItem id="b339ef46-6452-422a-9421-14c96a48bfd6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">70a55fdc712c6e31e013e6b5d412b0d6</Content> </IndicatorItem> <IndicatorItem id="1e74cabc-58df-4e91-8256-0a8cef0b8144" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7388d67561d0a7989202ad4d37eff24f</Content> </IndicatorItem> <IndicatorItem id="d9efea8e-5f1a-4893-81a1-3022410a2359" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">aa4f1ecc4d25b33395196b5d51a06790</Content> </IndicatorItem> <IndicatorItem id="6c044212-b4c3-42b1-98f0-a23db4579307" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">ddf3db31f9fa21cd43ff19dde393aba8</Content> </IndicatorItem> <IndicatorItem id="0a45a393-c5bb-4abe-9fe5-55884ed3301e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d7796209412da17b2ee2ccf2309b4abf</Content> </IndicatorItem> <IndicatorItem id="eccbdeca-17e3-49e2-86e6-d9a958b282b0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">95f25d3afc5370f5d9fd8e65c17d3599</Content> </IndicatorItem> <IndicatorItem id="876efde6-d854-4985-b4bc-38eeaf6ef402" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">002325a0a67fded0381b5648d7fe9b8e</Content> </IndicatorItem> <IndicatorItem id="168e96c7-27ee-4dd9-83ef-42068e64e550" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a24112e4b875038331d2672b6427763c</Content> </IndicatorItem> <IndicatorItem id="2146b9ab-a964-4949-b0cf-0ee322674c97" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ea7aeea782173eb19ef880c6a54456f2</Content> </IndicatorItem> <IndicatorItem id="78a4421d-77f0-4baa-8b0f-4e502e1e6341" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">31e5e58dbdfad05175613e795298ebb5</Content> </IndicatorItem> <IndicatorItem id="b0d3d267-a266-4f4a-bf73-bd4bf33895c1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">11504971bb85cdacb8ef7d45e6e2aeb7</Content> </IndicatorItem> <IndicatorItem id="13e6bd1c-3cb0-4045-8183-1bcba1a00bf0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">36c0d3f109aede4d76b05431f8a64f9e</Content> </IndicatorItem> <IndicatorItem id="3048ce00-8772-4297-b560-661bd502930a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">e83f60fb0e0396ea309faf0aed64e53f</Content> </IndicatorItem> <IndicatorItem id="950b8512-8dae-4155-a5ce-f5a5a87d85fe" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">af2745e8888f2ba17a9cf2e0779d3874</Content> </IndicatorItem> <IndicatorItem id="742e90a6-04f6-4c3b-a5d3-99f524401478" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c69a708a2a8e4581dd95f90da3833840</Content> </IndicatorItem> <IndicatorItem id="ca3fb6b4-0230-4d9b-bc05-3030c8e35c70" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f4ed3b7a8a58453052db4b5be3707342</Content> </IndicatorItem> <IndicatorItem id="55e8ea00-8198-48b9-8706-858df3791137" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1e314c972075b8058099fd8759c11ce8</Content> </IndicatorItem> <IndicatorItem id="65937d7e-c289-4f93-9738-b1b70b9db291" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">75dad1ccabae8adeb5bae899d0c630f8</Content> </IndicatorItem> <IndicatorItem id="296b347b-44c5-4379-ab6e-47586c09008b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e54ce5f0112c9fdfe86db17e85a5e2c5</Content> </IndicatorItem> <IndicatorItem id="7708d1e5-a710-45ba-ab53-2b47bd1ebec2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5c6f30cc369cd164d44941d381e282cc</Content> </IndicatorItem> <IndicatorItem id="38bbe2e6-52e5-4546-a24b-7d8a8a7be008" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d7aa32b7465f55c368230bb52d52d885</Content> </IndicatorItem> <IndicatorItem id="03cc9226-6a52-4bdc-b8dd-5b59290e24e0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">a241eec892637dec971bd925a40d3efb</Content> </IndicatorItem> <IndicatorItem id="79043b13-593d-44bb-a968-2cc4796ea553" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">55fb1409170c91740359d1d96364f17b</Content> </IndicatorItem> <IndicatorItem id="f831fe68-6ad9-4c3b-a458-da96e99bf51d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c91eacab7655870764d13ba741aa9a73</Content> </IndicatorItem> <IndicatorItem id="7a8dafce-2759-407f-b933-58f880373498" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">123505024f9e5ff74cb6aa67d7fcc392</Content> </IndicatorItem> <IndicatorItem id="3712e3ad-c73f-4ac6-a060-ae91e5f4b209" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">929802a27737cebc59d19da724fdf30a</Content> </IndicatorItem> <IndicatorItem id="6a0c1869-51f9-47bd-b5ab-6dccb1e5c4dc" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a8b2ac446c614fd5d4880d95369deb3b</Content> </IndicatorItem> <IndicatorItem id="e2902c12-d2d9-4430-b52e-f50b3a3cda0f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">57e79f7df13c0cb01910d0c688fcd296</Content> </IndicatorItem> <IndicatorItem id="0dc669b3-4708-4b9a-8342-39908c8fda76" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8934aeed5d213fe29e858eee616a6ec7</Content> </IndicatorItem> <IndicatorItem id="6390e920-b130-40a9-9c47-65e95ce704d7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">871cc547feb9dbec0285321068e392b8</Content> </IndicatorItem> <IndicatorItem id="9992608a-b5ec-4de9-bc6c-ca680d901747" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">fab6b0b33d59f393e142000f128a9652</Content> </IndicatorItem> <IndicatorItem id="e5e238fa-ee3c-4b90-bab0-f4e51686deb8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0b506c6dde8d07f9eeb82fd01a6f97d4</Content> </IndicatorItem> <IndicatorItem id="78f7038b-c6b3-43b0-9d4e-f008ffc3d39f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6808ec6dbb23f0fa7637c108f44c5c80</Content> </IndicatorItem> <IndicatorItem id="e206f2f2-91fa-4226-b125-b1d62a4d6a4d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9d93fc89fb6e0a8142e837b2de045fdd</Content> </IndicatorItem> <IndicatorItem id="2d4e4cea-ac61-4439-9103-2df82e51dd94" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">00dbb9e1c09dbdafb360f3163ba5a3de</Content> </IndicatorItem> <IndicatorItem id="bbbaa9f5-88b4-4769-9295-067830277580" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2ca8ba14ff07ef8616372c53ee84d20e</Content> </IndicatorItem> <IndicatorItem id="97fbb0b2-280f-4652-a875-3ab57069fd94" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1c16bd1488163c03cd506c2f71486a0f</Content> </IndicatorItem> <IndicatorItem id="fc91331f-c835-40e8-a9d0-c8805a056ec1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3a4cda1973cacd78740ff30774d6375e</Content> </IndicatorItem> <IndicatorItem id="af547634-8c89-45c3-b523-d1c69dee87bc" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6377ec0c87f4ec1e7897751dd85d73d4</Content> </IndicatorItem> <IndicatorItem id="8d12f279-1dfd-49cb-9bc6-20c391e261c1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">257258344edad17f689b1c6d14833cbc</Content> </IndicatorItem> <IndicatorItem id="8a1917da-62fa-4907-bbe1-a346b341ecc0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">68e5bff12ac33ecb98977afed51ebad0</Content> </IndicatorItem> <IndicatorItem id="1da495ad-f5dd-4d85-af38-2e1eb9dcd87d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3107de21e480ab1f2d67725f419b28d0</Content> </IndicatorItem> <IndicatorItem id="aff25096-ef94-4f73-9d6c-b137d311b76d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">727a6800991eead454e53e8af164a99c</Content> </IndicatorItem> <IndicatorItem id="dc43aa34-8044-424e-9149-8afa4ff0c577" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c39bc83c16f9db8a7c43a966048bca7b</Content> </IndicatorItem> <IndicatorItem id="e8fa3d4f-1ed1-4649-9fe2-4a06dd4bf0f4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c72edb12880a9af12b439a7a2d0584c1</Content> </IndicatorItem> <IndicatorItem id="f23bf30c-ef3f-4534-ae43-5a1a27f9b299" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">11de4b1ab84bcb8dd28ef0ea4641f6d0</Content> </IndicatorItem> <IndicatorItem id="33566849-1f86-465f-9bd9-d3d72022c7f1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">338782d2df367156a2c7e12e9526c600</Content> </IndicatorItem> <IndicatorItem id="4fb0d58e-5b9d-4915-8df8-6a6b5047c285" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e689b1fb0610b752f42adafc403fa49f</Content> </IndicatorItem> <IndicatorItem id="99656710-b8a5-46e8-90eb-2bd5c875a1ca" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">b86e89a42a1c1bc6ea15096c68e38ba4</Content> </IndicatorItem> <IndicatorItem id="051542fe-3415-415a-a8b1-fa809229fb26" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">dd1bede0e42d26fd2439a6e48547023c</Content> </IndicatorItem> <IndicatorItem id="95f6e322-44c7-4ef4-848a-0fbe23c5fc1b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">370c50aea66cc338b37801e1bd1c244f</Content> </IndicatorItem> <IndicatorItem id="540da951-fcb2-43f1-89a3-495305c3fd10" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f0bab119faa296c680a10ba81693915e</Content> </IndicatorItem> <IndicatorItem id="8a03ee9e-5043-4ce1-8729-0c12a92a908d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">07ae235391f7b290ea3a35067239a290</Content> </IndicatorItem> <IndicatorItem id="f9e0e6f8-9b2b-4b81-833f-2ade30521be4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d47b04327157fb188c0e81886e346c48</Content> </IndicatorItem> <IndicatorItem id="4719129c-3284-4b72-a7e2-b67e1d76b3e9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">468ff2c12cffc7e5b2fe0ee6bb3b239e</Content> </IndicatorItem> <IndicatorItem id="b88fe4c2-2780-4e86-abc9-1fd01d05f1d2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">476fea8761a03bef16e322996c2f6666</Content> </IndicatorItem> <IndicatorItem id="24ee6705-c3d8-4304-9a06-4008a9a23449" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bf9aeefc53d97bb23d35d47986504cef</Content> </IndicatorItem> <IndicatorItem id="92f1ffb0-0478-433c-a45c-bdb3fca452a6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">2daa4a4574ba06aa3203ae0e0b45b3b8</Content> </IndicatorItem> <IndicatorItem id="e80dbbec-1827-4c76-b561-4a826a74ec76" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d9fb6620e4402764bbf2088de02898ca</Content> </IndicatorItem> <IndicatorItem id="fbc4c735-31e5-4ea6-bd69-c8c8c49614b9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e476e4a24f8b4ff4c8a0b260aa35fc9f</Content> </IndicatorItem> <IndicatorItem id="590410e3-cbb5-4a58-aba7-2c8f849f7e07" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4e551abcd14506092a0f8d54a45f3569</Content> </IndicatorItem> <IndicatorItem id="c5debc8f-5481-4f4a-a8f1-f9e791be932e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a6117891e42ee7db36253b57839c8b8f</Content> </IndicatorItem> <IndicatorItem id="ee66514f-48be-4d66-88d3-058cb83c21c7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">61daab56e07dfa3a236d8aec9eb80545</Content> </IndicatorItem> <IndicatorItem id="2353a63c-c816-4a3f-aabd-3e7c451964f8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0b13a21fb9e12551685472fc76b4568a</Content> </IndicatorItem> <IndicatorItem id="9ba05a25-54a9-4288-8d9b-19d1633e382e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3f243b304358041fb163007e0c066d4a</Content> </IndicatorItem> <IndicatorItem id="0c862527-c7a6-4721-846b-674360e02d05" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e9df2f69ed3d9c895ad9d399eaff1bc8</Content> </IndicatorItem> <IndicatorItem id="60c2eb4a-09b9-4cdc-a25d-cdcb6b2d048a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">878e8edd77ceef481fa486d0f77bbcbf</Content> </IndicatorItem> <IndicatorItem id="95395c68-d46e-46cf-8c34-cab57248c436" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e649f31f7f3a7b15ce1290e8d096c058</Content> </IndicatorItem> <IndicatorItem id="d88551f7-346a-40f6-aff2-9d37b191b2a4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d8fdd9cfca25315635378dd2564094ca</Content> </IndicatorItem> <IndicatorItem id="8c17b911-940f-48e5-a9d3-a1a37b874a73" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3d61d23c2be95177937aa50769c0c512</Content> </IndicatorItem> <IndicatorItem id="b5e3109b-d003-4e43-ae1b-dd211ce39546" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c3de028cbc5aa0934008d95689d5f334</Content> </IndicatorItem> <IndicatorItem id="dddc6df3-bd6a-4f9c-b64c-e41eb6a2a160" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a1468ce16f2d17979cc1a61878c1c8c6</Content> </IndicatorItem> <IndicatorItem id="5515aa67-956d-453e-a5f7-21cbc3b6bc01" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bc756bb6bf4e7b2058e8dce6ba8b1a79</Content> </IndicatorItem> <IndicatorItem id="fefb9769-9a14-4e4b-bb43-b11ac1ea5d20" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f24b4d7a2dfc2cf2625985e880e52356</Content> </IndicatorItem> <IndicatorItem id="e4ba4a24-5fa0-43b1-a710-55c1060ffbe4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0c5e9f564115bfcbee66377a829de55f</Content> </IndicatorItem> <IndicatorItem id="5ad007ee-80eb-4111-bf39-4beb81513c04" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">6f9992c486195edcf0bf2f6ee6c3ec74</Content> </IndicatorItem> <IndicatorItem id="9af5d073-4bcc-4b57-8add-450b271b8d7c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3a45d4bfd1f919f167ce4a5e5ba00e15</Content> </IndicatorItem> <IndicatorItem id="bdd720ac-a60c-48e5-a701-11bce6df9481" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">43b844c35e1a933e9214588be81ce772</Content> </IndicatorItem> <IndicatorItem id="7f63da93-6a36-4931-bbc1-305ee9445d3a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0d0240672a314a7547d328f824642da8</Content> </IndicatorItem> <IndicatorItem id="ad091b9c-f29a-4f0f-a50a-a0d11290feb7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1a0c7e61bcc50d57b7bcf9d9af691de5</Content> </IndicatorItem> <IndicatorItem id="5fffb910-e9d0-4919-8fc0-7afb3eabe2e6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9e860622fee66074dfe81dcfcc40c4e2</Content> </IndicatorItem> <IndicatorItem id="55fe4b5d-70ed-448e-ba29-26e285605e6f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4c6bddcca2695d6202df38708e14fc7e</Content> </IndicatorItem> <IndicatorItem id="0484c86e-0cc7-4f45-93b2-ccaa72d35abd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">585691777080b419b523938edd3ba2d6</Content> </IndicatorItem> <IndicatorItem id="2f0e18e2-3d62-4d5f-8523-0f5deee4e6a2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">eefa8d6c9a26dcc13604b11bbe5635c1</Content> </IndicatorItem> <IndicatorItem id="4c974f84-2a25-4971-8926-c08927cd92f6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">8d251ef81b1e2251601a7b2b0c03ec05</Content> </IndicatorItem> <IndicatorItem id="f3a6eafd-ea13-4671-89f7-54441ffa55c2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bd15714360c12ffca4c3c1e86fc69d0e</Content> </IndicatorItem> <IndicatorItem id="a83301c8-e493-4376-aa6d-d0900fe3de18" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b54f58c484f56c704858ccfffbb9d535</Content> </IndicatorItem> <IndicatorItem id="efbc08ef-d619-402b-8958-31d69ca7ab41" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ca27a87928443e21dc279008008018ba</Content> </IndicatorItem> <IndicatorItem id="132a00f2-2ea7-4840-a64a-61dd8e5f6a41" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f6549d4a4097bac446acf8b31d250d2e</Content> </IndicatorItem> <IndicatorItem id="5117db30-f6e1-48a7-85c3-5fc54bd09520" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7a660a9e48f6065333f388f2c0a67bd8</Content> </IndicatorItem> <IndicatorItem id="0a82d11c-ef7e-45e1-b1d9-afb1908c132b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">759b320aca72ba446e7e156407ebc10d</Content> </IndicatorItem> <IndicatorItem id="2d23d214-8c30-4615-a7f8-502377704091" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bc723e4f93a3bf85f4d1e1910393d1a3</Content> </IndicatorItem> <IndicatorItem id="9450b911-ff5b-4ca2-9291-f77794b911ac" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3f19992be3606c136b15041207daf6e4</Content> </IndicatorItem> <IndicatorItem id="e16a4b65-7734-4a99-ab70-5bd5d2ed2973" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">54d5d171a482278cc8eacf08d9175fd7</Content> </IndicatorItem> <IndicatorItem id="c126266f-2951-4a8f-89b9-8e20f568b08f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d271ae0f4e9230af3b61eafe7f671fde</Content> </IndicatorItem> <IndicatorItem id="48a465c4-15ee-43c6-b54d-efc49ab756a5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9675827a495f4ba6a4efd4dd70932b7c</Content> </IndicatorItem> <IndicatorItem id="78db76ec-e88d-4910-9cc8-bce5a97300d6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d8238e950608e5aba3d3e9e83e9ee2cc</Content> </IndicatorItem> <IndicatorItem id="a9781e3b-ae53-4128-a71b-cee9245ff0b6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">17f5a2e0997b59449ca2120b20b5b7ce</Content> </IndicatorItem> <IndicatorItem id="dee91341-74a3-4abc-86d9-fef25e10d246" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6bf8f1f99ac5bba0db1b66518df378a4</Content> </IndicatorItem> <IndicatorItem id="12d4130f-cc2e-4381-bd02-b3d44f4833b4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c6a4bb1a4e4f69ec71855d70d6960859</Content> </IndicatorItem> <IndicatorItem id="c2be8c2c-0d24-4456-aefd-b23eb2b6f0b9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">689dcd40d5eae8c0d315265f3d90ffae</Content> </IndicatorItem> <IndicatorItem id="d5140a1b-8e85-4dfb-b63a-1acc5eef20b1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e480c8839e819eaa9b19d53acfa95052</Content> </IndicatorItem> <IndicatorItem id="b0b379f8-7193-4a0a-af42-efea99dc4af9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">8cda4e0ee20ddd00003caf7947af7fe4</Content> </IndicatorItem> <IndicatorItem id="c67a21b6-8a52-48f7-bea9-713f9e90b2ac" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4788960e489197f2633f581607eb0d26</Content> </IndicatorItem> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator>
<!-- WEBC2-TABLE (FAMILY) indicator. The cybox:Observable tree and the embedded OpenIOC
     definition express the same logic: every observable id/idref in this indicator is
     "mandiant:observable-" followed by the id of the matching OpenIOC Indicator or
     IndicatorItem. The idref targets are not defined inside this indicator; they are
     presumably declared elsewhere in the package (verify when resolving references).
     The file header describes the CybOX conversion as lossy, so compare against the
     OpenIOC Test_Mechanism wherever the two representations disagree. -->
<stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-b934ce84-ff5e-42d9-8c61-bee975f32b02"> <indicator:Title>WEBC2-TABLE (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Downloader</indicator:Type> <indicator:Description> The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-TABLE variant looks for web pages containing 'background', 'align', and 'bgcolor' tags to be present in the requested Web page. If the data in these tags are formatted correctly, the malware will decode a second URL and a filename. This URL is then retrieved, written to the decoded filename and executed. 
</indicator:Description> <indicator:Observable>
<!-- Top-level OR: a match on any single child observable, or on any one nested
     composition, satisfies the indicator. The nested compositions use AND, so all of
     their children must match together. -->
<cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-b6d6fb31-f0d1-4c76-9dc7-fd18d7c99a61"/> <cybox:Observable idref="mandiant:observable-d0aa3f97-a750-44c2-9997-ac2dc9b877a9"/> <cybox:Observable idref="mandiant:observable-57fb3999-92a2-4c02-b5ec-0e05e151b0c7"/> <cybox:Observable idref="mandiant:observable-4685be44-fde1-4cfa-a08a-c5dc536f461b"/> <cybox:Observable idref="mandiant:observable-74f6d69a-7497-4553-aa6b-d43b5821a7d4"/> <cybox:Observable idref="mandiant:observable-27a80dc4-6220-4b79-adae-6100cdbcad22"/> <cybox:Observable id="mandiant:observable-2d92225b-73ef-4173-81f7-0d5f2f8a4305"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-5eef2e99-9a20-4513-ada7-74e06d9c3fc2"/> <cybox:Observable id="mandiant:observable-4bf94904-7f68-4cab-ad5e-ffe74092b4e6"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-bd596294-f70f-4401-bea6-5069ba7bd850"/> <cybox:Observable idref="mandiant:observable-b451f468-0c0f-475f-9493-9b67ddf9050e"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-bb68f7b8-5b81-4cf8-a19f-fd1a07dad350"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-2c81eec5-d9df-4726-ac36-1629970bf2fc"/> <cybox:Observable idref="mandiant:observable-da67532b-372e-4f1f-8631-f4e0ae1185f5"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-e46bf492-2d93-4392-900e-5a18879b886d"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-81a968a6-91db-4098-a9fc-0dc99871db9f"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-a784718d-0dff-462c-8b26-ca1114361fe9"/> <cybox:Observable idref="mandiant:observable-079200ea-25ad-4d16-ab0b-9dd72b49b919"/> 
<cybox:Observable idref="mandiant:observable-56afacfd-0e57-4061-8677-24f1bcb36ab0"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-940e5191-e17f-4a7d-87d7-8140fa0b56c6"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-5c1fc3c1-fd6a-4848-9d7e-5bbbdd8c21b1"/> <cybox:Observable idref="mandiant:observable-8371563b-64e3-4461-a0f3-63e429f5ad70"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-484fbfb5-adb7-4fba-9598-c6d340f1b010"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-e93266a8-02fb-422c-981f-6af800981077"/> <cybox:Observable idref="mandiant:observable-ce68864a-3815-4fd6-8e29-d1a5d3b91269"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <!-- References WEBC2 TTP rather than main APT1 TTP --> <stixCommon:TTP idref="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="9c9368cd-3a1f-4200-b093-adb97d5f1f5d" last-modified="2013-02-10T13:00:00"> <short_description>WEBC2-TABLE (FAMILY)</short_description> <description>The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-TABLE variant looks for web pages containing 'background', 'align', and 'bgcolor' tags to be present in the requested Web page. If the data in these tags are formatted correctly, the malware will decode a second URL and a filename. 
This URL is then retrieved, written to the decoded filename and executed.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="category">Downloader</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="family">WEBC2-TABLE</link> </links> <definition> <Indicator operator="OR" id="b934ce84-ff5e-42d9-8c61-bee975f32b02">
<!-- Exact MD5 matches (condition="is" on FileItem/Md5sum). These identify two specific
     known files only; a rebuilt or otherwise modified sample will not match, so coverage
     of other builds depends on the path, PE-metadata and registry terms that follow. -->
<IndicatorItem id="b6d6fb31-f0d1-4c76-9dc7-fd18d7c99a61" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7a7a46e8fbc25a624d58e897dee04ffa</Content> </IndicatorItem> <IndicatorItem id="d0aa3f97-a750-44c2-9997-ac2dc9b877a9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">be58ff564c854be419a19a030af25c86</Content> </IndicatorItem>
<!-- Standalone file-path, file-name and registry-text terms. They sit directly under the
     top-level OR, so each one fires on its own with no corroborating condition; hits on
     these terms should be triaged rather than treated as confirmed.
     NOTE(review): svchost.exe and wuauclt.exe are also the names of legitimate Windows
     binaries; the "help\" and "Microsoft\" path fragments are presumably what separates
     the malicious copies from the system ones. Confirm against the APT1 report. -->
<IndicatorItem id="57fb3999-92a2-4c02-b5ec-0e05e151b0c7" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">help\svchost.exe</Content> </IndicatorItem> <IndicatorItem id="4685be44-fde1-4cfa-a08a-c5dc536f461b" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">sdwefa.gif</Content> </IndicatorItem> <IndicatorItem id="74f6d69a-7497-4553-aa6b-d43b5821a7d4" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">Microsoft\wuauclt.exe</Content> </IndicatorItem> <IndicatorItem id="27a80dc4-6220-4b79-adae-6100cdbcad22" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">help\svchost.exe</Content> </IndicatorItem>
<!-- AND group: all three conditions must hold. (1) the PE anomaly checksum_is_zero,
     (2) a file name of wuauclt.exe or svchost.exe, and (3) either a size of 10240 bytes
     or a PE timestamp of 2012-03-16T07:10:50Z. PE checksum and timestamp are header
     fields set when the file is built, so this group presumably tracks particular
     builds rather than the family as a whole. -->
<Indicator operator="AND" id="2d92225b-73ef-4173-81f7-0d5f2f8a4305"> <IndicatorItem id="5eef2e99-9a20-4513-ada7-74e06d9c3fc2" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> 
<Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> <Indicator operator="OR" id="4bf94904-7f68-4cab-ad5e-ffe74092b4e6"> <IndicatorItem id="bd596294-f70f-4401-bea6-5069ba7bd850" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">wuauclt.exe</Content> </IndicatorItem> <IndicatorItem id="b451f468-0c0f-475f-9493-9b67ddf9050e" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">svchost.exe</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="bb68f7b8-5b81-4cf8-a19f-fd1a07dad350"> <IndicatorItem id="2c81eec5-d9df-4726-ac36-1629970bf2fc" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">10240</Content> </IndicatorItem> <IndicatorItem id="da67532b-372e-4f1f-8631-f4e0ae1185f5" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-03-16T07:10:50Z</Content> </IndicatorItem> </Indicator> </Indicator>
<!-- AND group: a version-information resource that matches svchost.exe (OriginalFilename,
     FileDescription or InternalName) combined with either a file name of wuaclt.exe or a
     full path containing help\svchost.exe.
     NOTE(review): the file name here is spelled "wuaclt.exe" while the other terms in
     this definition use "wuauclt.exe". This file does not show whether the difference is
     intentional; check the source IOC before normalising either spelling. -->
<Indicator operator="AND" id="e46bf492-2d93-4392-900e-5a18879b886d"> <Indicator operator="OR" id="81a968a6-91db-4098-a9fc-0dc99871db9f"> <IndicatorItem id="a784718d-0dff-462c-8b26-ca1114361fe9" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/OriginalFilename" type="mir"/> <Content type="string">svchost.exe</Content> </IndicatorItem> <IndicatorItem id="079200ea-25ad-4d16-ab0b-9dd72b49b919" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileDescription" type="mir"/> <Content type="string">Generic Host Process for Win32 Services</Content> </IndicatorItem> <IndicatorItem id="56afacfd-0e57-4061-8677-24f1bcb36ab0" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/InternalName" type="mir"/> <Content type="string">svchost.exe</Content> </IndicatorItem> 
</Indicator> <Indicator operator="OR" id="940e5191-e17f-4a7d-87d7-8140fa0b56c6"> <IndicatorItem id="5c1fc3c1-fd6a-4848-9d7e-5bbbdd8c21b1" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">wuaclt.exe</Content> </IndicatorItem> <IndicatorItem id="8371563b-64e3-4461-a0f3-63e429f5ad70" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">help\svchost.exe</Content> </IndicatorItem> </Indicator> </Indicator>
<!-- AND group on registry data: a value named AdobeCom under a key path containing
     currentversion\run. Both conditions are required; the path fragment alone would
     match every entry under a Run key. The Run key is a Windows autostart location, so
     this term presumably reflects how the sample persists (not stated in this file). -->
<Indicator operator="AND" id="484fbfb5-adb7-4fba-9598-c6d340f1b010"> <IndicatorItem id="e93266a8-02fb-422c-981f-6af800981077" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">currentversion\run</Content> </IndicatorItem> <IndicatorItem id="ce68864a-3815-4fd6-8e29-d1a5d3b91269" condition="is"> <Context document="RegistryItem" search="RegistryItem/ValueName" type="mir"/> <Content type="string">AdobeCom</Content> </IndicatorItem> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-10df11ab-c69e-4f7a-b44b-52b4d3824007"> <indicator:Title>BISCUIT (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> BISCUIT provides attackers with full access to an infected host. BISCUIT capabilities include launching an interactive command shell, enumerating servers on a Windows network, enumerating and manipulating process, and transferring files. BISCUIT communicates using a custom protocol, which is then encrypted using SSL. Once installed BISCUIT will attempt to beacon to its command/control servers approximately every 10 or 30 minutes. It will beacon its primary server first, followed by a secondary server. 
All communication is encrypted with SSL (OpenSSL 0.9.8i). </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-2fa0874d-9c46-43d3-8fd9-6a042da17ade"/> <cybox:Observable idref="mandiant:observable-d24ee18d-f0b6-4d83-bc53-05cfe0d9cd3d"/> <cybox:Observable idref="mandiant:observable-4e197d86-fb67-4df7-a36e-ff5028eebac3"/> <cybox:Observable idref="mandiant:observable-8a7f6dbb-a84c-41bc-b608-346aaa7bb3b2"/> <cybox:Observable idref="mandiant:observable-8930ade3-1c85-4847-be0d-8427004d612d"/> <cybox:Observable idref="mandiant:observable-8fbdbbd0-d7da-4a19-9218-0e058cf8b18f"/> <cybox:Observable idref="mandiant:observable-d1d1b452-8db5-45d9-9a63-cce3a33426fd"/> <cybox:Observable idref="mandiant:observable-f883131c-f756-466d-b16f-cad183b228ad"/> <cybox:Observable idref="mandiant:observable-d4c672d3-88eb-4f22-8553-f8cbb376ced2"/> <cybox:Observable idref="mandiant:observable-204e7327-0e0c-4cba-a595-f61a7d60e840"/> <cybox:Observable idref="mandiant:observable-0558aa4b-6126-4621-bb95-f276c7107745"/> <cybox:Observable idref="mandiant:observable-cf3e8804-fcd6-4f2b-a4c1-52d2fea7eff2"/> <cybox:Observable idref="mandiant:observable-5efec108-ba4f-4519-a779-0ea573127fb8"/> <cybox:Observable idref="mandiant:observable-888f495c-08ef-46e7-aa45-05b324071b56"/> <cybox:Observable idref="mandiant:observable-76e93ed6-826c-42f8-916a-23de349fb622"/> <cybox:Observable idref="mandiant:observable-10d7f76a-5b8c-4fc1-b373-26278d7f530b"/> <cybox:Observable idref="mandiant:observable-f6a9ab21-43a3-4eb2-995c-42814a0e6003"/> <cybox:Observable idref="mandiant:observable-b6429584-2467-4f20-9b84-edb96212aab9"/> <cybox:Observable idref="mandiant:observable-0665b3ac-863a-4886-8b27-aa04223b038b"/> <cybox:Observable idref="mandiant:observable-c8955f74-70e3-4bb8-9793-22f31ccf307c"/> <cybox:Observable idref="mandiant:observable-95bdaae1-b151-42b1-99b0-4887617d8288"/> <cybox:Observable 
idref="mandiant:observable-97651762-c8f4-42fd-9f38-151372a06610"/> <cybox:Observable idref="mandiant:observable-d5c24431-7fb7-47d6-9720-67c7dbcab2ba"/> <cybox:Observable idref="mandiant:observable-a119b647-4dd7-4c67-b7e7-4640d164d082"/> <cybox:Observable idref="mandiant:observable-c9032003-14c2-4437-a0e8-ab5a54f975f3"/> <cybox:Observable idref="mandiant:observable-377925c6-0383-4da3-9eed-4ec34576425c"/> <cybox:Observable idref="mandiant:observable-90982168-dcce-4180-905d-9d3f5c462e45"/> <cybox:Observable idref="mandiant:observable-87b997f2-0f33-4aeb-8910-c9ba92ec1650"/> <cybox:Observable idref="mandiant:observable-60ee0427-74cc-494a-9895-45a320e42d0e"/> <cybox:Observable idref="mandiant:observable-3656d515-5956-47e2-9221-93156eeb878e"/> <cybox:Observable idref="mandiant:observable-a3c9a57e-c858-4e0a-bd20-10e775f20c41"/> <cybox:Observable idref="mandiant:observable-fabb66bc-d82f-474c-bba6-6e0425b13b73"/> <cybox:Observable idref="mandiant:observable-cd1c45bc-dff7-4ddc-8642-e2b4b946edc6"/> <cybox:Observable idref="mandiant:observable-2da2476b-9152-4b4c-bcca-05b5cee9078f"/> <cybox:Observable idref="mandiant:observable-2a36beb6-03bf-4035-8028-f938f04f9a94"/> <cybox:Observable idref="mandiant:observable-d0a234db-b50f-448d-88cd-e06940043796"/> <cybox:Observable idref="mandiant:observable-034ff744-892d-441e-84b5-fe922abed392"/> <cybox:Observable idref="mandiant:observable-a8c463e9-1d78-4d6e-b8c5-5bfb922860ae"/> <cybox:Observable idref="mandiant:observable-44046fc8-7c02-42c6-b26c-b1623eb7b16c"/> <cybox:Observable idref="mandiant:observable-53877678-f17e-4da1-9336-698063493cc6"/> <cybox:Observable idref="mandiant:observable-b50152f3-886e-4132-81f2-bceb91b96629"/> <cybox:Observable idref="mandiant:observable-08f7fb65-8884-4b6e-abdc-c09c064d7a3a"/> <cybox:Observable idref="mandiant:observable-8d12babf-fa50-4637-af25-e313cfbaee21"/> <cybox:Observable idref="mandiant:observable-b7ca6cf3-b21e-4ce5-b66a-5cd57ea4907d"/> <cybox:Observable 
idref="mandiant:observable-6d0cc478-3e68-440a-a6bf-e9b00e9acf85"/> <cybox:Observable idref="mandiant:observable-e9d45424-4a97-4ca6-a6da-6abdf9d25764"/> <cybox:Observable idref="mandiant:observable-3a44244a-ead8-48f4-8e4a-b5fcadee81bf"/> <cybox:Observable idref="mandiant:observable-28104725-75b2-4abf-8269-4f854514a608"/> <cybox:Observable idref="mandiant:observable-e0da4965-b6c6-4afe-a6f6-eede4fc3177d"/> <cybox:Observable idref="mandiant:observable-294bb491-f96f-4bab-a8b5-c26f65d2acb7"/> <cybox:Observable idref="mandiant:observable-f836ade2-a72e-4b30-8c56-cb95d341c828"/> <cybox:Observable idref="mandiant:observable-92c6e3af-79e1-42dc-a02e-4505e1d6e459"/> <cybox:Observable idref="mandiant:observable-6c09d8f4-fae6-41e6-892e-e0bc785d5cc6"/> <cybox:Observable id="mandiant:observable-1267b5c9-1ad8-4fb6-b6b8-86a0b8ab72ca"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-92bdc4b1-584a-46db-9c72-534ab9036894"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-037dfc3e-7d9d-4630-90a5-dee0c18f407f"/> <cybox:Observable idref="mandiant:observable-34bde6bc-b8b0-496a-801e-40ed15bee252"/> <cybox:Observable idref="mandiant:observable-c16e08f5-98b9-42de-8001-d386041c368e"/> <cybox:Observable idref="mandiant:observable-18f232ee-cd67-47e1-9a2e-fdd3298233c3"/> <cybox:Observable idref="mandiant:observable-71df27ee-4eda-4afc-8409-ec4c58da3473"/> <cybox:Observable idref="mandiant:observable-ad64b6cf-4af2-4f3d-a2e0-2fe3e6b30cdc"/> <cybox:Observable idref="mandiant:observable-fc106d4b-f060-46f5-80c8-ce8033193fdd"/> <cybox:Observable idref="mandiant:observable-cde6ab63-addc-4103-a889-b56c4524b701"/> <cybox:Observable idref="mandiant:observable-4016c737-ebe6-4aa0-a739-7c46f0af893e"/> <cybox:Observable idref="mandiant:observable-5c550ff6-3986-48cf-a2d5-fcfd41f20b0a"/> <cybox:Observable idref="mandiant:observable-f454c870-cb2e-4a9e-b31d-0f9d068aca31"/> <cybox:Observable 
idref="mandiant:observable-7f4075e2-7dac-4b0e-a276-7eb14c70d765"/> <cybox:Observable idref="mandiant:observable-bd302583-bcf1-4e69-9e8e-f0c973a53cea"/> <cybox:Observable idref="mandiant:observable-02e5a04d-e5ef-48a8-b455-c6c1c325925c"/> <cybox:Observable idref="mandiant:observable-6f87cd10-39d3-413b-b3ca-52ba7a124f49"/> <cybox:Observable idref="mandiant:observable-28924f62-5441-4632-97d2-5d35a4213976"/> <cybox:Observable idref="mandiant:observable-c14a804e-cf50-41bf-88c4-550a25a2103b"/> <cybox:Observable idref="mandiant:observable-99013664-03ee-41a3-a38a-ef120f81cb58"/> <cybox:Observable idref="mandiant:observable-44055711-fe03-48b4-b8d2-50be225edad8"/> <cybox:Observable idref="mandiant:observable-54a85d32-a165-449f-8b6b-f8203a69b954"/> <cybox:Observable idref="mandiant:observable-77d26675-49f2-4cde-8991-460e2da658eb"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-61cc97ad-3c83-4659-adba-589f6a1ad052"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-36b204ba-de10-486c-98b6-288c0c2ac6d8"/> <cybox:Observable idref="mandiant:observable-90242cd9-546d-4966-bdaa-d4467018c25a"/> <cybox:Observable idref="mandiant:observable-7d8fceb3-7717-41bb-bdc1-61a29d0028ba"/> <cybox:Observable idref="mandiant:observable-50de64c1-250c-45f0-a66d-a03be1e88a1f"/> <cybox:Observable idref="mandiant:observable-8d335f68-cdf6-4aac-aaa4-7aab25cc0fea"/> <cybox:Observable idref="mandiant:observable-29ce9cb1-3829-47f0-b933-6fea33cb61b0"/> <cybox:Observable idref="mandiant:observable-5af465c1-ee05-441c-8b4f-687a13c442d9"/> <cybox:Observable idref="mandiant:observable-2fc67e5b-4b1d-4135-919d-3c15aac0b494"/> <cybox:Observable idref="mandiant:observable-1e5a489d-61ff-4079-aaf2-7dc8fa96d977"/> <cybox:Observable idref="mandiant:observable-f511fe11-750f-40cf-bb04-348e3a465d49"/> <cybox:Observable idref="mandiant:observable-4c0947d0-3f60-4c95-a587-580bce510b1b"/> <cybox:Observable 
idref="mandiant:observable-b81acf6e-417c-44f2-ab24-da18c03965ae"/> <cybox:Observable idref="mandiant:observable-bc69843a-17ac-42de-82bb-1a15123dc1a2"/> <cybox:Observable idref="mandiant:observable-fc2df9d6-0533-4850-8421-310d6c90813f"/> <cybox:Observable idref="mandiant:observable-97c2473e-edac-49f7-b5f2-4b98bb62e1a9"/> <cybox:Observable idref="mandiant:observable-f3f6a93d-912f-450a-a3d2-1e92a03b64b5"/> <cybox:Observable idref="mandiant:observable-8aad2a97-39dc-4f48-841f-3cd77cb86cc8"/> <cybox:Observable idref="mandiant:observable-3f9eb2e3-e31c-451f-9dc0-555d76dbf4b4"/> <cybox:Observable idref="mandiant:observable-ea4ed5d7-ae07-43eb-b5b3-205cde14f99f"/> <cybox:Observable idref="mandiant:observable-8ecebf97-b3fa-4aa7-aeb9-c811031aaf9c"/> <cybox:Observable idref="mandiant:observable-c0f94cf2-ac62-4ad2-9c92-7d3423524757"/> <cybox:Observable idref="mandiant:observable-e4bef386-82c5-42f1-841f-2416583b10c8"/> <cybox:Observable idref="mandiant:observable-6165ef6f-3e35-4930-9b09-da0bb501cc96"/> <cybox:Observable idref="mandiant:observable-c1b8d482-5742-41ad-96a5-6cc84d9e2c37"/> <cybox:Observable idref="mandiant:observable-ddb29c02-9846-49a6-9593-a47847be732d"/> <cybox:Observable idref="mandiant:observable-12ea288b-3707-4d7c-8eb6-050b0af38b6e"/> <cybox:Observable idref="mandiant:observable-0f2ab503-9e54-4ac2-ac20-fc1118088afd"/> <cybox:Observable idref="mandiant:observable-49d7c7ee-c519-4d9a-92e4-d6e7a129229b"/> <cybox:Observable idref="mandiant:observable-90ecc391-05ed-4eb4-8ad4-5a6303060a6f"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-e3bf90e4-eb4a-4683-a817-9c2a917f4655"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-711ea5c1-93fd-44d6-bdfb-0de824ff4a09"/> <cybox:Observable idref="mandiant:observable-638f1639-79f0-40a6-acff-f8abbfb615e2"/> <cybox:Observable idref="mandiant:observable-21f15ae5-0e27-4634-9dd4-fdcab5b00301"/> <cybox:Observable 
idref="mandiant:observable-3c443832-797d-44c2-a62f-d56b41c3431f"/> <cybox:Observable idref="mandiant:observable-30100aff-c0e3-4818-b46e-6787327f8a1a"/> <cybox:Observable idref="mandiant:observable-bcb220a3-50f9-43ec-a55c-a52f90e1c779"/> <cybox:Observable idref="mandiant:observable-500257fb-af21-4981-985f-ebccdfb6641a"/> <cybox:Observable idref="mandiant:observable-87e53cc0-7898-45ab-a5e5-bd42567053dc"/> <cybox:Observable idref="mandiant:observable-d7e24af2-a583-408f-ad48-0c14e6e4f360"/> <cybox:Observable idref="mandiant:observable-1b530efc-85d9-49cf-8d72-17860dcb49fe"/> <cybox:Observable idref="mandiant:observable-2731fa87-36a1-432c-a408-6484a5e593f8"/> <cybox:Observable idref="mandiant:observable-ba4f0587-bf1e-4830-99e8-9efe07904d07"/> <cybox:Observable idref="mandiant:observable-a6c97c28-a44f-4b46-9537-7c433c670244"/> <cybox:Observable idref="mandiant:observable-a3bf514e-f634-4531-b9e0-6de1b3d0c4d8"/> <cybox:Observable idref="mandiant:observable-1a433fc4-39d6-4f4f-8dac-6d83f3f9f685"/> <cybox:Observable idref="mandiant:observable-6318dd4f-b1d4-4022-9ea0-93d3b561744a"/> <cybox:Observable idref="mandiant:observable-98a89637-0403-4967-babf-e31546ba39fa"/> <cybox:Observable idref="mandiant:observable-129fff37-b218-48df-820b-aebb325f2611"/> <cybox:Observable idref="mandiant:observable-0a073e04-6778-40f3-bfae-ed3eb8b46ed1"/> <cybox:Observable idref="mandiant:observable-4d677650-5373-4fa2-8d77-bd5fca86dc38"/> <cybox:Observable idref="mandiant:observable-24f4b96e-46bf-43ae-9cb5-c25ac6fc36f9"/> <cybox:Observable idref="mandiant:observable-ada070dc-7615-47ab-bac5-a8becc87b4fc"/> <cybox:Observable idref="mandiant:observable-2ee86912-e2e9-4a0a-bb54-0b19fa74418c"/> <cybox:Observable idref="mandiant:observable-c9eed4ec-2ebe-4bd5-9150-76f7d6cf0e8f"/> <cybox:Observable idref="mandiant:observable-e8919344-fd16-4c39-9811-563e77359924"/> <cybox:Observable idref="mandiant:observable-6c97d939-b699-46c9-af68-cd3a9d26eb24"/> <cybox:Observable 
idref="mandiant:observable-6dc1a5c1-cda9-47fc-9fe7-11e3433f3682"/> <cybox:Observable idref="mandiant:observable-7bc24894-a4ea-430f-aac5-12f4b4afa84a"/> <cybox:Observable idref="mandiant:observable-d191f9cc-8cfb-4761-aeca-3fed66493e27"/> <cybox:Observable idref="mandiant:observable-449b69ae-9af5-4614-8071-74751ee11b1d"/> <cybox:Observable idref="mandiant:observable-ae5377a9-14c1-413f-8fa2-006ac9a060b0"/> <cybox:Observable idref="mandiant:observable-3ddc54ff-0a4d-4a6d-8bb9-cc0aaf1b8200"/> <cybox:Observable idref="mandiant:observable-a0a53167-d29a-448a-9316-61c056c2b7c9"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-23071edc-e5c9-4127-8de5-7b58f8c25496"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-9059fdf6-0e03-413b-b0a4-3bb1c38194f7"/> <cybox:Observable idref="mandiant:observable-2ab4f3c0-70fe-406d-9eff-bc9a2274042f"/> <cybox:Observable id="mandiant:observable-f95a9be5-4e29-4681-aa4a-80bce489ce1d"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-09e43b8e-cfb8-43ad-9f3e-1619a113ee70"/> <cybox:Observable idref="mandiant:observable-278e7759-8fde-48b2-9865-5109fc72547b"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-2227df38-08b9-4fca-9a76-3ab557d9ed00"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-334a9473-ca52-4a7b-935c-db28407edef9"/> <cybox:Observable idref="mandiant:observable-c2fbc8d4-abb7-426e-8439-f36516abb11b"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-b3fb95f1-5bc6-4901-ba6a-6300084d0c88"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-e4c0642f-5384-49e7-b726-9b7b93b1d046"/> <cybox:Observable 
id="mandiant:observable-b7541e31-a0d5-4744-882e-6ef39c833392"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-d0732571-13ea-47b3-8c72-8b7bfaa7e866"/> <cybox:Observable idref="mandiant:observable-289288d5-7bc7-4d43-9975-716aeca1f42a"/> <cybox:Observable id="mandiant:observable-8342a681-6f7d-49bf-a075-c6a047f4b4bd"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-0b1d861b-8da5-4ba9-83de-5452b69d7ff3"/> <cybox:Observable id="mandiant:observable-bde1512d-0412-42b7-ba82-473a1dee9cbc"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-9c488d78-e35e-44a0-9616-ba8d732b16b5"/> <cybox:Observable idref="mandiant:observable-cb4724b2-7a5a-4431-a98d-7d263c9d44b9"/> <cybox:Observable idref="mandiant:observable-9d5cf402-5631-4390-87ea-971eaab1df1d"/> <cybox:Observable idref="mandiant:observable-1b508cb0-76e5-4abf-8f9d-5fa8b1d43f0e"/> <cybox:Observable idref="mandiant:observable-320e1c11-38df-41f2-9300-26f3841072a0"/> <cybox:Observable idref="mandiant:observable-833c4845-a222-4fd0-8f27-021994a147d0"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="a1f02cbe-7d37-4ff8-bad7-c5f9f7ea63a3" last-modified="2013-02-10T13:00:00"> <short_description>BISCUIT (FAMILY)</short_description> <description>BISCUIT provides attackers with full access to an infected host. 
BISCUIT capabilities include launching an interactive command shell, enumerating servers on a Windows network, enumerating and manipulating processes, and transferring files. BISCUIT communicates using a custom protocol, which is then encrypted using SSL. Once installed, BISCUIT will attempt to beacon to its command/control servers approximately every 10 or 30 minutes. It will beacon its primary server first, followed by a secondary server. All communication is encrypted with SSL (OpenSSL 0.9.8i).</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="category">Backdoor</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="family">BISCUIT</link> </links> <definition> <Indicator operator="OR" id="10df11ab-c69e-4f7a-b44b-52b4d3824007"> <IndicatorItem id="2fa0874d-9c46-43d3-8fd9-6a042da17ade" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">70a55fdc712c6e31e013e6b5d412b0d6</Content> </IndicatorItem> <IndicatorItem id="d24ee18d-f0b6-4d83-bc53-05cfe0d9cd3d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1224527e295380dce1ac9953c850ce97</Content> </IndicatorItem> <IndicatorItem id="4e197d86-fb67-4df7-a36e-ff5028eebac3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">15901ddbccc5e9e0579fc5b42f754fe8</Content> </IndicatorItem> <IndicatorItem id="8a7f6dbb-a84c-41bc-b608-346aaa7bb3b2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">62bee50b480f6a6aa427a00464baf376</Content> </IndicatorItem> <IndicatorItem id="8930ade3-1c85-4847-be0d-8427004d612d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c2fa9f567fd34fb14fee6a38b6644ff9</Content> </IndicatorItem> <IndicatorItem id="8fbdbbd0-d7da-4a19-9218-0e058cf8b18f" 
condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">eef298d0bc5b8c89f582e48556d77b6a</Content> </IndicatorItem> <IndicatorItem id="d1d1b452-8db5-45d9-9a63-cce3a33426fd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e4a9b8993e55e3d0ba355b13d1f27a2e</Content> </IndicatorItem> <IndicatorItem id="f883131c-f756-466d-b16f-cad183b228ad" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">71173ad2bc7b39342b1bdaadeaaa0d8a</Content> </IndicatorItem> <IndicatorItem id="d4c672d3-88eb-4f22-8553-f8cbb376ced2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7cb055ac3acbf53e07e20b65ec9126a1</Content> </IndicatorItem> <IndicatorItem id="204e7327-0e0c-4cba-a595-f61a7d60e840" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">da383cc098a5ea8fbb87643611e4bfb6</Content> </IndicatorItem> <IndicatorItem id="0558aa4b-6126-4621-bb95-f276c7107745" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3b0829e2e966dae17d4c235893a3ae8a</Content> </IndicatorItem> <IndicatorItem id="cf3e8804-fcd6-4f2b-a4c1-52d2fea7eff2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ea34b72cbeb07aaac2398704c3ca6b0f</Content> </IndicatorItem> <IndicatorItem id="5efec108-ba4f-4519-a779-0ea573127fb8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">753ec12f61c2f7c9a5763c9063a16106</Content> </IndicatorItem> <IndicatorItem id="888f495c-08ef-46e7-aa45-05b324071b56" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">da60673b4f2a4660d2734a16a832282f</Content> </IndicatorItem> <IndicatorItem id="76e93ed6-826c-42f8-916a-23de349fb622" condition="is"> 
<Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">497f07f54a4c29fe3be1a15f4516e32d</Content> </IndicatorItem> <IndicatorItem id="10d7f76a-5b8c-4fc1-b373-26278d7f530b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">12f25ce81596aeb19e75cc7ef08f3a38</Content> </IndicatorItem> <IndicatorItem id="f6a9ab21-43a3-4eb2-995c-42814a0e6003" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2244c60f4c1dc285c259f3ac5bf88ff8</Content> </IndicatorItem> <IndicatorItem id="b6429584-2467-4f20-9b84-edb96212aab9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">82390e18379710df84d48881a1c1d0ed</Content> </IndicatorItem> <IndicatorItem id="0665b3ac-863a-4886-8b27-aa04223b038b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">78524ba7f66c0ec4a3755e51709db1aa</Content> </IndicatorItem> <IndicatorItem id="c8955f74-70e3-4bb8-9793-22f31ccf307c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">46a86e3c12d5025aa78c7ddf46717c38</Content> </IndicatorItem> <IndicatorItem id="95bdaae1-b151-42b1-99b0-4887617d8288" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5a728cb9ce56763dccb32b5298d0f050</Content> </IndicatorItem> <IndicatorItem id="97651762-c8f4-42fd-9f38-151372a06610" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f2693de8b687c20aca98bfc1c5aa5b38</Content> </IndicatorItem> <IndicatorItem id="d5c24431-7fb7-47d6-9720-67c7dbcab2ba" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5d8129be965fab8115eca34fc84bd7f0</Content> </IndicatorItem> <IndicatorItem id="a119b647-4dd7-4c67-b7e7-4640d164d082" condition="is"> <Context 
document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1fff3f96f53c5bbdd39eb2351f12549d</Content> </IndicatorItem> <IndicatorItem id="c9032003-14c2-4437-a0e8-ab5a54f975f3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">034374db2d35cf9da6558f54cec8a455</Content> </IndicatorItem> <IndicatorItem id="377925c6-0383-4da3-9eed-4ec34576425c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">43b844c35e1a933e9214588be81ce772</Content> </IndicatorItem> <IndicatorItem id="90982168-dcce-4180-905d-9d3f5c462e45" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f0d2ad2002557a86ecc780bf938b6dfd</Content> </IndicatorItem> <IndicatorItem id="87b997f2-0f33-4aeb-8910-c9ba92ec1650" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">acb99e5318f7001298df1aef51a9463e</Content> </IndicatorItem> <IndicatorItem id="60ee0427-74cc-494a-9895-45a320e42d0e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">693f711d8fab66a3efca98a19a733d56</Content> </IndicatorItem> <IndicatorItem id="3656d515-5956-47e2-9221-93156eeb878e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">52cb7fed85bd7ff6797fbc70105a09fe</Content> </IndicatorItem> <IndicatorItem id="a3c9a57e-c858-4e0a-bd20-10e775f20c41" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">268eef019bf65b2987e945afaf29643f</Content> </IndicatorItem> <IndicatorItem id="fabb66bc-d82f-474c-bba6-6e0425b13b73" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2a214ce037f5f6bb01ddc453f0265d92</Content> </IndicatorItem> <IndicatorItem id="cd1c45bc-dff7-4ddc-8642-e2b4b946edc6" condition="is"> <Context document="FileItem" 
search="FileItem/Md5sum" type="mir"/> <Content type="md5">7852b941a46e37fe9b332b1be77a6960</Content> </IndicatorItem> <IndicatorItem id="2da2476b-9152-4b4c-bcca-05b5cee9078f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">80bca9f272152280a462f84f1588c0cc</Content> </IndicatorItem> <IndicatorItem id="2a36beb6-03bf-4035-8028-f938f04f9a94" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8c6ece2ade2bfad3171c925baa64af50</Content> </IndicatorItem> <IndicatorItem id="d0a234db-b50f-448d-88cd-e06940043796" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9d8a7970be7826d29732817c0cc84bde</Content> </IndicatorItem> <IndicatorItem id="034ff744-892d-441e-84b5-fe922abed392" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">522d32a505f78f09303e689999a3e461</Content> </IndicatorItem> <IndicatorItem id="a8c463e9-1d78-4d6e-b8c5-5bfb922860ae" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7fc52a32337386d867a952a2c8644353</Content> </IndicatorItem> <IndicatorItem id="44046fc8-7c02-42c6-b26c-b1623eb7b16c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3a3e4bca1197e4abab03340ea97d718d</Content> </IndicatorItem> <IndicatorItem id="53877678-f17e-4da1-9336-698063493cc6" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">nwspagent.dll</Content> </IndicatorItem> <IndicatorItem id="b50152f3-886e-4132-81f2-bceb91b96629" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">nwwwks.dll</Content> </IndicatorItem> <IndicatorItem id="08f7fb65-8884-4b6e-abdc-c09c064d7a3a" condition="is"> <Context document="FileItem" 
search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">LinSsl.dll</Content> </IndicatorItem> <IndicatorItem id="8d12babf-fa50-4637-af25-e313cfbaee21" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">iprinp.dll</Content> </IndicatorItem> <IndicatorItem id="b7ca6cf3-b21e-4ce5-b66a-5cd57ea4907d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">ipinip.dll</Content> </IndicatorItem> <IndicatorItem id="36787d00-2ec9-45b3-97bc-5a4e66c4d846" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">bdzkt</Content> </IndicatorItem> <IndicatorItem id="8ebe42ec-7c51-4aa7-bb7d-df915a7785d3" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">SLYHKAAY</Content> </IndicatorItem> <IndicatorItem id="8e40bb0e-33f3-410f-abe0-f08398f685d5" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">WYZQLHHH</Content> </IndicatorItem> <IndicatorItem id="a434d782-9384-4a85-8941-099fcdcc3067" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">MSDOS3.0</Content> </IndicatorItem> <IndicatorItem id="6d0cc478-3e68-440a-a6bf-e9b00e9acf85" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">\system32\irmonsrv.dll</Content> </IndicatorItem> <IndicatorItem id="e9d45424-4a97-4ca6-a6da-6abdf9d25764" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">\system32\wuauserve.dll</Content> </IndicatorItem> <IndicatorItem id="3a44244a-ead8-48f4-8e4a-b5fcadee81bf" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" 
type="mir"/> <Content type="string">\System32\drivers\own</Content> </IndicatorItem> <IndicatorItem id="28104725-75b2-4abf-8269-4f854514a608" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">\temp\ctfmon.exe\svchost.exe</Content> </IndicatorItem> <IndicatorItem id="e0da4965-b6c6-4afe-a6f6-eede4fc3177d" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">SvcHost.DLL.log</Content> </IndicatorItem> <IndicatorItem id="294bb491-f96f-4bab-a8b5-c26f65d2acb7" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Sections/Section/Name" type="mir"/> <Content type="string">.upx</Content> </IndicatorItem> <IndicatorItem id="f836ade2-a72e-4b30-8c56-cb95d341c828" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Sections/Section/Name" type="mir"/> <Content type="string">.newIID</Content> </IndicatorItem> <IndicatorItem id="92c6e3af-79e1-42dc-a02e-4505e1d6e459" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">\Software\Microsoft\Windows\CurrentVersion\Run\AVPSVC</Content> </IndicatorItem> <IndicatorItem id="6c09d8f4-fae6-41e6-892e-e0bc785d5cc6" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">\Software\Microsoft\Windows\CurrentVersion\Run\McUpdate</Content> </IndicatorItem> <Indicator operator="AND" id="1267b5c9-1ad8-4fb6-b6b8-86a0b8ab72ca"> <Indicator operator="OR" id="92bdc4b1-584a-46db-9c72-534ab9036894"> <IndicatorItem id="037dfc3e-7d9d-4630-90a5-dee0c18f407f" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">iprinp.dll</Content> </IndicatorItem> <IndicatorItem id="34bde6bc-b8b0-496a-801e-40ed15bee252" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">regsvr.exe</Content> 
</IndicatorItem> <IndicatorItem id="c16e08f5-98b9-42de-8001-d386041c368e" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">regsvr1.exe</Content> </IndicatorItem> <IndicatorItem id="18f232ee-cd67-47e1-9a2e-fdd3298233c3" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">svchost.exe</Content> </IndicatorItem> <IndicatorItem id="71df27ee-4eda-4afc-8409-ec4c58da3473" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">client.exe</Content> </IndicatorItem> <IndicatorItem id="ad64b6cf-4af2-4f3d-a2e0-2fe3e6b30cdc" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">nwwwks.dll</Content> </IndicatorItem> <IndicatorItem id="fc106d4b-f060-46f5-80c8-ce8033193fdd" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">winssleep.exe</Content> </IndicatorItem> <IndicatorItem id="cde6ab63-addc-4103-a889-b56c4524b701" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">ipinip.dll</Content> </IndicatorItem> <IndicatorItem id="4016c737-ebe6-4aa0-a739-7c46f0af893e" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">svhost.exe</Content> </IndicatorItem> <IndicatorItem id="5c550ff6-3986-48cf-a2d5-fcfd41f20b0a" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">linssl.dll</Content> </IndicatorItem> <IndicatorItem id="f454c870-cb2e-4a9e-b31d-0f9d068aca31" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">iprinp32.dll</Content> </IndicatorItem> <IndicatorItem id="7f4075e2-7dac-4b0e-a276-7eb14c70d765" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> 
<Content type="string">Nwspagent.dll</Content> </IndicatorItem> <IndicatorItem id="bd302583-bcf1-4e69-9e8e-f0c973a53cea" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">avpsvc.exe</Content> </IndicatorItem> <IndicatorItem id="02e5a04d-e5ef-48a8-b455-c6c1c325925c" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">CSVCHST.exe</Content> </IndicatorItem> <IndicatorItem id="6f87cd10-39d3-413b-b3ca-52ba7a124f49" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">Sender.exe</Content> </IndicatorItem> <IndicatorItem id="28924f62-5441-4632-97d2-5d35a4213976" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">lingyun.exe</Content> </IndicatorItem> <IndicatorItem id="c14a804e-cf50-41bf-88c4-550a25a2103b" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">regsvc.exe</Content> </IndicatorItem> <IndicatorItem id="99013664-03ee-41a3-a38a-ef120f81cb58" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">nwwwks-2.dll</Content> </IndicatorItem> <IndicatorItem id="44055711-fe03-48b4-b8d2-50be225edad8" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 87% samples.</Comment> </IndicatorItem> <IndicatorItem id="54a85d32-a165-449f-8b6b-f8203a69b954" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">contains_eof_data</Content> <Comment>PE Header Anomaly identified in 33% samples.</Comment> </IndicatorItem> <IndicatorItem id="77d26675-49f2-4cde-8991-460e2da658eb" condition="is"> <Context document="FileItem" 
search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">incorrect_image_size</Content> <Comment>PE Header Anomaly identified in 5% samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="61cc97ad-3c83-4659-adba-589f6a1ad052"> <IndicatorItem id="36b204ba-de10-486c-98b6-288c0c2ac6d8" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">17306</Content> </IndicatorItem> <IndicatorItem id="90242cd9-546d-4966-bdaa-d4467018c25a" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">311296</Content> </IndicatorItem> <IndicatorItem id="7d8fceb3-7717-41bb-bdc1-61a29d0028ba" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">33280</Content> </IndicatorItem> <IndicatorItem id="50de64c1-250c-45f0-a66d-a03be1e88a1f" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">34304</Content> </IndicatorItem> <IndicatorItem id="8d335f68-cdf6-4aac-aaa4-7aab25cc0fea" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">35328</Content> </IndicatorItem> <IndicatorItem id="29ce9cb1-3829-47f0-b933-6fea33cb61b0" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">37376</Content> </IndicatorItem> <IndicatorItem id="5af465c1-ee05-441c-8b4f-687a13c442d9" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">37888</Content> </IndicatorItem> <IndicatorItem id="2fc67e5b-4b1d-4135-919d-3c15aac0b494" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">39424</Content> </IndicatorItem> <IndicatorItem id="1e5a489d-61ff-4079-aaf2-7dc8fa96d977" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" 
type="mir"/> <Content type="int">40654</Content> </IndicatorItem> <IndicatorItem id="f511fe11-750f-40cf-bb04-348e3a465d49" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">41472</Content> </IndicatorItem> <IndicatorItem id="4c0947d0-3f60-4c95-a587-580bce510b1b" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">41984</Content> </IndicatorItem> <IndicatorItem id="b81acf6e-417c-44f2-ab24-da18c03965ae" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">514048</Content> </IndicatorItem> <IndicatorItem id="bc69843a-17ac-42de-82bb-1a15123dc1a2" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">519572</Content> </IndicatorItem> <IndicatorItem id="fc2df9d6-0533-4850-8421-310d6c90813f" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">570880</Content> </IndicatorItem> <IndicatorItem id="97c2473e-edac-49f7-b5f2-4b98bb62e1a9" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">571904</Content> </IndicatorItem> <IndicatorItem id="f3f6a93d-912f-450a-a3d2-1e92a03b64b5" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">573952</Content> </IndicatorItem> <IndicatorItem id="8aad2a97-39dc-4f48-841f-3cd77cb86cc8" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">574464</Content> </IndicatorItem> <IndicatorItem id="3f9eb2e3-e31c-451f-9dc0-555d76dbf4b4" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">594944</Content> </IndicatorItem> <IndicatorItem id="ea4ed5d7-ae07-43eb-b5b3-205cde14f99f" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> 
<Content type="int">608256</Content> </IndicatorItem> <IndicatorItem id="8ecebf97-b3fa-4aa7-aeb9-c811031aaf9c" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">622592</Content> </IndicatorItem> <IndicatorItem id="c0f94cf2-ac62-4ad2-9c92-7d3423524757" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">623104</Content> </IndicatorItem> <IndicatorItem id="e4bef386-82c5-42f1-841f-2416583b10c8" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">627699</Content> </IndicatorItem> <IndicatorItem id="6165ef6f-3e35-4930-9b09-da0bb501cc96" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">627969</Content> </IndicatorItem> <IndicatorItem id="c1b8d482-5742-41ad-96a5-6cc84d9e2c37" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">628522</Content> </IndicatorItem> <IndicatorItem id="ddb29c02-9846-49a6-9593-a47847be732d" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">634880</Content> </IndicatorItem> <IndicatorItem id="12ea288b-3707-4d7c-8eb6-050b0af38b6e" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">638976</Content> </IndicatorItem> <IndicatorItem id="0f2ab503-9e54-4ac2-ac20-fc1118088afd" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">663552</Content> </IndicatorItem> <IndicatorItem id="49d7c7ee-c519-4d9a-92e4-d6e7a129229b" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">696832</Content> </IndicatorItem> <IndicatorItem id="90ecc391-05ed-4eb4-8ad4-5a6303060a6f" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content 
type="int">89088</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="e3bf90e4-eb4a-4683-a817-9c2a917f4655"> <IndicatorItem id="711ea5c1-93fd-44d6-bdfb-0de824ff4a09" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2007-06-19T01:44:41Z</Content> </IndicatorItem> <IndicatorItem id="638f1639-79f0-40a6-acff-f8abbfb615e2" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2007-06-19T01:49:12Z</Content> </IndicatorItem> <IndicatorItem id="21f15ae5-0e27-4634-9dd4-fdcab5b00301" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2007-08-08T03:16:50Z</Content> </IndicatorItem> <IndicatorItem id="3c443832-797d-44c2-a62f-d56b41c3431f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2007-10-18T01:53:40Z</Content> </IndicatorItem> <IndicatorItem id="30100aff-c0e3-4818-b46e-6787327f8a1a" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2007-11-09T14:09:05Z</Content> </IndicatorItem> <IndicatorItem id="bcb220a3-50f9-43ec-a55c-a52f90e1c779" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-05-08T14:55:45Z</Content> </IndicatorItem> <IndicatorItem id="500257fb-af21-4981-985f-ebccdfb6641a" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-08-19T09:57:41Z</Content> </IndicatorItem> <IndicatorItem id="87e53cc0-7898-45ab-a5e5-bd42567053dc" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-09-16T09:20:31Z</Content> </IndicatorItem> <IndicatorItem id="d7e24af2-a583-408f-ad48-0c14e6e4f360" condition="is"> <Context document="FileItem" 
search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-10-22T00:12:21Z</Content> </IndicatorItem> <IndicatorItem id="1b530efc-85d9-49cf-8d72-17860dcb49fe" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-10-24T07:49:13Z</Content> </IndicatorItem> <IndicatorItem id="2731fa87-36a1-432c-a408-6484a5e593f8" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-10-27T13:48:37Z</Content> </IndicatorItem> <IndicatorItem id="ba4f0587-bf1e-4830-99e8-9efe07904d07" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-12-17T07:19:05Z</Content> </IndicatorItem> <IndicatorItem id="a6c97c28-a44f-4b46-9537-7c433c670244" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-01-07T08:09:33Z</Content> </IndicatorItem> <IndicatorItem id="a3bf514e-f634-4531-b9e0-6de1b3d0c4d8" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-02-13T02:54:17Z</Content> </IndicatorItem> <IndicatorItem id="1a433fc4-39d6-4f4f-8dac-6d83f3f9f685" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-03-17T00:16:47Z</Content> </IndicatorItem> <IndicatorItem id="6318dd4f-b1d4-4022-9ea0-93d3b561744a" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-03-17T13:21:25Z</Content> </IndicatorItem> <IndicatorItem id="98a89637-0403-4967-babf-e31546ba39fa" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-03-20T02:52:43Z</Content> </IndicatorItem> <IndicatorItem id="129fff37-b218-48df-820b-aebb325f2611" condition="is"> <Context document="FileItem" 
search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-05-06T15:01:12Z</Content> </IndicatorItem> <IndicatorItem id="0a073e04-6778-40f3-bfae-ed3eb8b46ed1" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-05-18T14:52:39Z</Content> </IndicatorItem> <IndicatorItem id="4d677650-5373-4fa2-8d77-bd5fca86dc38" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-05-20T13:12:38Z</Content> </IndicatorItem> <IndicatorItem id="24f4b96e-46bf-43ae-9cb5-c25ac6fc36f9" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-06-02T12:20:52Z</Content> </IndicatorItem> <IndicatorItem id="ada070dc-7615-47ab-bac5-a8becc87b4fc" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-06-08T10:17:38Z</Content> </IndicatorItem> <IndicatorItem id="2ee86912-e2e9-4a0a-bb54-0b19fa74418c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-06-08T13:06:51Z</Content> </IndicatorItem> <IndicatorItem id="c9eed4ec-2ebe-4bd5-9150-76f7d6cf0e8f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-07-23T07:21:19Z</Content> </IndicatorItem> <IndicatorItem id="e8919344-fd16-4c39-9811-563e77359924" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-07-23T07:36:19Z</Content> </IndicatorItem> <IndicatorItem id="6c97d939-b699-46c9-af68-cd3a9d26eb24" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-07-29T14:12:53Z</Content> </IndicatorItem> <IndicatorItem id="6dc1a5c1-cda9-47fc-9fe7-11e3433f3682" condition="is"> <Context document="FileItem" 
search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-07-29T14:34:24Z</Content> </IndicatorItem> <IndicatorItem id="7bc24894-a4ea-430f-aac5-12f4b4afa84a" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-07-30T08:58:55Z</Content> </IndicatorItem> <IndicatorItem id="d191f9cc-8cfb-4761-aeca-3fed66493e27" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-07-30T14:04:14Z</Content> </IndicatorItem> <IndicatorItem id="449b69ae-9af5-4614-8071-74751ee11b1d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-08-24T13:16:23Z</Content> </IndicatorItem> <IndicatorItem id="ae5377a9-14c1-413f-8fa2-006ac9a060b0" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-12-02T09:25:25Z</Content> </IndicatorItem> <IndicatorItem id="3ddc54ff-0a4d-4a6d-8bb9-cc0aaf1b8200" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-05-20T03:51:53Z</Content> </IndicatorItem> <IndicatorItem id="a0a53167-d29a-448a-9316-61c056c2b7c9" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-05-31T08:38:59Z</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="23071edc-e5c9-4127-8de5-7b58f8c25496"> <IndicatorItem id="9059fdf6-0e03-413b-b0a4-3bb1c38194f7" condition="isnot"> <Context document="FileItem" search="FileItem/PEInfo/Type" type="mir"/> <Content type="string">Executable</Content> </IndicatorItem> <IndicatorItem id="2ab4f3c0-70fe-406d-9eff-bc9a2274042f" condition="isnot"> <Context document="FileItem" search="FileItem/PEInfo/Type" type="mir"/> <Content type="string">DLL</Content> </IndicatorItem> <Indicator operator="OR" 
id="f95a9be5-4e29-4681-aa4a-80bce489ce1d"> <IndicatorItem id="09e43b8e-cfb8-43ad-9f3e-1619a113ee70" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">skeys.dll</Content> </IndicatorItem> <IndicatorItem id="278e7759-8fde-48b2-9865-5109fc72547b" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">rdisk.dll</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="2227df38-08b9-4fca-9a76-3ab557d9ed00"> <IndicatorItem id="334a9473-ca52-4a7b-935c-db28407edef9" condition="is"> <Context document="ServiceItem" search="ServiceItem/name" type="mir"/> <Content type="string">RIP Listener</Content> </IndicatorItem> <IndicatorItem id="c2fbc8d4-abb7-426e-8439-f36516abb11b" condition="is"> <Context document="ServiceItem" search="ServiceItem/description" type="mir"/> <Content type="string">Provides access to file and print resources on Netware networks</Content> </IndicatorItem> </Indicator> <Indicator operator="AND" id="b3fb95f1-5bc6-4901-ba6a-6300084d0c88"> <IndicatorItem id="e4c0642f-5384-49e7-b726-9b7b93b1d046" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">\System\CurrentControlSet\Services\</Content> </IndicatorItem> <Indicator operator="OR" id="b7541e31-a0d5-4744-882e-6ef39c833392"> <IndicatorItem id="d0732571-13ea-47b3-8c72-8b7bfaa7e866" condition="is"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">RIP Listener</Content> </IndicatorItem> <IndicatorItem id="289288d5-7bc7-4d43-9975-716aeca1f42a" condition="is"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">Provides access to file and print resources on Netware networks</Content> </IndicatorItem> <Indicator operator="AND" id="8342a681-6f7d-49bf-a075-c6a047f4b4bd"> <IndicatorItem id="0b1d861b-8da5-4ba9-83de-5452b69d7ff3" 
condition="is"> <Context document="RegistryItem" search="RegistryItem/ValueName" type="mir"/> <Content type="string">ServiceDLL</Content> </IndicatorItem> <Indicator operator="OR" id="bde1512d-0412-42b7-ba82-473a1dee9cbc"> <IndicatorItem id="9c488d78-e35e-44a0-9616-ba8d732b16b5" condition="is"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">iprinp.dll</Content> </IndicatorItem> <IndicatorItem id="cb4724b2-7a5a-4431-a98d-7d263c9d44b9" condition="is"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">nwwwks.dll</Content> </IndicatorItem> <IndicatorItem id="9d5cf402-5631-4390-87ea-971eaab1df1d" condition="is"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">nwspagent.dll</Content> </IndicatorItem> <IndicatorItem id="1b508cb0-76e5-4abf-8f9d-5fa8b1d43f0e" condition="is"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">iprinp32.dll</Content> </IndicatorItem> <IndicatorItem id="320e1c11-38df-41f2-9300-26f3841072a0" condition="is"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">linssl.dll</Content> </IndicatorItem> <IndicatorItem id="833c4845-a222-4fd0-8f27-021994a147d0" condition="is"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">ipinip.dll</Content> </IndicatorItem> </Indicator> </Indicator> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-f97ec627-8a79-484e-b889-de21ed02a4d4"> <indicator:Title>WEBC2-UGX (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> A WEBC2 backdoor is designed to retrieve a Web page from a 
pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family of malware provide remote command shell and remote file download and execution capabilities. The malware downloads a web page containing a crafted HTML comment that subsequently contains an encoded command. The contents of this command tell the malware whether to download and execute a program, launch a reverse shell to a specific host and port number, or to sleep for a period of time. </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <!-- Top-level OR: any single branch satisfies the indicator. The eleven idref entries that follow use the same UUIDs as the FileItem/Md5sum IndicatorItems in the OpenIOC Test_Mechanism of this Indicator; the Observables they point to are not defined inside this Indicator. --> <cybox:Observable idref="mandiant:observable-09576f11-2a61-4ba4-b028-50915af3ff1f"/> <cybox:Observable idref="mandiant:observable-115348b8-1dd2-47c8-b7c5-e527d1f16290"/> <cybox:Observable idref="mandiant:observable-dabc9e54-b4df-4a27-8d9a-08d88d81ecba"/> <cybox:Observable idref="mandiant:observable-f9485db8-ca16-4b54-a70f-81e48aa8e01e"/> <cybox:Observable idref="mandiant:observable-fbbfe38f-d0e2-485d-b646-50a95ad67e42"/> <cybox:Observable idref="mandiant:observable-b9dc8abb-9158-4977-b086-0f1168f36326"/> <cybox:Observable idref="mandiant:observable-919418e6-81e1-4fe4-b3d4-8387d2994158"/> <cybox:Observable idref="mandiant:observable-bfd57cda-e423-4f87-82d2-dcad4c60a4e1"/> <cybox:Observable idref="mandiant:observable-2f1fa842-f779-4fa9-b56b-26ba8607dbdb"/> <cybox:Observable idref="mandiant:observable-be2960e4-3574-43dd-95ba-3cb4513152ea"/> <cybox:Observable idref="mandiant:observable-6401f7da-2c4d-4b72-828d-b69a295581f1"/> <!-- File-attribute branch: AND of three OR groups whose UUIDs correspond to the file name / PE anomaly, SizeInBytes and PETimeStamp groups of the OpenIOC definition. --> <cybox:Observable id="mandiant:observable-e988e9e9-dc1e-410e-a2f0-eb780672649e"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-0522c806-9232-4045-b6fe-5716bccaa832"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-392ba790-2c1e-4acd-86db-7e1246788195"/> <cybox:Observable 
idref="mandiant:observable-f8bc290b-0168-4d53-afe5-02bcfc8a3f82"/> <cybox:Observable idref="mandiant:observable-ae2d031d-f8f4-4be1-95eb-dde6c523716a"/> <cybox:Observable idref="mandiant:observable-e1ca34f2-6f66-4a8e-ae99-b231aea90ac7"/> <cybox:Observable idref="mandiant:observable-416c4674-b9f7-40a1-96b2-dc688e28eca4"/> <cybox:Observable idref="mandiant:observable-615cf836-6147-40de-b0b9-10dab8393ed9"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-3f136b50-a274-4ec5-84ff-b89d02b04d36"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-64868346-be1b-4343-ab0a-60a6579ae58e"/> <cybox:Observable idref="mandiant:observable-466e6f8e-dcc9-43e8-b1fa-1eb6b509923c"/> <cybox:Observable idref="mandiant:observable-32100cf1-610b-461f-b9c4-ff24bdc9f023"/> <cybox:Observable idref="mandiant:observable-6ce23dff-9674-463b-a3ca-24627166ec3d"/> <cybox:Observable idref="mandiant:observable-eb9c7619-beb5-4323-8380-dc71c80788ca"/> <cybox:Observable idref="mandiant:observable-e9c54005-c94a-4863-b6ff-8195d62237d8"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-0d4a7d56-0008-42c3-b726-9702674535a8"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-0d4e7c5d-31b5-4741-98aa-f5b43ae77c2c"/> <cybox:Observable idref="mandiant:observable-a53c2636-8a86-4edb-9038-ded5af8c9da2"/> <cybox:Observable idref="mandiant:observable-c25d74ab-cd2c-4dc2-b66e-320bfb658c5e"/> <cybox:Observable idref="mandiant:observable-be83cacb-1875-461f-8c9d-5c54b35a8e95"/> <cybox:Observable idref="mandiant:observable-ae13d20a-fa0f-42cb-92cf-4a6145d6b8d1"/> <cybox:Observable idref="mandiant:observable-d249a870-df60-4c2d-8c88-5eca53ad3afa"/> <cybox:Observable idref="mandiant:observable-611abf4e-9345-4f81-a17e-9b37fa80df41"/> <cybox:Observable idref="mandiant:observable-1fdbe819-1261-40f5-af34-f3891ee08f74"/> <cybox:Observable 
idref="mandiant:observable-a1a9931d-9305-4154-9863-174cdedb89d4"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <!-- Process-handle branch: one idref (handle type) AND an OR group of three idrefs (handle names); the values are in the OpenIOC definition. --> <cybox:Observable id="mandiant:observable-ff265e40-8a75-4c15-9c0e-ea603f58e14c"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-8cc88d4a-c3a4-493c-9ccb-a287f1ffd336"/> <cybox:Observable id="mandiant:observable-7cab174d-6a75-4dda-87d8-83c56dd1932e"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-b3352aec-e4f9-4c70-9eab-2881bd91bbd2"/> <cybox:Observable idref="mandiant:observable-efa96288-2925-4365-b9c4-9288c4b914e3"/> <cybox:Observable idref="mandiant:observable-d9cc65c8-8dd2-4713-b6b7-ce3f805ee413"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <!-- References WEBC2 TTP rather than main APT1 TTP --> <stixCommon:TTP idref="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="a461f381-8612-4ce1-a0dc-68bcaca028d0" last-modified="2013-02-10T13:00:00"> <short_description>WEBC2-UGX (FAMILY)</short_description> <description>A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family of malware provide remote command shell and remote file download and execution capabilities. The malware downloads a web page containing a crafted HTML comment that subsequently contains an encoded command. 
The contents of this command tell the malware whether to download and execute a program, launch a reverse shell to a specific host and port number, or to sleep for a period of time. </description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">WEBC2-UGX</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Backdoor</link> </links> <definition> <Indicator operator="OR" id="f97ec627-8a79-484e-b889-de21ed02a4d4"> <!-- Top-level OR. The eleven Md5sum items each match one exact file; a rebuilt or repacked sample will not hit them and can only be caught by the attribute groups that follow. --> <IndicatorItem id="09576f11-2a61-4ba4-b028-50915af3ff1f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8412a3e37499f8289faf54546824ab61</Content> </IndicatorItem> <IndicatorItem id="115348b8-1dd2-47c8-b7c5-e527d1f16290" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">56de2854ef64d869b5df7af5e4effe3e</Content> </IndicatorItem> <IndicatorItem id="dabc9e54-b4df-4a27-8d9a-08d88d81ecba" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9e30b1665077b7e65bc8ff1e7c752306</Content> </IndicatorItem> <IndicatorItem id="f9485db8-ca16-4b54-a70f-81e48aa8e01e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">106338ad223b84fbc2528a55e3e22302</Content> </IndicatorItem> <IndicatorItem id="fbbfe38f-d0e2-485d-b646-50a95ad67e42" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8462a62f13f92c34e4b89a7d13a185ad</Content> </IndicatorItem> <IndicatorItem id="b9dc8abb-9158-4977-b086-0f1168f36326" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">15d1330be5e27f6f51d011b0575ffa05</Content> </IndicatorItem> <IndicatorItem id="919418e6-81e1-4fe4-b3d4-8387d2994158" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">75dad1ccabae8adeb5bae899d0c630f8</Content> </IndicatorItem> <IndicatorItem id="bfd57cda-e423-4f87-82d2-dcad4c60a4e1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4b19a2a6d40a5825e868c6ef25ae445e</Content> </IndicatorItem> <IndicatorItem id="2f1fa842-f779-4fa9-b56b-26ba8607dbdb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">54d5d171a482278cc8eacf08d9175fd7</Content> </IndicatorItem> <IndicatorItem id="be2960e4-3574-43dd-95ba-3cb4513152ea" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">36a7c3a6460c98e161e1005c925da0b2</Content> </IndicatorItem> <IndicatorItem id="6401f7da-2c4d-4b72-828d-b69a295581f1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0fbdc6e3f79063a4773d4872fa1f15d1</Content> </IndicatorItem> <!-- File-attribute group: (name OR PE anomaly) AND size AND PE timestamp. The first OR group is satisfied by a PE anomaly alone, and winword.exe and adobearm.exe are also names of legitimate programs, so that group carries weight only in combination with the size and timestamp groups. --> <Indicator operator="AND" id="e988e9e9-dc1e-410e-a2f0-eb780672649e"> <Indicator operator="OR" id="0522c806-9232-4045-b6fe-5716bccaa832"> <IndicatorItem id="392ba790-2c1e-4acd-86db-7e1246788195" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">acrod32.exe</Content> </IndicatorItem> <IndicatorItem id="f8bc290b-0168-4d53-afe5-02bcfc8a3f82" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">adobearm.exe</Content> </IndicatorItem> <IndicatorItem id="ae2d031d-f8f4-4be1-95eb-dde6c523716a" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">winword.exe</Content> </IndicatorItem> <IndicatorItem id="e1ca34f2-6f66-4a8e-ae99-b231aea90ac7" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">defwatch.exe</Content> </IndicatorItem> <IndicatorItem id="416c4674-b9f7-40a1-96b2-dc688e28eca4" condition="is"> <Context 
document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">contains_eof_data</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> <IndicatorItem id="615cf836-6147-40de-b0b9-10dab8393ed9" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 91% samples.</Comment> </IndicatorItem> </Indicator> <!-- Size is compared with condition="is": only these exact byte counts match. --> <Indicator operator="OR" id="3f136b50-a274-4ec5-84ff-b89d02b04d36"> <IndicatorItem id="64868346-be1b-4343-ab0a-60a6579ae58e" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">18142</Content> </IndicatorItem> <IndicatorItem id="466e6f8e-dcc9-43e8-b1fa-1eb6b509923c" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">20313</Content> </IndicatorItem> <IndicatorItem id="32100cf1-610b-461f-b9c4-ff24bdc9f023" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">20314</Content> </IndicatorItem> <IndicatorItem id="6ce23dff-9674-463b-a3ca-24627166ec3d" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">34138</Content> </IndicatorItem> <IndicatorItem id="eb9c7619-beb5-4323-8380-dc71c80788ca" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">81754</Content> </IndicatorItem> <IndicatorItem id="e9c54005-c94a-4863-b6ff-8195d62237d8" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">85574</Content> </IndicatorItem> </Indicator> <!-- PETimeStamp is a PE header field set when the file is built and is under the author's control; treat a hit as corroboration of the other groups. --> <Indicator operator="OR" id="0d4a7d56-0008-42c3-b726-9702674535a8"> <IndicatorItem id="0d4e7c5d-31b5-4741-98aa-f5b43ae77c2c" condition="is"> <Context document="FileItem" 
search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2007-09-17T09:21:03Z</Content> </IndicatorItem> <IndicatorItem id="a53c2636-8a86-4edb-9038-ded5af8c9da2" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-03-06T14:10:18Z</Content> </IndicatorItem> <IndicatorItem id="c25d74ab-cd2c-4dc2-b66e-320bfb658c5e" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-06-11T09:35:04Z</Content> </IndicatorItem> <IndicatorItem id="be83cacb-1875-461f-8c9d-5c54b35a8e95" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-03-15T12:47:10Z</Content> </IndicatorItem> <IndicatorItem id="ae13d20a-fa0f-42cb-92cf-4a6145d6b8d1" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-06-25T09:26:47Z</Content> </IndicatorItem> <IndicatorItem id="d249a870-df60-4c2d-8c88-5eca53ad3afa" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-03-29T08:40:16Z</Content> </IndicatorItem> <IndicatorItem id="611abf4e-9345-4f81-a17e-9b37fa80df41" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-09-06T12:37:01Z</Content> </IndicatorItem> <IndicatorItem id="1fdbe819-1261-40f5-af34-f3891ee08f74" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-09-20T01:17:47Z</Content> </IndicatorItem> <IndicatorItem id="a1a9931d-9305-4154-9863-174cdedb89d4" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-01-20T03:14:28Z</Content> </IndicatorItem> </Indicator> </Indicator> <!-- Process-handle group: handle type contains "Mutant" AND handle name is one of three values. NOTE(review): Type and Name are separate items and nothing here ties them to the same handle; confirm how the consuming tool scopes them. --> <Indicator operator="AND" id="ff265e40-8a75-4c15-9c0e-ea603f58e14c"> <IndicatorItem 
id="8cc88d4a-c3a4-493c-9ccb-a287f1ffd336" condition="contains"> <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Type" type="mir"/> <Content type="string">Mutant</Content> <Comment>Mutexes created by different variants of this family</Comment> </IndicatorItem> <Indicator operator="OR" id="7cab174d-6a75-4dda-87d8-83c56dd1932e"> <IndicatorItem id="b3352aec-e4f9-4c70-9eab-2881bd91bbd2" condition="is"> <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/> <Content type="string">BaseNamedObjects\Sm</Content> </IndicatorItem> <IndicatorItem id="efa96288-2925-4365-b9c4-9288c4b914e3" condition="is"> <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/> <Content type="string">1qasw2</Content> </IndicatorItem> <IndicatorItem id="d9cc65c8-8dd2-4713-b6b7-ce3f805ee413" condition="is"> <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/> <Content type="string">ijnrfv</Content> </IndicatorItem> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-ee797e93-f583-4d6d-9523-11c47d2f1db9"> <indicator:Title>GETMAIL (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Utility</indicator:Type> <indicator:Description> Members of this family of malware are utilities designed to extract email messages and attachments from Outlook PST files. One part of this utility set is an executable, one is a dll. The malware may create a registry artifact related to the executable. 
</indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <!-- Top-level OR: four idref entries (same UUIDs as the FileItem/Md5sum IndicatorItems of the OpenIOC definition in this Indicator) followed by four inline AND compositions that mirror its executable, DLL, registry and DLL-export groups. --> <cybox:Observable idref="mandiant:observable-d18237fc-66cf-4c1e-8e1b-070c973838fb"/> <cybox:Observable idref="mandiant:observable-5c9de010-6064-4f37-a6b8-772c322c987b"/> <cybox:Observable idref="mandiant:observable-6309924e-05d3-4b7a-aed7-07f7bcda7d46"/> <cybox:Observable idref="mandiant:observable-0054b13f-d945-436e-9215-edc85b8c68bf"/> <cybox:Observable id="mandiant:observable-682c6e73-2de4-4234-9439-e4523dc7187f"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-60ed73ff-67b8-41f0-af6d-9ed5d2c7a3dc"/> <cybox:Observable id="mandiant:observable-3fc38377-f777-4ca0-9a8e-d884de5a0444"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-0d62048d-f30a-468e-a1b7-ccbbd5b9deda"/> <cybox:Observable idref="mandiant:observable-a902acc1-c1df-4135-bd12-fdfa4e287208"/> <cybox:Observable idref="mandiant:observable-3c4f6ff1-6624-4b39-bb17-112982236598"/> <cybox:Observable idref="mandiant:observable-028ce6fc-3fa5-4a27-bbca-07cdde3898de"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-8d33a6b9-ae90-4686-a887-db7b81a0b71b"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-52f12703-05dd-4d91-ad8b-687cf5e86d19"/> <cybox:Observable idref="mandiant:observable-6b4ed60a-1213-4984-8127-e23d060e56e0"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-23bf44dc-e7be-4e70-8dbf-94472dfbe7c4"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-3122a156-227e-4058-9159-0e809b4ecc68"/> <cybox:Observable idref="mandiant:observable-a70f64a7-ab3e-44f8-b3e6-d0517139f18c"/> <cybox:Observable id="mandiant:observable-fbafd2d8-15bd-4669-9749-c84ff52547ca"> <cybox:Observable_Composition operator="OR"> 
<cybox:Observable idref="mandiant:observable-f3ab20d6-720c-4851-975c-608cf88ba861"/> <cybox:Observable idref="mandiant:observable-a3141d62-465c-47ab-a779-4b5d86ad363d"/> <cybox:Observable idref="mandiant:observable-a104a0e0-ac7c-45a5-aab2-8047ef9e2a12"/> <cybox:Observable idref="mandiant:observable-19f59c70-6176-45d9-ad53-767b0280ef66"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-c3a1efc3-0f58-4170-8784-3e11fa96db66"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-dc124fa9-95c5-4b57-b8e7-9f760a866821"/> <cybox:Observable idref="mandiant:observable-828286b6-7a00-4f91-8dc3-12ec0ef75c46"/> <cybox:Observable id="mandiant:observable-325f5eab-ec42-40bf-9c54-19acd59e6e82"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-3f47f982-2feb-4bff-8084-a27ae9be2332"/> <cybox:Observable idref="mandiant:observable-78d7f05a-c0f8-4c82-a254-fc9204d4d852"/> <cybox:Observable idref="mandiant:observable-92736fad-0584-4d5a-83aa-5a44a832802f"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-e980872f-9cbd-4b48-b12e-3907802e3e1f"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-148e4d5e-e213-44c4-9c5c-69bbe81cac77"/> <cybox:Observable idref="mandiant:observable-b13d3ec0-de0d-45ff-8e86-dcee2de09053"/> <cybox:Observable idref="mandiant:observable-62ad77d0-740d-4194-8b7d-6e111bbb3b99"/> <cybox:Observable idref="mandiant:observable-fe8a59d7-daf4-406b-9bef-6735886f3e76"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism 
xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="a486d837-9f05-4360-908e-b4244c24723d" last-modified="2013-02-10T13:00:00"> <short_description>GETMAIL (FAMILY)</short_description> <description>Members of this family of malware are utilities designed to extract email messages and attachments from Outlook PST files. One part of this utility set is an executable, one is a dll. The malware may create a registry artifact related to the executable.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">GETMAIL</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Utility</link> </links> <definition> <Indicator operator="OR" id="ee797e93-f583-4d6d-9523-11c47d2f1db9"> <!-- Top-level OR. The four Md5sum items each match one exact file only. --> <IndicatorItem id="d18237fc-66cf-4c1e-8e1b-070c973838fb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e81db0198d2a63c4ccfc33f58fcb821e</Content> </IndicatorItem> <IndicatorItem id="5c9de010-6064-4f37-a6b8-772c322c987b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">909bef6db8d33854e983ebccdd71419f</Content> </IndicatorItem> <IndicatorItem id="6309924e-05d3-4b7a-aed7-07f7bcda7d46" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">36ca55556280f715e2de8b4b997a26c9</Content> </IndicatorItem> <IndicatorItem id="0054b13f-d945-436e-9215-edc85b8c68bf" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e212aaf642d73a2e4a885f12eea86c58</Content> </IndicatorItem> <!-- Executable component: size 86016 AND (one of three file names OR checksum_is_zero) AND one of two PE timestamps. Because the anomaly sits inside the name OR group, a renamed copy with a zero checksum still matches; the size and timestamp items do the narrowing. --> <Indicator operator="AND" id="682c6e73-2de4-4234-9439-e4523dc7187f"> <IndicatorItem id="60ed73ff-67b8-41f0-af6d-9ed5d2c7a3dc" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">86016</Content> </IndicatorItem> 
<Indicator operator="OR" id="3fc38377-f777-4ca0-9a8e-d884de5a0444"> <IndicatorItem id="0d62048d-f30a-468e-a1b7-ccbbd5b9deda" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">getmail.exe</Content> </IndicatorItem> <IndicatorItem id="a902acc1-c1df-4135-bd12-fdfa4e287208" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">gm.exe</Content> </IndicatorItem> <IndicatorItem id="3c4f6ff1-6624-4b39-bb17-112982236598" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">winps.exe</Content> </IndicatorItem> <IndicatorItem id="028ce6fc-3fa5-4a27-bbca-07cdde3898de" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="8d33a6b9-ae90-4686-a887-db7b81a0b71b"> <IndicatorItem id="52f12703-05dd-4d91-ad8b-687cf5e86d19" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2005-01-05T01:38:18Z</Content> </IndicatorItem> <IndicatorItem id="6b4ed60a-1213-4984-8127-e23d060e56e0" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2005-08-18T09:17:08Z</Content> </IndicatorItem> </Indicator> </Indicator> <!-- DLL component: size 53248 AND PE timestamp 2005-01-05T01:38:19Z AND (one of three file names OR checksum_is_zero). --> <Indicator operator="AND" id="23bf44dc-e7be-4e70-8dbf-94472dfbe7c4"> <IndicatorItem id="3122a156-227e-4058-9159-0e809b4ecc68" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">53248</Content> </IndicatorItem> <IndicatorItem id="a70f64a7-ab3e-44f8-b3e6-d0517139f18c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2005-01-05T01:38:19Z</Content> 
</IndicatorItem> <Indicator operator="OR" id="fbafd2d8-15bd-4669-9749-c84ff52547ca"> <IndicatorItem id="f3ab20d6-720c-4851-975c-608cf88ba861" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">getmail.dll</Content> </IndicatorItem> <IndicatorItem id="a3141d62-465c-47ab-a779-4b5d86ad363d" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">gm.dll</Content> </IndicatorItem> <IndicatorItem id="a104a0e0-ac7c-45a5-aab2-8047ef9e2a12" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">winps.dll</Content> </IndicatorItem> <IndicatorItem id="19f59c70-6176-45d9-ad53-767b0280ef66" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> </IndicatorItem> </Indicator> </Indicator> <!-- Registry artifact: path contains the MSMapiApps key AND text is "Microsoft Outlook" AND path contains one of three executable names. --> <Indicator operator="AND" id="c3a1efc3-0f58-4170-8784-3e11fa96db66"> <IndicatorItem id="dc124fa9-95c5-4b57-b8e7-9f760a866821" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">SOFTWARE\Microsoft\Windows Messaging Subsystem\MSMapiApps</Content> <Comment>registry artifacts that may be created by this malware</Comment> </IndicatorItem> <IndicatorItem id="828286b6-7a00-4f91-8dc3-12ec0ef75c46" condition="is"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">Microsoft Outlook</Content> <Comment>registry artifacts that may be created by this malware</Comment> </IndicatorItem> <Indicator operator="OR" id="325f5eab-ec42-40bf-9c54-19acd59e6e82"> <IndicatorItem id="3f47f982-2feb-4bff-8084-a27ae9be2332" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">winps.exe</Content> <Comment>registry artifacts that may be created by this malware</Comment> </IndicatorItem> 
<IndicatorItem id="78d7f05a-c0f8-4c82-a254-fc9204d4d852" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">getmail.exe</Content> <Comment>registry artifacts that may be created by this malware</Comment> </IndicatorItem> <IndicatorItem id="92736fad-0584-4d5a-83aa-5a44a832802f" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">gm.exe</Content> <Comment>registry artifacts that may be created by this malware</Comment> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="e980872f-9cbd-4b48-b12e-3907802e3e1f"> <IndicatorItem id="148e4d5e-e213-44c4-9c5c-69bbe81cac77" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">getmail.dll</Content> <Comment>artifact block that describes functions of the DLL used by this family</Comment> </IndicatorItem> <IndicatorItem id="b13d3ec0-de0d-45ff-8e86-dcee2de09053" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">docompress</Content> </IndicatorItem> <IndicatorItem id="62ad77d0-740d-4194-8b7d-6e111bbb3b99" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">doencrypt</Content> </IndicatorItem> <IndicatorItem id="fe8a59d7-daf4-406b-9bef-6735886f3e76" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/NumberOfFunctions" type="mir"/> <Content type="int">2</Content> </IndicatorItem> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-d2ed1adc-26c9-48f8-881d-19dea55e0f5a"> <indicator:Title>WEBC2-DIV (FAMILY)</indicator:Title> 
<indicator:Type vocab_name="Mandiant">Downloader</indicator:Type> <indicator:Description> The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-DIV variant searches for the strings "div safe:" and " balance" to delimit encoded C2 information. If the decoded string begins with the letter "J" the malware will parse additional arguments in the decoded string to specify the sleep interval to use. WEBC2-DIV is capable of downloading a file, downloading and executing a file, or sleeping a specified interval. </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <!-- Top-level OR: five idref entries (same UUIDs as the first five FileItem/Md5sum IndicatorItems of the OpenIOC definition in this Indicator) followed by three inline AND compositions. NOTE(review): the OpenIOC definition also lists a FileItem/StringList/string item (id 6639593e-28e3-4c24-8095-62f59a93bc7e) for which no idref appears anywhere in this composition, so matching on the CybOX side alone does not cover that string; this fits the lossy conversion caveat in the file header. --> <cybox:Observable idref="mandiant:observable-7e9843f5-7b07-4f36-98d5-0db35273c3ed"/> <cybox:Observable idref="mandiant:observable-25984cb3-718e-4e36-86a6-d5717e292c42"/> <cybox:Observable idref="mandiant:observable-af6ba778-2a08-479c-b160-64165af07044"/> <cybox:Observable idref="mandiant:observable-5ec8c197-fbf9-43aa-9cd8-b911e5114b8a"/> <cybox:Observable idref="mandiant:observable-71b2195c-d115-47e9-aea7-bc8b0593f923"/> <cybox:Observable id="mandiant:observable-925de763-953a-4117-bc2c-8ac3d1e2f6ef"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-44669ba0-15b3-410a-b6ce-6f103478776c"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-d2eaaca8-8910-43f6-af9e-a8996cf1d7f0"/> <cybox:Observable idref="mandiant:observable-4274254b-82bf-42c4-933b-6b6344d69097"/> <cybox:Observable idref="mandiant:observable-d282426a-3dd3-4564-8f57-c712a26c7555"/> <cybox:Observable idref="mandiant:observable-d5e42909-d002-431a-82bf-bf614b3af020"/> <cybox:Observable idref="mandiant:observable-1dc7c88c-5d5a-4ed9-a850-18b599a77e3c"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-b8bae77a-6c72-41cd-b66e-514aea61b071"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-ca4bdbe4-eb7f-427f-865f-25da34fdd4d3"/> <cybox:Observable idref="mandiant:observable-a48a6229-e93d-4926-b6c1-7d01e3c8214c"/> <cybox:Observable idref="mandiant:observable-bf34594f-fa9c-4df5-82fb-bb526c7cde69"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-361c8757-4419-4561-b7d6-4f5f40e7ed3e"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-9b3fd816-796b-44c5-b31b-ac3f6ff5c2d6"/> <cybox:Observable idref="mandiant:observable-70e66e0b-ca90-49ea-9675-71790d1e6b4f"/> <cybox:Observable idref="mandiant:observable-c0afcdb6-b030-4112-92c6-fffb0f38b4fb"/> <cybox:Observable idref="mandiant:observable-085f588b-d255-4d7b-9b26-3eeebed7f9f2"/> <cybox:Observable idref="mandiant:observable-bb1f2c6b-9599-4c0d-a877-201c4988b720"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-79ce5a32-f36d-4209-94e2-ef6178af9e68"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-cad19ddc-10cd-40a2-ac1a-0e6a06752a01"/> <cybox:Observable idref="mandiant:observable-eb71184e-305f-46f5-8219-c385f9dd6757"/> <cybox:Observable idref="mandiant:observable-5bdf04d0-249a-4ccf-b426-adf1b101c011"/> <cybox:Observable idref="mandiant:observable-39da8878-6a04-470a-ae03-a5d6891b5204"/> <cybox:Observable idref="mandiant:observable-6aa892aa-f658-4e99-9834-f63ac4d8275b"/> <cybox:Observable idref="mandiant:observable-c1c9b84d-71db-4b6f-95e8-0cf03888e557"/> <cybox:Observable idref="mandiant:observable-27b7f3ea-cc8c-4d56-9220-77e86de77f39"/> <cybox:Observable idref="mandiant:observable-20cb151e-bd47-474c-ae05-f750119a3331"/> <cybox:Observable idref="mandiant:observable-435ba428-56d7-4951-9be0-4b01f1cdcaaa"/> <cybox:Observable 
idref="mandiant:observable-a625282a-a5d8-4bbe-9d54-975e9ec8b96c"/> <cybox:Observable idref="mandiant:observable-dc50ee9e-0165-429d-97d3-ce06a35bc18d"/> <cybox:Observable idref="mandiant:observable-6d15ce62-f683-4cc6-a7eb-ebdbefd99ab1"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-990afb46-7abe-46a6-9b0c-d73d5c59d749"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-d9028cde-7303-4206-b0b3-6d01aab350b1"/> <cybox:Observable id="mandiant:observable-5072b634-f25f-4bff-9c9c-eb7217f897c4"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-20d9cc91-974a-4c29-b6c8-3c4a46021e70"/> <cybox:Observable idref="mandiant:observable-b805e1f3-9e23-4502-ab7d-f0de4c85cf3c"/> <cybox:Observable idref="mandiant:observable-58731d71-5941-445e-8649-fc6fa652e563"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <!-- References WEBC2 TTP rather than main APT1 TTP --> <stixCommon:TTP idref="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="ad521068-6f18-4ab1-899c-11007a18ec73" last-modified="2013-02-10T13:00:00"> <short_description>WEBC2-DIV (FAMILY)</short_description> <description>The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-DIV variant searches for the strings "div safe:" and " balance" to delimit encoded C2 information. 
If the decoded string begins with the letter "J" the malware will parse additional arguments in the decoded string to specify the sleep interval to use. WEBC2-DIV is capable of downloading a file, downloading and executing a file, or sleeping a specified interval.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="category">Downloader</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="family">WEBC2-DIV</link> </links> <definition> <Indicator operator="OR" id="d2ed1adc-26c9-48f8-881d-19dea55e0f5a"> <IndicatorItem id="7e9843f5-7b07-4f36-98d5-0db35273c3ed" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ad7bdadde9a4da73ffc776c606dbb75e</Content> </IndicatorItem> <IndicatorItem id="25984cb3-718e-4e36-86a6-d5717e292c42" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">64fa1239f5aa9a9031e61533283f8c22</Content> </IndicatorItem> <IndicatorItem id="af6ba778-2a08-479c-b160-64165af07044" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">855ca1b45a247754ad91d50827a2e16c</Content> </IndicatorItem> <IndicatorItem id="5ec8c197-fbf9-43aa-9cd8-b911e5114b8a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1e5ec6c06e4f6bb958dcbb9fc636009d</Content> </IndicatorItem> <IndicatorItem id="71b2195c-d115-47e9-aea7-bc8b0593f923" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4962cb3f255b2eaf48847c754d2a553d</Content> </IndicatorItem> <IndicatorItem id="6639593e-28e3-4c24-8095-62f59a93bc7e" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">3DC76854-C328-43D7-9E07-24BF894F8EF5</Content> </IndicatorItem> <Indicator operator="AND" 
id="925de763-953a-4117-bc2c-8ac3d1e2f6ef"> <Indicator operator="OR" id="44669ba0-15b3-410a-b6ce-6f103478776c"> <IndicatorItem id="d2eaaca8-8910-43f6-af9e-a8996cf1d7f0" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">WINWORD.exe</Content> </IndicatorItem> <IndicatorItem id="4274254b-82bf-42c4-933b-6b6344d69097" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">1.jpg</Content> </IndicatorItem> <IndicatorItem id="d282426a-3dd3-4564-8f57-c712a26c7555" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">svchost.exe</Content> </IndicatorItem> <IndicatorItem id="d5e42909-d002-431a-82bf-bf614b3af020" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">winupdate.exe</Content> </IndicatorItem> <IndicatorItem id="1dc7c88c-5d5a-4ed9-a850-18b599a77e3c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 20% samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="b8bae77a-6c72-41cd-b66e-514aea61b071"> <IndicatorItem id="ca4bdbe4-eb7f-427f-865f-25da34fdd4d3" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">13312</Content> </IndicatorItem> <IndicatorItem id="a48a6229-e93d-4926-b6c1-7d01e3c8214c" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">6656</Content> </IndicatorItem> <IndicatorItem id="bf34594f-fa9c-4df5-82fb-bb526c7cde69" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">7168</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="361c8757-4419-4561-b7d6-4f5f40e7ed3e"> <IndicatorItem 
id="9b3fd816-796b-44c5-b31b-ac3f6ff5c2d6" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-03-16T08:40:50Z</Content> </IndicatorItem> <IndicatorItem id="70e66e0b-ca90-49ea-9675-71790d1e6b4f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-03-25T08:10:07Z</Content> </IndicatorItem> <IndicatorItem id="c0afcdb6-b030-4112-92c6-fffb0f38b4fb" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-03-28T13:35:35Z</Content> </IndicatorItem> <IndicatorItem id="085f588b-d255-4d7b-9b26-3eeebed7f9f2" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-01-09T02:13:05Z</Content> </IndicatorItem> <IndicatorItem id="bb1f2c6b-9599-4c0d-a877-201c4988b720" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-05-31T02:42:08Z</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="61e54204-3708-49ff-96d6-e6a0d81dd54a"> <IndicatorItem id="d846b096-a433-4361-9f07-135f520b4bfc" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">6k6Gpms</Content> </IndicatorItem> <IndicatorItem id="9d0d33d2-ccc4-4509-b92a-01bf476f24a6" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">ULonodoie</Content> </IndicatorItem> <IndicatorItem id="d9346f17-27b5-4ea0-ae07-7cbf00a2a591" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">Microsoft Internet Explorer</Content> </IndicatorItem> <IndicatorItem id="5e664431-b689-44fa-916a-e02fdad60bc5" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" 
type="mir"/> <Content type="string">Hello from MFC!</Content> </IndicatorItem> </Indicator> <Indicator operator="AND" id="79ce5a32-f36d-4209-94e2-ef6178af9e68"> <!-- Import-table profile for WEBC2-DIV. operator="AND": every item in this group must hold. Ten items use condition="is" against FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string with the function name written in lower case; the last two use condition="containsnot" for getprocaddress and loadlibrary, presumably to exclude binaries that resolve imports at run time (confirm how the consuming tool evaluates containsnot over a list of strings). --> <IndicatorItem id="cad19ddc-10cd-40a2-ac1a-0e6a06752a01" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">urldownloadtofilea</Content> </IndicatorItem> <IndicatorItem id="eb71184e-305f-46f5-8219-c385f9dd6757" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">internetopenurla</Content> </IndicatorItem> <IndicatorItem id="5bdf04d0-249a-4ccf-b426-adf1b101c011" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">regsetvalueexa</Content> </IndicatorItem> <IndicatorItem id="39da8878-6a04-470a-ae03-a5d6891b5204" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">internetreadfile</Content> </IndicatorItem> <IndicatorItem id="6aa892aa-f658-4e99-9834-f63ac4d8275b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">createprocessa</Content> </IndicatorItem> <IndicatorItem id="c1c9b84d-71db-4b6f-95e8-0cf03888e557" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">deletefilea</Content> </IndicatorItem> <IndicatorItem id="27b7f3ea-cc8c-4d56-9220-77e86de77f39" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">copyfilea</Content> </IndicatorItem> <IndicatorItem id="20cb151e-bd47-474c-ae05-f750119a3331" 
condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">sleep</Content> </IndicatorItem> <!-- NOTE(review): "getcopmuternamea" in the next item looks like a transposition of "getcomputernamea" (GetComputerNameA). With condition="is" inside this AND group, a misspelled function name would keep the whole group from matching. Verify against the original IOC before relying on this branch, and keep the CybOX observable that carries the same id (mandiant:observable-435ba428-56d7-4951-9be0-4b01f1cdcaaa) in step with any correction. --> <IndicatorItem id="435ba428-56d7-4951-9be0-4b01f1cdcaaa" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">getcopmuternamea</Content> </IndicatorItem> <IndicatorItem id="a625282a-a5d8-4bbe-9d54-975e9ec8b96c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">shgetspecialfolderlocation</Content> </IndicatorItem> <IndicatorItem id="dc50ee9e-0165-429d-97d3-ce06a35bc18d" condition="containsnot"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">getprocaddress</Content> </IndicatorItem> <IndicatorItem id="6d15ce62-f683-4cc6-a7eb-ebdbefd99ab1" condition="containsnot"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">loadlibrary</Content> </IndicatorItem> </Indicator> <Indicator operator="AND" id="990afb46-7abe-46a6-9b0c-d73d5c59d749"> <IndicatorItem id="d9028cde-7303-4206-b0b3-6d01aab350b1" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">\Software\Microsoft\Windows\CurrentVersion\Run</Content> </IndicatorItem> <Indicator operator="OR" id="5072b634-f25f-4bff-9c9c-eb7217f897c4"> <IndicatorItem id="20d9cc91-974a-4c29-b6c8-3c4a46021e70" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">winupdate.exe</Content> </IndicatorItem> <IndicatorItem id="b805e1f3-9e23-4502-ab7d-f0de4c85cf3c" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> 
<Content type="string">1.jpg</Content> </IndicatorItem> <IndicatorItem id="58731d71-5941-445e-8649-fc6fa652e563" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">svchost.exe</Content> </IndicatorItem> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-f4e6caa1-f693-41eb-b8e7-1c20fca5c578"> <!-- WEBC2-KT3 indicator. The detection logic appears twice: as a CybOX Observable_Composition that points by idref at observables not shown in this part of the file, and as the OpenIOC definition embedded under Test_Mechanisms. The two forms are not equivalent; the comments on each say where they differ. --> <indicator:Title>WEBC2-KT3 (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Downloader</indicator:Type> <indicator:Description> The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-KT3 variant searches for commands in a specific comment tag. Network traffic starting with *!Kt3+v| may indicate WEBC2-KT3 activity. 
</indicator:Description> <indicator:Observable> <!-- CybOX form: OR of four observables whose ids match the four Md5sum items of the OpenIOC definition, plus two AND groups (c96c7553 file profile, b46fa9b3 registry profile). The OpenIOC string items aa8f05d8-28ff-4432-ae58-3ae1907319c8 ("!Kt3+v") and 4d78abec-d148-4a3a-a299-432cad85f91b (user-agent string) have no idref here, so a consumer that evaluates only the CybOX observables does not test them. --> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-569c4641-8dc1-407c-bb09-62097735ed36"/> <cybox:Observable idref="mandiant:observable-dec6e160-07e1-4b2d-9e27-79d2e62f7754"/> <cybox:Observable idref="mandiant:observable-dfda0e89-c86e-4194-acd9-e403f0fa0723"/> <cybox:Observable idref="mandiant:observable-4170ae29-4544-44d3-b44a-f9f3a3787544"/> <cybox:Observable id="mandiant:observable-c96c7553-b3a1-4284-85ab-1d656d670671"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-65dab442-cbe0-4d3c-a307-513950691b53"/> <cybox:Observable idref="mandiant:observable-36fd8439-0949-4f7c-bda1-f2582745391b"/> <cybox:Observable idref="mandiant:observable-525c8fc0-a40c-4efa-91bf-2220e96ac0a1"/> <cybox:Observable id="mandiant:observable-9e2fa0a8-8836-4fcb-a48f-6d82b4464c3d"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-35fc9391-a264-48d7-8847-e7b9f452dfab"/> <cybox:Observable idref="mandiant:observable-671c01a3-3ec7-455a-82fc-8ca84f8b0919"/> <cybox:Observable idref="mandiant:observable-80569e90-06d8-4abb-8506-a3a55e876c56"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-f71bb8b4-400a-4fa7-8285-ea81811a57fc"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-ee25aefc-1da9-40e3-b23a-ec529abb4954"/> <cybox:Observable idref="mandiant:observable-e3249ab9-187c-4450-b821-fb0bf08d52ce"/> <cybox:Observable idref="mandiant:observable-97153ba0-c8e5-41cd-b7bb-d735a7ca33a0"/> <cybox:Observable idref="mandiant:observable-cfc55f27-5111-409f-b951-c81ae2244273"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-b46fa9b3-20b9-41c2-a8af-f73e2d228e94"> <cybox:Observable_Composition operator="AND"> <cybox:Observable 
idref="mandiant:observable-1f2397c2-3985-4b86-b10c-13be9e606f68"/> <cybox:Observable idref="mandiant:observable-bc154de8-6af0-469b-92c6-57c51768cfa2"/> <cybox:Observable id="mandiant:observable-ff3e9df0-b4e0-42a1-abab-b7535725985d"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-e22f0176-f4ea-4ec1-b25d-b232f76c8777"/> <cybox:Observable idref="mandiant:observable-26815ccb-81f7-4394-bc0b-c162e0544d5b"/> <cybox:Observable idref="mandiant:observable-c8a420e8-3eab-4327-86ae-0cd34c2c7cc3"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <!-- References WEBC2 TTP rather than main APT1 TTP --> <stixCommon:TTP idref="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="af5f65fc-e1ca-45db-88b1-6ccb7191ee6a" last-modified="2013-02-10T13:00:00"> <short_description>WEBC2-KT3 (FAMILY)</short_description> <description>The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-KT3 variant searches for commands in a specific comment tag. 
Network traffic starting with *!Kt3+v| may indicate WEBC2-KT3 activity.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="category">Downloader</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="family">WEBC2-KT3</link> </links> <definition> <Indicator operator="OR" id="f4e6caa1-f693-41eb-b8e7-1c20fca5c578"> <!-- Top-level OR: any single child is enough to satisfy the indicator. The four Md5sum items are exact-hash matches, so they identify only the listed samples; any change to a file yields a different MD5. --> <IndicatorItem id="569c4641-8dc1-407c-bb09-62097735ed36" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ad8cde8841208ff226e04e8514dc699c</Content> </IndicatorItem> <IndicatorItem id="dec6e160-07e1-4b2d-9e27-79d2e62f7754" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ec3a2197ca6b63ee1454d99a6ae145ab</Content> </IndicatorItem> <IndicatorItem id="dfda0e89-c86e-4194-acd9-e403f0fa0723" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">adb62105427567ddc11124fc27921c40</Content> </IndicatorItem> <IndicatorItem id="4170ae29-4544-44d3-b44a-f9f3a3787544" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">84b83d0e8682e89747eee6ad65e21832</Content> </IndicatorItem> <!-- The next item looks for the marker as a string inside a file (FileItem/StringList/string). The description mentions network traffic starting with *!Kt3+v|; nothing in this definition tests network data. --> <IndicatorItem id="aa8f05d8-28ff-4432-ae58-3ae1907319c8" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">!Kt3+v</Content> </IndicatorItem> <!-- NOTE(review): the user-agent item below is a direct child of the top-level OR, so it satisfies the indicator on its own. The value is a common Internet Explorer 6 / Windows XP user-agent string, so unrelated files that embed it will also match; treat a hit on this item alone as low confidence. --> <IndicatorItem id="4d78abec-d148-4a3a-a299-432cad85f91b" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)</Content> </IndicatorItem> <Indicator operator="AND" id="c96c7553-b3a1-4284-85ab-1d656d670671"> <!-- File profile, all required: file name svchost.exe, both PE anomalies, one of three sizes, one of four PE timestamps. NOTE(review): checksum_is_zero and contains_eof_data are both direct children of this AND, yet their Comment values say 75% and 25% of samples; if no sample shows both anomalies this group cannot match. Confirm whether the two anomaly items were meant to sit under an OR. --> <IndicatorItem id="65dab442-cbe0-4d3c-a307-513950691b53" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content 
type="string">svchost.exe</Content> </IndicatorItem> <IndicatorItem id="36fd8439-0949-4f7c-bda1-f2582745391b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 75% samples.</Comment> </IndicatorItem> <IndicatorItem id="525c8fc0-a40c-4efa-91bf-2220e96ac0a1" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">contains_eof_data</Content> <Comment>PE Header Anomaly identified in 25% samples.</Comment> </IndicatorItem> <Indicator operator="OR" id="9e2fa0a8-8836-4fcb-a48f-6d82b4464c3d"> <IndicatorItem id="35fc9391-a264-48d7-8847-e7b9f452dfab" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">48640</Content> </IndicatorItem> <IndicatorItem id="671c01a3-3ec7-455a-82fc-8ca84f8b0919" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">52606</Content> </IndicatorItem> <IndicatorItem id="80569e90-06d8-4abb-8506-a3a55e876c56" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">81920</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="f71bb8b4-400a-4fa7-8285-ea81811a57fc"> <IndicatorItem id="ee25aefc-1da9-40e3-b23a-ec529abb4954" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-10-31T03:49:45Z</Content> </IndicatorItem> <IndicatorItem id="e3249ab9-187c-4450-b821-fb0bf08d52ce" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-12-08T01:22:53Z</Content> </IndicatorItem> <IndicatorItem id="97153ba0-c8e5-41cd-b7bb-d735a7ca33a0" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content 
type="date">2009-03-16T13:30:51Z</Content> </IndicatorItem> <IndicatorItem id="cfc55f27-5111-409f-b951-c81ae2244273" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-05-25T07:58:16Z</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="b46fa9b3-20b9-41c2-a8af-f73e2d228e94"> <!-- Registry profile, all required: a registry path containing the Run key, registry text containing svchost.exe, and a value name equal to AcrobatAPP, MSTDC or SVCRTC. The path item names no hive and uses condition="contains", so it matches the Run key under any hive. --> <IndicatorItem id="1f2397c2-3985-4b86-b10c-13be9e606f68" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">Software\Microsoft\Windows\CurrentVersion\Run</Content> </IndicatorItem> <IndicatorItem id="bc154de8-6af0-469b-92c6-57c51768cfa2" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">svchost.exe</Content> </IndicatorItem> <Indicator operator="OR" id="ff3e9df0-b4e0-42a1-abab-b7535725985d"> <IndicatorItem id="e22f0176-f4ea-4ec1-b25d-b232f76c8777" condition="is"> <Context document="RegistryItem" search="RegistryItem/ValueName" type="mir"/> <Content type="string">AcrobatAPP</Content> </IndicatorItem> <IndicatorItem id="26815ccb-81f7-4394-bc0b-c162e0544d5b" condition="is"> <Context document="RegistryItem" search="RegistryItem/ValueName" type="mir"/> <Content type="string">MSTDC</Content> </IndicatorItem> <IndicatorItem id="c8a420e8-3eab-4327-86ae-0cd34c2c7cc3" condition="is"> <Context document="RegistryItem" search="RegistryItem/ValueName" type="mir"/> <Content type="string">SVCRTC</Content> </IndicatorItem> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-ef180c46-8d36-46bc-b45c-d88cefa85002"> <indicator:Title>WEBC2-CLOVER (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> A WEBC2 backdoor is 
designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The family of malware provides the attacker with an interactive command shell, the ability to upload and download files, execute commands on the system, list processes and DLLs, kill processes, and ping hosts on the local network. Responses to these commands are encrypted and compressed before being POSTed to the server. Some variants copy cmd.exe to Updatasched.exe in a temporary directory, and then may launch that in a process if an interactive shell is called. On initial invocation, the malware also attempts to delete previous copies of the Updatasched.exe file. </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-683a261d-0d11-4d81-9974-f76244cf5f7f"/> <cybox:Observable idref="mandiant:observable-8164f745-0c7a-4971-9534-c32795908588"/> <cybox:Observable idref="mandiant:observable-2a604ece-4051-4e9c-bb04-00e3d9b62919"/> <cybox:Observable idref="mandiant:observable-4af929cc-8c82-4bee-ad17-dcf502c2f6d0"/> <cybox:Observable idref="mandiant:observable-d4cfaa14-c00b-4729-8730-c19bb7ccaca4"/> <cybox:Observable idref="mandiant:observable-caa9294b-a600-4186-9ade-64240f10e7e4"/> <cybox:Observable idref="mandiant:observable-5a75fcdb-49b6-4907-90c1-be1211df0d1d"/> <cybox:Observable idref="mandiant:observable-746e58c4-5833-4d83-b0fc-b7c8cd13d388"/> <cybox:Observable idref="mandiant:observable-ecf7494b-0ddf-42eb-bfd1-54caaad7b6c3"/> <cybox:Observable idref="mandiant:observable-0d0fc96e-7cbe-41d4-8ff1-27124e3b67eb"/> <cybox:Observable idref="mandiant:observable-547ce69a-45e6-447d-93cb-e3f8408a21f0"/> <cybox:Observable idref="mandiant:observable-cd2cdf22-32a9-4631-95e3-1ea82be40d9d"/> <cybox:Observable idref="mandiant:observable-6111ae05-51da-40cb-bcd7-8c7309c7cc6c"/> <cybox:Observable 
idref="mandiant:observable-459a8ca3-5f37-4170-a310-b2edf02364cb"/> <cybox:Observable idref="mandiant:observable-7ef04110-a2d2-41d9-918d-64e6a57f404e"/> <cybox:Observable idref="mandiant:observable-0e37846c-82ac-4a10-b13e-f38868432948"/> <cybox:Observable idref="mandiant:observable-4ae2a86e-d5b1-4216-be43-cebb94582e3d"/> <cybox:Observable idref="mandiant:observable-9968a740-8e3f-4cce-a36b-0d4bf4fc61c0"/> <cybox:Observable idref="mandiant:observable-7ef2f6ae-079b-4726-a5ac-e55552afbf7e"/> <cybox:Observable idref="mandiant:observable-a99a13ad-6ffb-4307-bdef-62b7867ce6ba"/> <cybox:Observable idref="mandiant:observable-7fcc9f01-571e-48cf-b9c9-ad1cfab31df1"/> <cybox:Observable idref="mandiant:observable-b869caca-0e0a-4f03-b5ab-7cc08a1b652b"/> <cybox:Observable idref="mandiant:observable-cde9b415-e358-488e-aa21-aff40ac98d23"/> <cybox:Observable idref="mandiant:observable-1034f34d-94f4-4d2b-934a-1de2c16f1eec"/> <cybox:Observable idref="mandiant:observable-730cc249-816f-4f97-ad2c-2d9e32225093"/> <cybox:Observable idref="mandiant:observable-5b8ece81-1cda-40bc-a5b8-3336ecdc50c1"/> <cybox:Observable idref="mandiant:observable-8e8bf688-5355-4612-99c9-466a1c697bba"/> <cybox:Observable idref="mandiant:observable-908c651a-c3b4-40c6-a14a-3ff89bedc201"/> <cybox:Observable idref="mandiant:observable-847065ca-076b-4f2d-bf5a-52d635ab2fff"/> <cybox:Observable idref="mandiant:observable-02ef1c30-77f2-40d2-a230-05d5a3d50cd5"/> <cybox:Observable idref="mandiant:observable-25b1e82b-e775-40b3-8a45-eb741eab7d11"/> <cybox:Observable idref="mandiant:observable-44c50c55-da30-4a8f-81d5-2ca4452ed8ca"/> <cybox:Observable idref="mandiant:observable-fa7824d9-a3b6-4538-bc52-a41e71b67e2d"/> <cybox:Observable idref="mandiant:observable-60a8b2c7-e984-4f65-83b3-6e8bb0e4f8f3"/> <cybox:Observable idref="mandiant:observable-c9be368c-5105-494c-9a9f-bbd8527bd878"/> <cybox:Observable idref="mandiant:observable-ef26adb1-8229-4857-834d-2fd0aed4bd61"/> <cybox:Observable 
idref="mandiant:observable-d6a606bd-9931-451b-941b-377d55775735"/> <cybox:Observable idref="mandiant:observable-19bc2607-f1d1-42d8-a417-0b88981ce9a1"/> <cybox:Observable idref="mandiant:observable-78b46b61-44bb-430a-b671-75a0752af73a"/> <cybox:Observable id="mandiant:observable-04e1f6fa-fafc-45d7-b3fc-2cc7a58dd677"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-299cbd1a-5d55-4b3c-8dc5-b4a5b73c09af"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-34777547-62c7-4ab3-bc13-4dba65ca64e6"/> <cybox:Observable idref="mandiant:observable-0a7c6848-cf7c-43da-944a-c3459fe4f3c2"/> <cybox:Observable idref="mandiant:observable-ec005879-15d0-404b-b5b2-672f778a9720"/> <cybox:Observable idref="mandiant:observable-ea5a605d-135f-4958-872b-c918d7a0fe60"/> <cybox:Observable idref="mandiant:observable-c56cb637-df95-4ca1-8331-62e374681f49"/> <cybox:Observable idref="mandiant:observable-3a2ff9fb-d71a-4f01-936e-5388efefb515"/> <cybox:Observable idref="mandiant:observable-4c06b740-9ff8-49dd-bcc6-32433941411e"/> <cybox:Observable idref="mandiant:observable-ac8c800a-7cb6-42d5-aa4e-2e204219f921"/> <cybox:Observable idref="mandiant:observable-4b800446-1f51-4901-8207-f4a765d7e824"/> <cybox:Observable idref="mandiant:observable-46468ab0-0868-4482-8ab2-cc2e9d717a8d"/> <cybox:Observable idref="mandiant:observable-c6ee05b2-f173-4ebe-be00-dd30b192d70d"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-87da00cd-2ec7-40a0-ad53-08ef54813b47"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-1596173d-f923-4e7e-89c9-f2268cd0e4ee"/> <cybox:Observable idref="mandiant:observable-8392cd46-7c5f-4079-b846-486b4c4d0230"/> <cybox:Observable idref="mandiant:observable-403ff3cf-f214-4f80-88b5-f3acf6db91f0"/> <cybox:Observable idref="mandiant:observable-6ce3f781-0276-464a-a738-f2d5b2f4b3ff"/> <cybox:Observable 
idref="mandiant:observable-5dd9011a-4b8e-436c-81b0-c763c6e829f1"/> <cybox:Observable idref="mandiant:observable-ed8eb5dd-6688-4b7d-82cc-7ee23228fd61"/> <cybox:Observable idref="mandiant:observable-fc92a5be-9efb-4e97-b346-cfc41694fd47"/> <cybox:Observable idref="mandiant:observable-0f17dc1b-dc37-4347-814f-743b693de027"/> <cybox:Observable idref="mandiant:observable-8ddadd0e-7f42-479b-9302-a3242ef06384"/> <cybox:Observable idref="mandiant:observable-6a51dbc6-2057-4937-9bda-b59a7b75f055"/> <cybox:Observable idref="mandiant:observable-fc9d13f8-2b83-46f0-93e4-4723602ae018"/> <cybox:Observable idref="mandiant:observable-afc4e166-2691-402a-bc5c-dc42c3d6b8f1"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-59720908-3b08-4f6f-903b-38c8509e625c"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-1962f1db-579e-4c59-8f3d-542773d94685"/> <cybox:Observable idref="mandiant:observable-66f036a9-7356-49ca-b6f0-704df83fa1d8"/> <cybox:Observable idref="mandiant:observable-e46f8aa4-a6ea-4257-a62d-60cfbd9022db"/> <cybox:Observable idref="mandiant:observable-b75540ac-8276-44cf-a3fe-1da07b7bda18"/> <cybox:Observable idref="mandiant:observable-0f5dcb7e-02f5-47dc-8d06-8c502e0d0406"/> <cybox:Observable idref="mandiant:observable-fbe2d37c-af39-4317-b873-41af01884128"/> <cybox:Observable idref="mandiant:observable-c1c9cedb-d74c-4e26-8a39-c23acf1964ea"/> <cybox:Observable idref="mandiant:observable-e4dde78b-599f-4f4d-9b9b-4516dac8e9ae"/> <cybox:Observable idref="mandiant:observable-be04e251-82c5-4a90-9595-05502e582e13"/> <cybox:Observable idref="mandiant:observable-08b62b93-be74-4584-9685-3c101322f569"/> <cybox:Observable idref="mandiant:observable-59beae91-c2ad-4af2-b5b0-116528e7a41f"/> <cybox:Observable idref="mandiant:observable-08742793-fe7c-45fb-97cf-80e84d63551e"/> <cybox:Observable idref="mandiant:observable-3a0f2fe3-e881-4da3-a161-ffdd3ca0994f"/> <cybox:Observable 
idref="mandiant:observable-9a6d698b-8794-41e7-a607-ee1ff3ab4834"/> <cybox:Observable idref="mandiant:observable-f24539e2-dade-4bb8-9d8d-f11da6eafde4"/> <cybox:Observable idref="mandiant:observable-e1f6f860-28a1-4f0b-82e1-b2dcf3e70a85"/> <cybox:Observable idref="mandiant:observable-37b36018-0778-4cf6-b16c-7c5c47c030a9"/> <cybox:Observable idref="mandiant:observable-2378a653-b5fd-46bb-b242-f945ed89d293"/> <cybox:Observable idref="mandiant:observable-334ac7e0-1702-4cbd-a994-8709862b7b69"/> <cybox:Observable idref="mandiant:observable-ea32adaf-4049-4a91-a41a-a87884304724"/> <cybox:Observable idref="mandiant:observable-c4f3cffa-9df6-40d7-ace8-f9d1d8ba6ea7"/> <cybox:Observable idref="mandiant:observable-99178fe8-bfad-46da-a4b5-8c48945fe9d3"/> <cybox:Observable idref="mandiant:observable-b7107552-865c-4ed2-98c6-098c1dab40a9"/> <cybox:Observable idref="mandiant:observable-6f49e9fa-76d0-414b-ab9d-39134e6a0390"/> <cybox:Observable idref="mandiant:observable-7a25dc81-851e-4eb0-8abe-45d8358ab2bb"/> <cybox:Observable idref="mandiant:observable-397a7b49-bb8e-4f1d-8184-83ac9d207398"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <!-- References WEBC2 TTP rather than main APT1 TTP --> <stixCommon:TTP idref="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="c32b8af3-28d0-47d3-801f-a2c2b0129650" last-modified="2013-02-10T13:00:00"> <short_description>WEBC2-CLOVER (FAMILY)</short_description> <description>A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. 
The family of malware provides the attacker with an interactive command shell, the ability to upload and download files, execute commands on the system, list processes and DLLs, kill processes, and ping hosts on the local network. Responses to these commands are encrypted and compressed before being POSTed to the server. Some variants copy cmd.exe to Updatasched.exe in a temporary directory, and then may launch that in a process if an interactive shell is called. On initial invocation, the malware also attempts to delete previous copies of the Updatasched.exe file.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">WEBC2-CLOVER</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Backdoor</link> </links> <definition> <Indicator operator="OR" id="ef180c46-8d36-46bc-b45c-d88cefa85002"> <IndicatorItem id="683a261d-0d11-4d81-9974-f76244cf5f7f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8fc5fb519a222ab919f28d21545774c6</Content> </IndicatorItem> <IndicatorItem id="8164f745-0c7a-4971-9534-c32795908588" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7aef47f9fd84669976c4b152910a6328</Content> </IndicatorItem> <IndicatorItem id="2a604ece-4051-4e9c-bb04-00e3d9b62919" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5bac505fdc202e1c6507ef381a881ed1</Content> </IndicatorItem> <IndicatorItem id="4af929cc-8c82-4bee-ad17-dcf502c2f6d0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">29c691978af80dc23c4df96b5f6076bb</Content> </IndicatorItem> <IndicatorItem id="d4cfaa14-c00b-4729-8730-c19bb7ccaca4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">966db6a32ccf7e57394706abc3999189</Content> 
</IndicatorItem> <IndicatorItem id="caa9294b-a600-4186-9ade-64240f10e7e4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">668b92feb7cbcc7ac75ff97dcec28d10</Content> </IndicatorItem> <IndicatorItem id="5a75fcdb-49b6-4907-90c1-be1211df0d1d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7b3ce6c2af1acd119a25831fac670bab</Content> </IndicatorItem> <IndicatorItem id="746e58c4-5833-4d83-b0fc-b7c8cd13d388" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ba10b9486043f76bb9e9a160bc1d2576</Content> </IndicatorItem> <IndicatorItem id="ecf7494b-0ddf-42eb-bfd1-54caaad7b6c3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">68af7be698e8a7408451c158c04a9712</Content> </IndicatorItem> <IndicatorItem id="0d0fc96e-7cbe-41d4-8ff1-27124e3b67eb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a1cb8a9f2b8926afeb254a64f1d78ee3</Content> </IndicatorItem> <IndicatorItem id="547ce69a-45e6-447d-93cb-e3f8408a21f0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6846ad52c9208830ceaf4cfd81402015</Content> </IndicatorItem> <IndicatorItem id="cd2cdf22-32a9-4631-95e3-1ea82be40d9d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">56c26b175ae23d90244805a6ec347e42</Content> </IndicatorItem> <IndicatorItem id="6111ae05-51da-40cb-bcd7-8c7309c7cc6c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ba773e1608198cf8337c5902d7930710</Content> </IndicatorItem> <IndicatorItem id="459a8ca3-5f37-4170-a310-b2edf02364cb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">065e63afdfa539727f63af7530b22d2f</Content> </IndicatorItem> 
<IndicatorItem id="7ef04110-a2d2-41d9-918d-64e6a57f404e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bebbbc50a561681f48d174d6b7c2824e</Content> </IndicatorItem> <IndicatorItem id="0e37846c-82ac-4a10-b13e-f38868432948" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bb286e9969ca197b461286b679c0886e</Content> </IndicatorItem> <IndicatorItem id="4ae2a86e-d5b1-4216-be43-cebb94582e3d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3e32ab6a2eac5bd1cddd3146d1a1348b</Content> </IndicatorItem> <IndicatorItem id="9968a740-8e3f-4cce-a36b-0d4bf4fc61c0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">251c817f4144264c3e7a9dac03071daf</Content> </IndicatorItem> <IndicatorItem id="7ef2f6ae-079b-4726-a5ac-e55552afbf7e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3441cbdf8de9472c19b021b241429b22</Content> </IndicatorItem> <IndicatorItem id="a99a13ad-6ffb-4307-bdef-62b7867ce6ba" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2fccaa39533de02490b1c6395878dd79</Content> </IndicatorItem> <IndicatorItem id="7fcc9f01-571e-48cf-b9c9-ad1cfab31df1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2cdbeebcf4e0b6dbd24b8c7b4cd6d862</Content> </IndicatorItem> <IndicatorItem id="b869caca-0e0a-4f03-b5ab-7cc08a1b652b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9a58cc73e103fd5a14ef3564e35c03df</Content> </IndicatorItem> <IndicatorItem id="cde9b415-e358-488e-aa21-aff40ac98d23" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">eca18e3872fd32f17410167871fbd1d2</Content> </IndicatorItem> <IndicatorItem 
id="1034f34d-94f4-4d2b-934a-1de2c16f1eec" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">76ba06bac23a2c445cb982bf38b82199</Content> </IndicatorItem> <IndicatorItem id="730cc249-816f-4f97-ad2c-2d9e32225093" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cca290cd2abe96392378b71e9835ce06</Content> </IndicatorItem> <IndicatorItem id="5b8ece81-1cda-40bc-a5b8-3336ecdc50c1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">648ce1c45927b24563dd8361a1b74311</Content> </IndicatorItem> <IndicatorItem id="8e8bf688-5355-4612-99c9-466a1c697bba" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e22f2e9ee73ab8b12ee5069f7e39a615</Content> </IndicatorItem> <IndicatorItem id="908c651a-c3b4-40c6-a14a-3ff89bedc201" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7ab86c938b960dfc0c4ffbadd4163666</Content> </IndicatorItem> <IndicatorItem id="847065ca-076b-4f2d-bf5a-52d635ab2fff" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0829207a8400e2814990f79fbdfe7f4d</Content> </IndicatorItem> <IndicatorItem id="02ef1c30-77f2-40d2-a230-05d5a3d50cd5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">98bddd6c789a883afa1de3524bb8ea8e</Content> </IndicatorItem> <IndicatorItem id="25b1e82b-e775-40b3-8a45-eb741eab7d11" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d776379bda9fdf695d6a54db8a5b4c72</Content> </IndicatorItem> <IndicatorItem id="44c50c55-da30-4a8f-81d5-2ca4452ed8ca" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7253de652a025b2b4fa7b02e97a1ee6b</Content> </IndicatorItem> <IndicatorItem 
id="fa7824d9-a3b6-4538-bc52-a41e71b67e2d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9df30198f52b16925db1e3da61cfc754</Content> </IndicatorItem> <IndicatorItem id="60a8b2c7-e984-4f65-83b3-6e8bb0e4f8f3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a70aaf335f7f1a04c7fe194602b11c14</Content> </IndicatorItem> <IndicatorItem id="c9be368c-5105-494c-9a9f-bbd8527bd878" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cd6c1dbf08d8864b382678284ef13358</Content> </IndicatorItem> <IndicatorItem id="ef26adb1-8229-4857-834d-2fd0aed4bd61" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">177e0270f25a901c216ffb2e7a36e5b1</Content> </IndicatorItem> <IndicatorItem id="d6a606bd-9931-451b-941b-377d55775735" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0141955eb5b90ce25b506757ce151275</Content> </IndicatorItem> <IndicatorItem id="19bc2607-f1d1-42d8-a417-0b88981ce9a1" condition="contains"> <Context document="ProcessItem" search="ProcessItem/name" type="mir"/> <Content type="string">updatasched.exe</Content> <Comment>artifact for a possible interactive shell that the malware may launch</Comment> </IndicatorItem> <IndicatorItem id="bb1cca47-f39a-49b7-a2eb-6c5586730c1c" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">----------------------------7d6ea2d405fc</Content> <Comment>string used to separate posts to the C2 server</Comment> </IndicatorItem> <IndicatorItem id="78b46b61-44bb-430a-b671-75a0752af73a" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">Temp\Updatasched.exe</Content> <Comment>artifact for a copy of cmd.exe that the malware creates</Comment> </IndicatorItem> 
<!-- Heuristic branch of the WEBC2-CLOVER IOC. This AND group has three OR sub-groups: (1) file name or PE-header anomaly, (2) exact SizeInBytes, (3) exact PETimeStamp; one entry from each must match for the branch to fire (presumably against the same FileItem; confirm in the consuming tool). When porting this IOC to another detection format, keep the three groups joined: entries such as setup.exe or checksum_is_zero are generic and, evaluated alone, would likely flag legitimate software. -->
<Indicator operator="AND" id="04e1f6fa-fafc-45d7-b3fc-2cc7a58dd677"> <Indicator operator="OR" id="299cbd1a-5d55-4b3c-8dc5-b4a5b73c09af"> <IndicatorItem id="34777547-62c7-4ab3-bc13-4dba65ca64e6" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">tcplink.exe</Content> </IndicatorItem> <IndicatorItem id="0a7c6848-cf7c-43da-944a-c3459fe4f3c2" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">httpslink.exe</Content> </IndicatorItem> <IndicatorItem id="ec005879-15d0-404b-b5b2-672f778a9720" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">Temfoe367[1].htm</Content> </IndicatorItem> <IndicatorItem id="ea5a605d-135f-4958-872b-c918d7a0fe60" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">h1.exe</Content> </IndicatorItem> <IndicatorItem id="c56cb637-df95-4ca1-8331-62e374681f49" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">tc443.bin</Content> </IndicatorItem> <IndicatorItem id="3a2ff9fb-d71a-4f01-936e-5388efefb515" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">tc443.exe</Content> </IndicatorItem> <IndicatorItem id="4c06b740-9ff8-49dd-bcc6-32433941411e" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">new80.exe</Content> </IndicatorItem> <IndicatorItem id="ac8c800a-7cb6-42d5-aa4e-2e204219f921" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">setup.exe</Content> </IndicatorItem> <IndicatorItem id="4b800446-1f51-4901-8207-f4a765d7e824" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">adosetup.exe</Content> </IndicatorItem> <IndicatorItem 
id="46468ab0-0868-4482-8ab2-cc2e9d717a8d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">contains_eof_data</Content> <Comment>PE Header Anomaly identified in 14% of samples.</Comment> </IndicatorItem> <IndicatorItem id="c6ee05b2-f173-4ebe-be00-dd30b192d70d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 97% of samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="87da00cd-2ec7-40a0-ad53-08ef54813b47"> <IndicatorItem id="1596173d-f923-4e7e-89c9-f2268cd0e4ee" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">32768</Content> </IndicatorItem> <IndicatorItem id="8392cd46-7c5f-4079-b846-486b4c4d0230" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">50176</Content> </IndicatorItem> <IndicatorItem id="403ff3cf-f214-4f80-88b5-f3acf6db91f0" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">50689</Content> </IndicatorItem> <IndicatorItem id="6ce3f781-0276-464a-a738-f2d5b2f4b3ff" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">51200</Content> </IndicatorItem> <IndicatorItem id="5dd9011a-4b8e-436c-81b0-c763c6e829f1" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">52224</Content> </IndicatorItem> <IndicatorItem id="ed8eb5dd-6688-4b7d-82cc-7ee23228fd61" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">53248</Content> </IndicatorItem> <IndicatorItem id="fc92a5be-9efb-4e97-b346-cfc41694fd47" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> 
<Content type="int">53249</Content> </IndicatorItem> <IndicatorItem id="0f17dc1b-dc37-4347-814f-743b693de027" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">53608</Content> </IndicatorItem> <IndicatorItem id="8ddadd0e-7f42-479b-9302-a3242ef06384" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">53760</Content> </IndicatorItem> <IndicatorItem id="6a51dbc6-2057-4937-9bda-b59a7b75f055" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">53761</Content> </IndicatorItem> <IndicatorItem id="fc9d13f8-2b83-46f0-93e4-4723602ae018" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">54272</Content> </IndicatorItem> <IndicatorItem id="afc4e166-2691-402a-bc5c-dc42c3d6b8f1" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">54784</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="59720908-3b08-4f6f-903b-38c8509e625c"> <IndicatorItem id="1962f1db-579e-4c59-8f3d-542773d94685" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-01-15T03:30:11Z</Content> </IndicatorItem> <IndicatorItem id="66f036a9-7356-49ca-b6f0-704df83fa1d8" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-09-03T02:56:32Z</Content> </IndicatorItem> <IndicatorItem id="e46f8aa4-a6ea-4257-a62d-60cfbd9022db" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-03-22T12:59:55Z</Content> </IndicatorItem> <IndicatorItem id="b75540ac-8276-44cf-a3fe-1da07b7bda18" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-05-16T01:19:31Z</Content> 
</IndicatorItem> <IndicatorItem id="0f5dcb7e-02f5-47dc-8d06-8c502e0d0406" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-06-10T01:36:32Z</Content> </IndicatorItem> <IndicatorItem id="fbe2d37c-af39-4317-b873-41af01884128" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-06-14T03:38:58Z</Content> </IndicatorItem> <IndicatorItem id="c1c9cedb-d74c-4e26-8a39-c23acf1964ea" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-06-14T03:40:49Z</Content> </IndicatorItem> <IndicatorItem id="e4dde78b-599f-4f4d-9b9b-4516dac8e9ae" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-06-24T07:22:12Z</Content> </IndicatorItem> <IndicatorItem id="be04e251-82c5-4a90-9595-05502e582e13" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-09-22T09:11:41Z</Content> </IndicatorItem> <IndicatorItem id="08b62b93-be74-4584-9685-3c101322f569" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-09-22T09:15:45Z</Content> </IndicatorItem> <IndicatorItem id="59beae91-c2ad-4af2-b5b0-116528e7a41f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-10-10T00:20:22Z</Content> </IndicatorItem> <IndicatorItem id="08742793-fe7c-45fb-97cf-80e84d63551e" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-10-10T14:16:57Z</Content> </IndicatorItem> <IndicatorItem id="3a0f2fe3-e881-4da3-a161-ffdd3ca0994f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-10-31T03:15:21Z</Content> 
</IndicatorItem> <IndicatorItem id="9a6d698b-8794-41e7-a607-ee1ff3ab4834" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-11-03T02:43:11Z</Content> </IndicatorItem> <IndicatorItem id="f24539e2-dade-4bb8-9d8d-f11da6eafde4" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-11-03T03:38:17Z</Content> </IndicatorItem> <IndicatorItem id="e1f6f860-28a1-4f0b-82e1-b2dcf3e70a85" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-11-04T06:41:46Z</Content> </IndicatorItem> <IndicatorItem id="37b36018-0778-4cf6-b16c-7c5c47c030a9" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-11-04T06:50:05Z</Content> </IndicatorItem> <IndicatorItem id="2378a653-b5fd-46bb-b242-f945ed89d293" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-11-04T07:15:01Z</Content> </IndicatorItem> <IndicatorItem id="334ac7e0-1702-4cbd-a994-8709862b7b69" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-11-04T08:12:26Z</Content> </IndicatorItem> <IndicatorItem id="ea32adaf-4049-4a91-a41a-a87884304724" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-11-04T08:47:56Z</Content> </IndicatorItem> <IndicatorItem id="c4f3cffa-9df6-40d7-ace8-f9d1d8ba6ea7" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-11-04T09:38:23Z</Content> </IndicatorItem> <IndicatorItem id="99178fe8-bfad-46da-a4b5-8c48945fe9d3" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-12-09T19:29:48Z</Content> 
</IndicatorItem> <IndicatorItem id="b7107552-865c-4ed2-98c6-098c1dab40a9" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-12-30T18:48:59Z</Content> </IndicatorItem> <IndicatorItem id="6f49e9fa-76d0-414b-ab9d-39134e6a0390" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-01-09T19:15:34Z</Content> </IndicatorItem> <IndicatorItem id="7a25dc81-851e-4eb0-8abe-45d8358ab2bb" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-02-09T16:42:08Z</Content> </IndicatorItem> <IndicatorItem id="397a7b49-bb8e-4f1d-8184-83ac9d207398" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-05-30T23:59:47Z</Content> </IndicatorItem> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-fe6cb826-5c1a-42ac-bd7d-d505e9e93e64"> <indicator:Title>BANGAT (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> The BANGAT malware family shares a large amount of functionality with the AURIGA backdoor. The malware family contains functionality for keylogging, creating and killing processes, performing filesystem and registry modifications, spawning interactive command shells, performing process injection, logging off the current user or shutting down the local machine. In addition, the malware also implements a custom VNC like protocol which sends screenshots of the desktop to the C2 server and accepts keyboard and mouse input. The malware communicates to its C2 servers using SSL, with self signed SSL certificates. 
The malware family will create a copy of cmd.exe to perform its C2 activity, and replace the "Microsoft corp" strings in the cmd.exe binary with different values. The malware family typically maintains persistence through installing itself as a service. </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-38822ca2-da3c-4227-98d4-99f6e5ff0ecb"/> <cybox:Observable idref="mandiant:observable-9d06abfc-7aa5-47de-94bd-6e7eed8b3e6f"/> <cybox:Observable idref="mandiant:observable-c6e06654-0679-41f6-a20e-ffbbbd7a1f16"/> <cybox:Observable idref="mandiant:observable-248ed2af-7364-4aa6-b538-2aa921ce7853"/> <cybox:Observable idref="mandiant:observable-21d16b13-0d58-49f0-b428-be6c85a0aab0"/> <cybox:Observable idref="mandiant:observable-88f98414-fac5-4f39-ad01-4b53142fce0a"/> <cybox:Observable idref="mandiant:observable-fee95377-eb3f-4430-aa6e-7e2c8595e0f5"/> <cybox:Observable idref="mandiant:observable-e33113ac-7c7e-4018-ba18-ae2f2bada74f"/> <cybox:Observable idref="mandiant:observable-5f00eab4-7366-4e1c-9aa5-a4038ff5d922"/> <cybox:Observable idref="mandiant:observable-3b36e365-2e22-42a0-991a-b301bcd20167"/> <cybox:Observable idref="mandiant:observable-bc4afa08-94a9-4396-b400-a5c4e48a690f"/> <cybox:Observable idref="mandiant:observable-ab35a0d7-912c-450f-a408-10edba70b5a2"/> <cybox:Observable idref="mandiant:observable-f70884aa-cefb-4118-b78a-ee530bb8b294"/> <cybox:Observable idref="mandiant:observable-4e11eed7-9abd-4d35-8444-16f8b63aafaa"/> <cybox:Observable idref="mandiant:observable-c39460ba-79a3-4b47-b982-08979b03ac34"/> <cybox:Observable idref="mandiant:observable-0994c45a-1b81-4005-bf3f-2ce62953f5ad"/> <cybox:Observable idref="mandiant:observable-f1e2829e-a167-4def-ac7d-9e6376bb8955"/> <cybox:Observable idref="mandiant:observable-551ab1c8-62fd-48fa-9123-36c80aa8d42f"/> <cybox:Observable idref="mandiant:observable-6a94f445-c25d-465a-ba30-ee38f2c7da9b"/> <cybox:Observable 
idref="mandiant:observable-e4e373d5-4db3-47fe-9bdd-f39df988efe8"/> <cybox:Observable idref="mandiant:observable-86ce26a5-3591-4cb9-b59a-824f50c23e73"/> <cybox:Observable idref="mandiant:observable-eb4a8a89-d8dc-415d-a71c-367ca9e73665"/> <cybox:Observable idref="mandiant:observable-ace22436-43cb-438e-981d-e3aaa5e769a4"/> <cybox:Observable idref="mandiant:observable-f5823e4c-44e5-4ac4-af09-cabc298dc45e"/> <cybox:Observable idref="mandiant:observable-35be0a1d-546d-4caa-abaa-f865e7cb7ca1"/> <cybox:Observable idref="mandiant:observable-8dd03e58-b079-4e33-87e9-2d173383601c"/> <cybox:Observable idref="mandiant:observable-2862b907-8108-45c2-96e8-5c67459fd3c3"/> <cybox:Observable idref="mandiant:observable-ca0f64b1-91ed-4ee1-89f7-7a24ab485cd2"/> <cybox:Observable idref="mandiant:observable-f52198ec-5b13-4898-8171-119098c6c52e"/> <cybox:Observable idref="mandiant:observable-b125df15-52a2-4e2d-bc85-8e968f829b1d"/> <cybox:Observable idref="mandiant:observable-29903d16-d5f1-408a-8d21-e76a6a4a8bf1"/> <cybox:Observable idref="mandiant:observable-67a6269e-6339-41af-ab77-6f9376989bb7"/> <cybox:Observable idref="mandiant:observable-8353402f-e63a-414e-9ab9-7e86bc6a780f"/> <cybox:Observable idref="mandiant:observable-3bfba55a-068d-4349-9451-b234bffc7752"/> <cybox:Observable idref="mandiant:observable-fae77798-ac64-4a36-b045-e502e7d0907c"/> <cybox:Observable idref="mandiant:observable-18cafb49-fcb7-42a3-ac49-114471d6b60e"/> <cybox:Observable idref="mandiant:observable-4605d882-3903-4bc1-a435-54afb15ab622"/> <cybox:Observable idref="mandiant:observable-88f71b56-0790-4c08-816a-a47899b19482"/> <cybox:Observable idref="mandiant:observable-2214462b-7913-4b2d-abaa-1e14f74648ce"/> <cybox:Observable idref="mandiant:observable-65db8863-394f-45b0-895a-f19d82aba765"/> <cybox:Observable id="mandiant:observable-050c112a-0d87-47d9-85da-0da2f65ce6b6"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-087779c6-e2c3-4651-8f6a-7c241b5dcb02"> 
<cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-3c3c3dbf-ef47-44cb-a0c3-94e86cb46a0c"/> <cybox:Observable idref="mandiant:observable-787c0145-fc03-49cf-93eb-243b13b48a0a"/> <cybox:Observable idref="mandiant:observable-0fb08469-f6f1-4c66-bc67-31c76b0aedeb"/> <cybox:Observable idref="mandiant:observable-063a8a6d-1c5f-4983-9dd6-789073a28d67"/> <cybox:Observable idref="mandiant:observable-45f8cb0e-7cad-454a-99f7-b5f40436f434"/> <cybox:Observable idref="mandiant:observable-ab0dccc5-2ab2-4a0f-815b-90e8c29f64dc"/> <cybox:Observable idref="mandiant:observable-e2170e8e-0437-47cf-aac5-1fd90bdeb953"/> <cybox:Observable idref="mandiant:observable-beebab22-445f-4d29-bd65-98847863c5c0"/> <cybox:Observable idref="mandiant:observable-bf2c5c0f-2416-469a-abd8-d5168ce018b9"/> <cybox:Observable idref="mandiant:observable-35b9f095-5f44-4686-a19d-1f5ec89825e8"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-3ddf7901-92de-4f69-a969-fae710141a01"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-49065513-2cbe-4139-8f2f-522859593006"/> <cybox:Observable idref="mandiant:observable-f5cd2c03-bf5a-4d91-a2d5-9425564c7ad0"/> <cybox:Observable idref="mandiant:observable-24f98694-f3b6-48f0-b57e-f04c3c394b5e"/> <cybox:Observable idref="mandiant:observable-93a582c6-5653-44fd-85d2-840a546a9c1e"/> <cybox:Observable idref="mandiant:observable-08b90e51-8472-48f8-bf2a-8c5b01a811a0"/> <cybox:Observable idref="mandiant:observable-618986ce-43a1-4f77-a639-f6812b90d059"/> <cybox:Observable idref="mandiant:observable-4b2254df-ca35-47b7-a1d6-e445d2d3983a"/> <cybox:Observable idref="mandiant:observable-24d450aa-0ed1-423c-8b04-f7354ececee2"/> <cybox:Observable idref="mandiant:observable-3de7fcdd-2468-4fc1-849c-19422b0fb610"/> <cybox:Observable idref="mandiant:observable-7df638f2-2b8f-42cd-8302-87f1015b59af"/> <cybox:Observable 
idref="mandiant:observable-c888b9dc-cd7f-466b-8e57-a61d3b9b973e"/> <cybox:Observable idref="mandiant:observable-7e6234ce-83d1-4d60-a5e9-013cdd61e3db"/> <cybox:Observable idref="mandiant:observable-b43f1e82-aa52-4c9a-913c-de8f16a355b8"/> <cybox:Observable idref="mandiant:observable-ec6dce46-94ef-4960-95d8-ac52fd27f0c4"/> <cybox:Observable idref="mandiant:observable-e21bb7d2-fd72-4e9f-889f-3d77034ae2a4"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-3a64e82f-92ec-41e8-9d6b-40d1562dd97c"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-793c3646-6a5b-4bf4-8988-1229253dd0ae"/> <cybox:Observable idref="mandiant:observable-3f9a64d4-b613-4e74-8663-dc926488f9bf"/> <cybox:Observable idref="mandiant:observable-3d1e2fca-0041-4e36-89b3-7e72109a341b"/> <cybox:Observable idref="mandiant:observable-a6d215a3-c982-470d-955f-a46809f11be4"/> <cybox:Observable idref="mandiant:observable-30e82aa9-a0d5-469f-88a5-14b1106f15b9"/> <cybox:Observable idref="mandiant:observable-a261b463-e03d-405c-9260-6cd5de908afb"/> <cybox:Observable idref="mandiant:observable-242ea7d1-556b-4a56-ae9e-944b933fc3c0"/> <cybox:Observable idref="mandiant:observable-3f6ecafc-9fc9-437a-9edb-d9d1b0d7b23c"/> <cybox:Observable idref="mandiant:observable-99c32c9c-63c1-490f-9547-c10c2d2d8e46"/> <cybox:Observable idref="mandiant:observable-facc86c9-b8bf-4440-aed7-37d672b86e85"/> <cybox:Observable idref="mandiant:observable-a0a57eb6-d65b-49e1-9335-bfd351967120"/> <cybox:Observable idref="mandiant:observable-c23e845f-0bc4-4c46-a5bf-918ba7e1d89d"/> <cybox:Observable idref="mandiant:observable-80a250a7-45f0-4906-8d3d-07740940cde3"/> <cybox:Observable idref="mandiant:observable-bbb0c823-f06d-40e6-adfb-f7777daaaf65"/> <cybox:Observable idref="mandiant:observable-730da6e4-d34c-4bfd-9737-eed179ad750f"/> <cybox:Observable idref="mandiant:observable-caca04e0-13a4-4da0-a13d-32bb8f0f5886"/> </cybox:Observable_Composition> </cybox:Observable> 
</cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-0ce55a11-041b-4b01-a044-02b5a57dade3"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-c5f4875f-bd83-4f49-8f91-a35c9f37d078"/> <cybox:Observable idref="mandiant:observable-21f4ecd5-0708-41d2-ab8e-584ccf623aab"/> <cybox:Observable idref="mandiant:observable-2d2ac7c3-8b41-4ae4-b423-aa23f82f08da"/> <cybox:Observable idref="mandiant:observable-61a178f2-df41-4921-83ae-a0dff5d58a03"/> <cybox:Observable id="mandiant:observable-cbf37728-0936-4a93-8446-407b9de0f085"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-a4f42eea-f620-43bc-bf44-1124dfbf725a"/> <cybox:Observable idref="mandiant:observable-35026c99-16ff-4f99-9e10-d711c69b46e4"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-2c514706-1920-4f97-a10e-e96036c281db"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-88212ea8-b9c0-436e-bcdf-bf0559c16570"/> <cybox:Observable idref="mandiant:observable-b266e711-b366-4beb-ac83-7e664f1da2fb"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-fafa4ad8-bd1f-4c90-ab77-3245995c5710"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-3bbbe3e2-7eda-44f1-b673-218d8fa55d3a"/> <cybox:Observable id="mandiant:observable-e5822acd-9628-429c-ad5e-358c3ca46ee0"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-2db75f0e-3170-4717-88dd-8448d6e3d8ee"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-75cd59a2-c43a-4dfc-a61e-ec3213cbe528"> <cybox:Observable_Composition operator="AND"> <cybox:Observable 
id="mandiant:observable-b09a9afb-f9a4-4e0d-b431-710561899a19"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-e74c0a3f-fce3-4866-aa0b-b94692611fbe"/> <cybox:Observable idref="mandiant:observable-43ad4215-c7a6-47c4-882e-1bee62dce3ea"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-7f23053f-8954-4ad5-8825-b3f7e39190c5"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-1c29f192-3c04-4460-aeda-eba1d2eae6c1"/> <cybox:Observable idref="mandiant:observable-38fae862-37c4-4477-94dd-7ca59e25b702"/> <cybox:Observable idref="mandiant:observable-f6077161-29f9-49ef-b1a4-069cc33a5e36"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-44814488-7ac4-4889-831c-472012ebf55d"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-6e52337f-5ba6-44fd-a718-62c7cfa21ad5"/> <cybox:Observable idref="mandiant:observable-d5f12020-699e-43e9-b6c1-28da1e548ba2"/> <cybox:Observable idref="mandiant:observable-78463e6d-3b49-4c81-b2de-7c1e77ef59d1"/> <cybox:Observable id="mandiant:observable-6e78096d-4037-4450-984e-77e11f5df32b"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-28f31a01-8a90-4275-ab21-d7f62f100f02"/> <cybox:Observable idref="mandiant:observable-aa13179f-7b1e-42c7-b912-0fcbb536904e"/> <cybox:Observable idref="mandiant:observable-72fa8a43-78fa-458a-928a-d98a15b679ce"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-5bbfcb0d-7fc2-4b26-8084-5fba9ee5bd84"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-c2bc3a01-41b1-4324-b590-557d520c679e"/> <cybox:Observable id="mandiant:observable-453ed644-4710-4c8e-9e17-0a0cda0e0b94"> 
<cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-2501d25c-ae2c-459b-85ad-029eeae0b993"/> <cybox:Observable idref="mandiant:observable-9351f32d-0b46-4ec7-b65c-6ac7df141582"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-2f496eda-e86e-45ac-8e6d-de7b53079288"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-88e8261b-0f4c-4736-a653-e752453546d9"/> <cybox:Observable idref="mandiant:observable-5599fa3d-945a-4bf8-bef2-68fbc7c205be"/> <cybox:Observable idref="mandiant:observable-402db31f-c82c-443f-9d3a-a797e77ffd10"/> <cybox:Observable idref="mandiant:observable-10c51bbc-aab0-4143-8fb0-91b27a2688e9"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="c71b3305-85e5-4d51-b07c-ff227181fb5a" last-modified="2013-02-10T13:00:00"> <short_description>BANGAT (FAMILY)</short_description> <description>The BANGAT malware family shares a large amount of functionality with the AURIGA backdoor. The malware family contains functionality for keylogging, creating and killing processes, performing filesystem and registry modifications, spawning interactive command shells, performing process injection, logging off the current user or shutting down the local machine. In addition, the malware also implements a custom VNC like protocol which sends screenshots of the desktop to the C2 server and accepts keyboard and mouse input. The malware communicates to its C2 servers using SSL, with self signed SSL certificates. 
The malware family will create a copy of cmd.exe to perform its C2 activity, and replace the "Microsoft corp" strings in the cmd.exe binary with different values. The malware family typically maintains persistence through installing itself as a service.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="category">Backdoor</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="family">BANGAT</link> </links> <definition> <Indicator operator="OR" id="fe6cb826-5c1a-42ac-bd7d-d505e9e93e64"> <IndicatorItem id="38822ca2-da3c-4227-98d4-99f6e5ff0ecb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b631a3d832f7c22c26554711188f59c3</Content> </IndicatorItem> <IndicatorItem id="9d06abfc-7aa5-47de-94bd-6e7eed8b3e6f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">468ff2c12cffc7e5b2fe0ee6bb3b239e</Content> </IndicatorItem> <IndicatorItem id="c6e06654-0679-41f6-a20e-ffbbbd7a1f16" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">24f1b8266f4faf550999581bf0edac83</Content> </IndicatorItem> <IndicatorItem id="248ed2af-7364-4aa6-b538-2aa921ce7853" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cb3c5c3f53ecb2cb656fb0f4b8de03f6</Content> </IndicatorItem> <IndicatorItem id="21d16b13-0d58-49f0-b428-be6c85a0aab0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bf9aeefc53d97bb23d35d47986504cef</Content> </IndicatorItem> <IndicatorItem id="88f98414-fac5-4f39-ad01-4b53142fce0a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">25f240aed433c4ea52ccdb898e43756f</Content> </IndicatorItem> <IndicatorItem id="fee95377-eb3f-4430-aa6e-7e2c8595e0f5" condition="is"> <Context 
document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a510d0c9b7930abaa7aa6b0ac294e675</Content> </IndicatorItem> <IndicatorItem id="e33113ac-7c7e-4018-ba18-ae2f2bada74f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1e48f6ba839d2c4794e23c10e5c4c138</Content> </IndicatorItem> <IndicatorItem id="5f00eab4-7366-4e1c-9aa5-a4038ff5d922" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">727a6800991eead454e53e8af164a99c</Content> </IndicatorItem> <IndicatorItem id="3b36e365-2e22-42a0-991a-b301bcd20167" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a807ad465b2fe5859c85626e97eaf907</Content> </IndicatorItem> <IndicatorItem id="bc4afa08-94a9-4396-b400-a5c4e48a690f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8e8622c393d7e832d39e620ead5d3b49</Content> </IndicatorItem> <IndicatorItem id="ab35a0d7-912c-450f-a408-10edba70b5a2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ef8e0fb20e7228c7492ccdc59d87c690</Content> </IndicatorItem> <IndicatorItem id="f70884aa-cefb-4118-b78a-ee530bb8b294" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">07ae235391f7b290ea3a35067239a290</Content> </IndicatorItem> <IndicatorItem id="4e11eed7-9abd-4d35-8444-16f8b63aafaa" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">10a38dd9598cc31efe664cfaa8f37bf1</Content> </IndicatorItem> <IndicatorItem id="c39460ba-79a3-4b47-b982-08979b03ac34" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">df4da15796910690b05e393561b86fa1</Content> </IndicatorItem> <IndicatorItem id="0994c45a-1b81-4005-bf3f-2ce62953f5ad" condition="is"> <Context document="FileItem" 
search="FileItem/Md5sum" type="mir"/> <Content type="md5">7d25a80fe2c42368adaea5fcbab866b6</Content> </IndicatorItem> <IndicatorItem id="f1e2829e-a167-4def-ac7d-9e6376bb8955" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1809c3cc93332d7bc0799238519a2938</Content> </IndicatorItem> <IndicatorItem id="551ab1c8-62fd-48fa-9123-36c80aa8d42f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">db05df0498b59b42a8e493cf3c10c578</Content> </IndicatorItem> <IndicatorItem id="6a94f445-c25d-465a-ba30-ee38f2c7da9b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">abcaf816de63c632ec23d6bda3f02bb5</Content> </IndicatorItem> <IndicatorItem id="e4e373d5-4db3-47fe-9bdd-f39df988efe8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4c6bddcca2695d6202df38708e14fc7e</Content> </IndicatorItem> <IndicatorItem id="86ce26a5-3591-4cb9-b59a-824f50c23e73" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f0bab119faa296c680a10ba81693915e</Content> </IndicatorItem> <IndicatorItem id="eb4a8a89-d8dc-415d-a71c-367ca9e73665" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1baa7f5813e259c6346d1b02a1370d75</Content> </IndicatorItem> <IndicatorItem id="ace22436-43cb-438e-981d-e3aaa5e769a4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">698fbe7ed1ddd7f5c76b86fad3f7a485</Content> </IndicatorItem> <IndicatorItem id="f5823e4c-44e5-4ac4-af09-cabc298dc45e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6ebbfa603aa4e90148ad0b726806c359</Content> </IndicatorItem> <IndicatorItem id="35be0a1d-546d-4caa-abaa-f865e7cb7ca1" condition="is"> <Context document="FileItem" 
search="FileItem/Md5sum" type="mir"/> <Content type="md5">81ce61ed2dc567ce70589386563890ca</Content> </IndicatorItem> <IndicatorItem id="8dd03e58-b079-4e33-87e9-2d173383601c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e1b6940985a23e5639450f8391820655</Content> </IndicatorItem> <IndicatorItem id="2862b907-8108-45c2-96e8-5c67459fd3c3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bd402e910e03b70f00685d8b8be5093c</Content> </IndicatorItem> <IndicatorItem id="ca0f64b1-91ed-4ee1-89f7-7a24ab485cd2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">35008d12dfa47447112495f430e4aefe</Content> </IndicatorItem> <IndicatorItem id="f52198ec-5b13-4898-8171-119098c6c52e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c65617a4eedb8e0369ef8fe58ce20a02</Content> </IndicatorItem> <IndicatorItem id="b125df15-52a2-4e2d-bc85-8e968f829b1d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d74b169e98dd16d0f3af0dc770dffac0</Content> </IndicatorItem> <IndicatorItem id="29903d16-d5f1-408a-8d21-e76a6a4a8bf1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bd8b082b7711bc980252f988bb0ca936</Content> </IndicatorItem> <IndicatorItem id="67a6269e-6339-41af-ab77-6f9376989bb7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b3defdbd173738d44137f88a571647e1</Content> </IndicatorItem> <IndicatorItem id="8353402f-e63a-414e-9ab9-7e86bc6a780f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f4f8067d501bfef385274912d2a833b5</Content> </IndicatorItem> <IndicatorItem id="3bfba55a-068d-4349-9451-b234bffc7752" condition="is"> <Context document="FileItem" 
search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">funtion_dll.dll</Content> </IndicatorItem> <!-- NOTE(review): the IndicatorItems on this level are direct children of the top-level OR (fe6cb826-5c1a-42ac-bd7d-d505e9e93e64), so a single file-name, version-info or string match satisfies the whole indicator on its own. Treat such hits as lower confidence than the MD5 items and corroborate them before escalating. --> <IndicatorItem id="fae77798-ac64-4a36-b045-e502e7d0907c" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">rasauto16.dll</Content> </IndicatorItem> <IndicatorItem id="18cafb49-fcb7-42a3-ac49-114471d6b60e" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">AppMgmt32.dll</Content> </IndicatorItem> <IndicatorItem id="4605d882-3903-4bc1-a435-54afb15ab622" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">rasauto32.dll</Content> </IndicatorItem> <IndicatorItem id="88f71b56-0790-4c08-816a-a47899b19482" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/OriginalFilename" type="mir"/> <Content type="string">rasauto32.dll</Content> </IndicatorItem> <IndicatorItem id="2214462b-7913-4b2d-abaa-1e14f74648ce" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/InternalName" type="mir"/> <Content type="string">rasauto32.dll</Content> </IndicatorItem> <!-- NOTE(review): Content values are literal match strings. Spellings such as funtion_dll.dll, XriteProcessMemory, DreateRemoteThread and VrlDownloadCachedFile are as authored in the IOC; do not normalize or spell-correct them when porting these items to another rule format. --> <IndicatorItem id="56ffcd1c-05e1-4fa8-b655-cd68cdd343d1" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">XriteProcessMemory</Content> </IndicatorItem> <IndicatorItem id="8f9e331a-6594-4952-abe9-4472a66cbf06" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">DreateRemoteThread</Content> </IndicatorItem> <IndicatorItem id="7578dbe1-d944-4787-973f-b4b96f1822a7" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">VrlDownloadCachedFile</Content> </IndicatorItem> <IndicatorItem id="381aaadd-99cb-4f5a-ba35-d34790b3cca8" condition="contains"> 
<Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">Internet Explorer Version: %ld.%ld, Build Number: %ld</Content> </IndicatorItem> <IndicatorItem id="f88d4cd8-11dc-423c-8c41-11555bb7e904" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">SCetFlAKCetDrcoy</Content> </IndicatorItem> <IndicatorItem id="7b901c8f-1f90-4218-bb8f-7eab99ba4de7" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">Precent of used RAM: %ld%%</Content> </IndicatorItem> <IndicatorItem id="65db8863-394f-45b0-895a-f19d82aba765" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">UnServiceInstall</Content> </IndicatorItem> <Indicator operator="AND" id="050c112a-0d87-47d9-85da-0da2f65ce6b6"> <Indicator operator="OR" id="087779c6-e2c3-4651-8f6a-7c241b5dcb02"> <IndicatorItem id="3c3c3dbf-ef47-44cb-a0c3-94e86cb46a0c" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">Nwsapagent.dll</Content> </IndicatorItem> <IndicatorItem id="787c0145-fc03-49cf-93eb-243b13b48a0a" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">irmon32.dll</Content> </IndicatorItem> <IndicatorItem id="0fb08469-f6f1-4c66-bc67-31c76b0aedeb" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">svc.exe</Content> </IndicatorItem> <IndicatorItem id="063a8a6d-1c5f-4983-9dd6-789073a28d67" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">ctfmon.exe</Content> </IndicatorItem> <IndicatorItem id="45f8cb0e-7cad-454a-99f7-b5f40436f434" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content 
type="string">Update.exe</Content> </IndicatorItem> <IndicatorItem id="ab0dccc5-2ab2-4a0f-815b-90e8c29f64dc" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">svchost.exe</Content> </IndicatorItem> <IndicatorItem id="e2170e8e-0437-47cf-aac5-1fd90bdeb953" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">WINLOGON.EXE</Content> </IndicatorItem> <IndicatorItem id="beebab22-445f-4d29-bd65-98847863c5c0" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 97% samples.</Comment> </IndicatorItem> <IndicatorItem id="bf2c5c0f-2416-469a-abd8-d5168ce018b9" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">contains_eof_data</Content> <Comment>PE Header Anomaly identified in 6% samples.</Comment> </IndicatorItem> <IndicatorItem id="35b9f095-5f44-4686-a19d-1f5ec89825e8" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_mismatch</Content> <Comment>PE Header Anomaly identified in 3% samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="3ddf7901-92de-4f69-a969-fae710141a01"> <IndicatorItem id="49065513-2cbe-4139-8f2f-522859593006" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">102912</Content> </IndicatorItem> <IndicatorItem id="f5cd2c03-bf5a-4d91-a2d5-9425564c7ad0" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">598528</Content> </IndicatorItem> <IndicatorItem id="24f98694-f3b6-48f0-b57e-f04c3c394b5e" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content 
type="int">642048</Content> </IndicatorItem> <IndicatorItem id="93a582c6-5653-44fd-85d2-840a546a9c1e" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">645632</Content> </IndicatorItem> <IndicatorItem id="08b90e51-8472-48f8-bf2a-8c5b01a811a0" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">647168</Content> </IndicatorItem> <IndicatorItem id="618986ce-43a1-4f77-a639-f6812b90d059" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">647680</Content> </IndicatorItem> <IndicatorItem id="4b2254df-ca35-47b7-a1d6-e445d2d3983a" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">668672</Content> </IndicatorItem> <IndicatorItem id="24d450aa-0ed1-423c-8b04-f7354ececee2" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">725504</Content> </IndicatorItem> <IndicatorItem id="3de7fcdd-2468-4fc1-849c-19422b0fb610" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">754176</Content> </IndicatorItem> <IndicatorItem id="7df638f2-2b8f-42cd-8302-87f1015b59af" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">762880</Content> </IndicatorItem> <IndicatorItem id="c888b9dc-cd7f-466b-8e57-a61d3b9b973e" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">764416</Content> </IndicatorItem> <IndicatorItem id="7e6234ce-83d1-4d60-a5e9-013cdd61e3db" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">769024</Content> </IndicatorItem> <IndicatorItem id="b43f1e82-aa52-4c9a-913c-de8f16a355b8" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content 
type="int">769040</Content> </IndicatorItem> <IndicatorItem id="ec6dce46-94ef-4960-95d8-ac52fd27f0c4" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">778120</Content> </IndicatorItem> <IndicatorItem id="e21bb7d2-fd72-4e9f-889f-3d77034ae2a4" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">779264</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="3a64e82f-92ec-41e8-9d6b-40d1562dd97c"> <IndicatorItem id="793c3646-6a5b-4bf4-8988-1229253dd0ae" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-08-03T09:30:49Z</Content> </IndicatorItem> <IndicatorItem id="3f9a64d4-b613-4e74-8663-dc926488f9bf" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-12-08T02:58:21Z</Content> </IndicatorItem> <IndicatorItem id="3d1e2fca-0041-4e36-89b3-7e72109a341b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-02-03T08:22:33Z</Content> </IndicatorItem> <IndicatorItem id="a6d215a3-c982-470d-955f-a46809f11be4" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-02-09T08:29:43Z</Content> </IndicatorItem> <IndicatorItem id="30e82aa9-a0d5-469f-88a5-14b1106f15b9" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-04-20T03:39:27Z</Content> </IndicatorItem> <IndicatorItem id="a261b463-e03d-405c-9260-6cd5de908afb" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-05-25T02:50:41Z</Content> </IndicatorItem> <IndicatorItem id="242ea7d1-556b-4a56-ae9e-944b933fc3c0" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" 
type="mir"/> <Content type="date">2010-06-22T14:06:54Z</Content> </IndicatorItem> <IndicatorItem id="3f6ecafc-9fc9-437a-9edb-d9d1b0d7b23c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-10-24T13:19:49Z</Content> </IndicatorItem> <IndicatorItem id="99c32c9c-63c1-490f-9547-c10c2d2d8e46" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-10-25T07:31:08Z</Content> </IndicatorItem> <IndicatorItem id="facc86c9-b8bf-4440-aed7-37d672b86e85" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-10-25T09:51:31Z</Content> </IndicatorItem> <IndicatorItem id="a0a57eb6-d65b-49e1-9335-bfd351967120" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-11-18T12:26:06Z</Content> </IndicatorItem> <IndicatorItem id="c23e845f-0bc4-4c46-a5bf-918ba7e1d89d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-12-17T03:39:52Z</Content> </IndicatorItem> <IndicatorItem id="80a250a7-45f0-4906-8d3d-07740940cde3" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-01-11T03:22:02Z</Content> </IndicatorItem> <IndicatorItem id="bbb0c823-f06d-40e6-adfb-f7777daaaf65" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-10-19T09:16:10Z</Content> </IndicatorItem> <IndicatorItem id="730da6e4-d34c-4bfd-9737-eed179ad750f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-10-19T09:19:09Z</Content> </IndicatorItem> <IndicatorItem id="caca04e0-13a4-4da0-a13d-32bb8f0f5886" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" 
type="mir"/> <Content type="date">2011-11-07T14:59:20Z</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="0ce55a11-041b-4b01-a044-02b5a57dade3"> <IndicatorItem id="c5f4875f-bd83-4f49-8f91-a35c9f37d078" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileDescription" type="mir"/> <Content type="string">Remote Access AutoDial Manager</Content> </IndicatorItem> <IndicatorItem id="21f4ecd5-0708-41d2-ab8e-584ccf623aab" condition="isnot"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">rasauto.dll</Content> </IndicatorItem> <IndicatorItem id="2d2ac7c3-8b41-4ae4-b423-aa23f82f08da" condition="containsnot"> <Context document="FileItem" search="FileItem/FilePath" type="mir"/> <Content type="string">System Volume Information</Content> </IndicatorItem> <IndicatorItem id="61a178f2-df41-4921-83ae-a0dff5d58a03" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DigitalSignature/SignatureVerified" type="mir"/> <Content type="string">False</Content> </IndicatorItem> <Indicator operator="OR" id="cbf37728-0936-4a93-8446-407b9de0f085"> <IndicatorItem id="a4f42eea-f620-43bc-bf44-1124dfbf725a" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/OriginalFilename" type="mir"/> <Content type="string">rasauto</Content> </IndicatorItem> <IndicatorItem id="35026c99-16ff-4f99-9e10-d711c69b46e4" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/InternalName" type="mir"/> <Content type="string">rasauto</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="2c514706-1920-4f97-a10e-e96036c281db"> <IndicatorItem id="88212ea8-b9c0-436e-bcdf-bf0559c16570" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">mc_dll.dll</Content> </IndicatorItem> 
<IndicatorItem id="b266e711-b366-4beb-ac83-7e664f1da2fb" condition="isnot"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">mc_dll.dll</Content> </IndicatorItem> </Indicator> <!-- NOTE(review): this AND group (unverified service DLL signature plus one of three service display names) has no counterpart in the visible part of this indicator's CybOX Observable_Composition, where groups 2c514706 and fafa4ad8 are adjacent. Consumers that evaluate only the CybOX observables will presumably not apply this check; use the OpenIOC definition for it and confirm against the full file. --> <Indicator operator="AND" id="233ff4f3-00fd-41eb-b1f4-7c91ad9ac0b5"> <IndicatorItem id="6fb347dc-f77c-4a1d-966f-e2531ceabf16" condition="is"> <Context document="ServiceItem" search="ServiceItem/serviceDLLSignatureVerified" type="mir"/> <Content type="string">False</Content> </IndicatorItem> <Indicator operator="OR" id="5acdea98-225d-4fcd-bae3-4ebfe280375c"> <IndicatorItem id="f66bc8e1-2eef-4154-a796-0550509e9956" condition="is"> <Context document="ServiceItem" search="ServiceItem/descriptiveName" type="mir"/> <Content type="string">Infrared Monitor</Content> </IndicatorItem> <IndicatorItem id="b96aa030-1a84-4002-a308-e0af47f2a9d5" condition="is"> <Context document="ServiceItem" search="ServiceItem/descriptiveName" type="mir"/> <Content type="string">Gateway Service for Netware</Content> </IndicatorItem> <IndicatorItem id="243635e3-891a-4897-b7e7-20c5b1fa7826" condition="is"> <Context document="ServiceItem" search="ServiceItem/descriptiveName" type="mir"/> <Content type="string">Remote Access Auto Connection Manager</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="fafa4ad8-bd1f-4c90-ab77-3245995c5710"> <IndicatorItem id="3bbbe3e2-7eda-44f1-b673-218d8fa55d3a" condition="isnot"> <Context document="ServiceItem" search="ServiceItem/name" type="mir"/> <Content type="string">rasauto</Content> </IndicatorItem> <Indicator operator="OR" id="e5822acd-9628-429c-ad5e-358c3ca46ee0"> <!-- NOTE(review): item 00e329d3 below has no idref in the CybOX composition for e5822acd, which lists only 2db75f0e; the CybOX form of this OR is therefore narrower than this OpenIOC form. --> <IndicatorItem id="00e329d3-4ec7-4e33-a75a-e7f3b907d72d" condition="is"> <Context document="ServiceItem" search="ServiceItem/descriptiveName" type="mir"/> <Content type="string">Remote Access Auto Connection Manager</Content> </IndicatorItem> <IndicatorItem id="2db75f0e-3170-4717-88dd-8448d6e3d8ee" condition="is"> <Context document="ServiceItem" 
search="ServiceItem/description" type="mir"/> <Content type="string">Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="75cd59a2-c43a-4dfc-a61e-ec3213cbe528"> <Indicator operator="OR" id="b09a9afb-f9a4-4e0d-b431-710561899a19"> <IndicatorItem id="e74c0a3f-fce3-4866-aa0b-b94692611fbe" condition="is"> <Context document="RegistryItem" search="RegistryItem/ValueName" type="mir"/> <Content type="string">dwLowDateTime</Content> </IndicatorItem> <IndicatorItem id="43ad4215-c7a6-47c4-882e-1bee62dce3ea" condition="is"> <Context document="RegistryItem" search="RegistryItem/ValueName" type="mir"/> <Content type="string">dwHighDateTime</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="7f23053f-8954-4ad5-8825-b3f7e39190c5"> <IndicatorItem id="1c29f192-3c04-4460-aeda-eba1d2eae6c1" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">SOFTWARE\Microsoft\Time</Content> </IndicatorItem> <IndicatorItem id="38fae862-37c4-4477-94dd-7ca59e25b702" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">SOFTWARE\Time</Content> </IndicatorItem> <IndicatorItem id="f6077161-29f9-49ef-b1a4-069cc33a5e36" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">SOFTWARE\uinux</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="44814488-7ac4-4889-831c-472012ebf55d"> <IndicatorItem id="6e52337f-5ba6-44fd-a718-62c7cfa21ad5" condition="containsnot"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">cmd.exe</Content> </IndicatorItem> <IndicatorItem id="d5f12020-699e-43e9-b6c1-28da1e548ba2" condition="containsnot"> <Context document="FileItem" search="FileItem/FilePath" type="mir"/> 
<Content type="string">System Volume Information</Content> </IndicatorItem> <IndicatorItem id="78463e6d-3b49-4c81-b2de-7c1e77ef59d1" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Type" type="mir"/> <Content type="string">Executable</Content> </IndicatorItem> <Indicator operator="OR" id="6e78096d-4037-4450-984e-77e11f5df32b"> <IndicatorItem id="28f31a01-8a90-4275-ab21-d7f62f100f02" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileDescription" type="mir"/> <Content type="string">Windows Command Processor</Content> </IndicatorItem> <IndicatorItem id="aa13179f-7b1e-42c7-b912-0fcbb536904e" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/OriginalFilename" type="mir"/> <Content type="string">cmd.exe</Content> </IndicatorItem> <IndicatorItem id="72fa8a43-78fa-458a-928a-d98a15b679ce" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/InternalName" type="mir"/> <Content type="string">cmd</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="5bbfcb0d-7fc2-4b26-8084-5fba9ee5bd84"> <IndicatorItem id="c2bc3a01-41b1-4324-b590-557d520c679e" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/OriginalFilename" type="mir"/> <Content type="string">cmd.exe</Content> </IndicatorItem> <Indicator operator="OR" id="453ed644-4710-4c8e-9e17-0a0cda0e0b94"> <IndicatorItem id="2501d25c-ae2c-459b-85ad-029eeae0b993" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">mdm.exe</Content> </IndicatorItem> <IndicatorItem id="9351f32d-0b46-4ec7-b65c-6ac7df141582" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">ati.exe</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="2f496eda-e86e-45ac-8e6d-de7b53079288"> 
<IndicatorItem id="88e8261b-0f4c-4736-a653-e752453546d9" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/LegalCopyright" type="mir"/> <Content type="string">superhard corp</Content> </IndicatorItem> <IndicatorItem id="5599fa3d-945a-4bf8-bef2-68fbc7c205be" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/CompanyName" type="mir"/> <Content type="string">superhard corp</Content> </IndicatorItem> <IndicatorItem id="402db31f-c82c-443f-9d3a-a797e77ffd10" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/LegalCopyright" type="mir"/> <Content type="string">LinuxSoft corp</Content> </IndicatorItem> <IndicatorItem id="10c51bbc-aab0-4143-8fb0-91b27a2688e9" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/CompanyName" type="mir"/> <Content type="string">LinuxSoft corp</Content> </IndicatorItem> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator>
<!-- WEBC2-GREENCAT indicator. The same detection logic appears twice: as a CybOX
     Observable_Composition (idrefs to observables defined elsewhere in the package) and as the
     embedded OpenIOC definition under Test_Mechanisms. The observable ids reuse the GUIDs of the
     OpenIOC IndicatorItem / Indicator nodes with a "mandiant:observable-" prefix, so the two trees
     can be compared node by node. Top level is an OR: seven single observables (the seven MD5
     items in the IOC) plus two AND groups. -->
<stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-21bf65fc-6b48-4f89-91bd-cd2e413a4c0b"> <indicator:Title>WEBC2-GREENCAT (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This malware is a variant on the GREENCAT family, using a fixed web C2. This family is a full featured backdoor which provides remote command execution, file transfer, process and service enumeration and manipulation. It installs itself persistently through the current user's registry Run key. 
</indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-2cd52238-d7d3-408a-ba09-a63a95ae160e"/> <cybox:Observable idref="mandiant:observable-0b7a4f20-da90-4af7-8f9d-7c0c44e889c9"/> <cybox:Observable idref="mandiant:observable-a616730f-e5e6-4978-afc5-cf787245c676"/> <cybox:Observable idref="mandiant:observable-f8242e9c-fd45-4f9e-bb97-f46b70f9bdef"/> <cybox:Observable idref="mandiant:observable-73b8ab0a-ee16-4f76-8e25-bf5c03d24ed9"/> <cybox:Observable idref="mandiant:observable-e8b51a63-4891-45e3-9d89-f41659e80034"/> <cybox:Observable idref="mandiant:observable-05135d31-a7a2-48f5-a611-78659f78fed1"/> <cybox:Observable id="mandiant:observable-e14a9a56-a8b8-42db-b8b1-4b18316edbc2"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-18ca68c7-0226-4e7e-a390-cfea1954abe1"/> <cybox:Observable id="mandiant:observable-9c2799be-c29e-4395-b0f8-01b3bc7ff28d"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-b4835458-5f6d-43c1-871f-3ee59a1dfa74"/> <cybox:Observable idref="mandiant:observable-aba45806-0d84-43e9-a0a5-4dc2cfb8d1de"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-e58c64c7-97f1-4654-ba35-78b6f5398724"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-68c33374-5541-4c3f-9504-35688581fba7"/> <cybox:Observable idref="mandiant:observable-f34f5cc3-6bf6-42c6-9717-3b1534689dca"/> <cybox:Observable idref="mandiant:observable-c722f004-cc1e-41e4-9a42-50a91ca3ee13"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-3134f131-1d6f-4a53-94ad-c1808fd287be"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-77f453bc-6e1d-4702-87e0-bfcf737cfae2"/> <cybox:Observable 
idref="mandiant:observable-5523678d-401c-4b68-aadc-180bca8a43ea"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <!-- References WEBC2 TTP rather than main APT1 TTP --> <stixCommon:TTP idref="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="c7fa2ea5-36d5-4a52-a6cf-ddc2257cb6f9" last-modified="2013-02-10T13:00:00"> <short_description>WEBC2-GREENCAT (FAMILY)</short_description> <description>A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This malware is a variant on the GREENCAT family, using a fixed web C2. This family is a full featured backdoor which provides remote command execution, file transfer, process and service enumeration and manipulation. 
It installs itself persistently through the current user's registry Run key.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links>
<!-- NOTE(review): this entry has threatgroup "APT" and family "APT1", while the WEBC2-ADSPACE
     entry later in this file has threatgroup "APT1" and family "APT". The two entries disagree;
     confirm against the source IOC before grouping or pivoting on these link values. -->
<link rel="family">WEBC2-GREENCAT</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Backdoor</link> </links> <definition> <Indicator operator="OR" id="21bf65fc-6b48-4f89-91bd-cd2e413a4c0b">
<!-- Seven exact-match MD5 terms (condition="is"). Each matches only a byte-identical copy of a
     known sample; a recompiled, repacked or padded variant will not match, so coverage of
     variants rests on the two AND groups that follow. -->
<IndicatorItem id="2cd52238-d7d3-408a-ba09-a63a95ae160e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1ce4605e771a04e375e0d1083f183e8e</Content> </IndicatorItem> <IndicatorItem id="0b7a4f20-da90-4af7-8f9d-7c0c44e889c9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ba0c4d3dbf07d407211b5828405a9b91</Content> </IndicatorItem> <IndicatorItem id="a616730f-e5e6-4978-afc5-cf787245c676" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">55fb1409170c91740359d1d96364f17b</Content> </IndicatorItem> <IndicatorItem id="f8242e9c-fd45-4f9e-bb97-f46b70f9bdef" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">36c0d3f109aede4d76b05431f8a64f9e</Content> </IndicatorItem> <IndicatorItem id="73b8ab0a-ee16-4f76-8e25-bf5c03d24ed9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2bdc196cdac4478ae325c94bab433732</Content> </IndicatorItem> <IndicatorItem id="e8b51a63-4891-45e3-9d89-f41659e80034" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e54ce5f0112c9fdfe86db17e85a5e2c5</Content> </IndicatorItem> <IndicatorItem id="05135d31-a7a2-48f5-a611-78659f78fed1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e83f60fb0e0396ea309faf0aed64e53f</Content> </IndicatorItem>
<!-- File-attribute AND group: PE timestamp AND (one of two file sizes) AND (one of: two file
     names, or the PE anomaly checksum_is_zero). The anomaly is an alternative to the file names,
     not an additional requirement, so a renamed sample still matches when timestamp, size and
     zero checksum hold. Both listed names are also used by legitimate software (Windows Update
     client, Adobe Reader speed launcher), so a name match on its own is not evidence. -->
<Indicator operator="AND" 
id="e14a9a56-a8b8-42db-b8b1-4b18316edbc2"> <IndicatorItem id="18ca68c7-0226-4e7e-a390-cfea1954abe1" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-02-05T07:14:01Z</Content> </IndicatorItem> <Indicator operator="OR" id="9c2799be-c29e-4395-b0f8-01b3bc7ff28d"> <IndicatorItem id="b4835458-5f6d-43c1-871f-3ee59a1dfa74" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">17408</Content> </IndicatorItem> <IndicatorItem id="aba45806-0d84-43e9-a0a5-4dc2cfb8d1de" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">20480</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="e58c64c7-97f1-4654-ba35-78b6f5398724"> <IndicatorItem id="68c33374-5541-4c3f-9504-35688581fba7" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">reader_sl.exe</Content> </IndicatorItem> <IndicatorItem id="f34f5cc3-6bf6-42c6-9717-3b1534689dca" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">wuauclt.exe</Content> </IndicatorItem> <IndicatorItem id="c722f004-cc1e-41e4-9a42-50a91ca3ee13" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>anomaly found in 100% of samples</Comment> </IndicatorItem> </Indicator> </Indicator>
<!-- Process-handle AND group: handle Type is "Mutant" AND handle Name is "ADR32" (the mutex the
     Comment below attributes to this family). The two items are separate conditions under
     ProcessItem/HandleList; NOTE(review): nothing here ties them to the same handle entry, so
     confirm how the evaluating engine scopes the AND before relying on it for triage. -->
<Indicator operator="AND" id="3134f131-1d6f-4a53-94ad-c1808fd287be"> <IndicatorItem id="77f453bc-6e1d-4702-87e0-bfcf737cfae2" condition="is"> <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Type" type="mir"/> <Content type="string">Mutant</Content> </IndicatorItem> <IndicatorItem id="5523678d-401c-4b68-aadc-180bca8a43ea" condition="is"> <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/> <Content 
type="string">ADR32</Content> <Comment>mutex routinely created by this family of malware</Comment> </IndicatorItem> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-d2acafe2-2f6a-4102-b96c-ba12300e6d7c"> <indicator:Title>WEBC2-ADSPACE (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware is capable of downloading and executing a file. All variants represented here are the same file with different MD5 signatures. This malware attempts to contact its C2 once a week (Thursday at 10:00 AM). It looks for commands inside a set of HTML tags, part of which are in the File Strings indicator term below. 
</indicator:Description>
<!-- WEBC2-ADSPACE observables: an OR over four single observables (the four MD5 items in the
     OpenIOC definition below) and two AND groups. Observable ids reuse the OpenIOC node GUIDs with
     a "mandiant:observable-" prefix. The Description above states a once-a-week C2 contact;
     NOTE(review): with a beacon that infrequent, a short network capture can miss it, so the
     host-based terms here are the more dependable hunt criteria. -->
<indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-40d39716-f0bb-4360-a1f7-4c487a544e52"/> <cybox:Observable idref="mandiant:observable-db0b3904-e4ce-4ba7-b78a-997dfc7294ad"/> <cybox:Observable idref="mandiant:observable-4e906014-3f3f-4195-a4d7-9692af02c769"/> <cybox:Observable idref="mandiant:observable-f68e07c1-84f1-4adb-993b-e30623d2b0a2"/> <cybox:Observable id="mandiant:observable-5a8b3235-c0ab-4c40-a8c6-43f2231c74ac"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-baea7191-c99c-41cb-b77a-9613e0862c4d"/> <cybox:Observable idref="mandiant:observable-9691e34e-db47-43c8-a10c-9fca493c2f08"/> <cybox:Observable idref="mandiant:observable-ab0da8b0-a378-49b0-8988-ac306a0e300d"/> <cybox:Observable idref="mandiant:observable-692dd347-aa8a-4c5e-ae11-992ab92c25bd"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-2c600a2f-3ee3-485a-b82f-b4cf6b5e3068"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-58675ee5-ecfd-4f82-8141-852229abc057"/> <cybox:Observable idref="mandiant:observable-429aca10-0269-475e-83fc-178768f88cd1"/> <cybox:Observable idref="mandiant:observable-197c2433-0ff1-4e12-8523-552090491d32"/> <cybox:Observable idref="mandiant:observable-7a2fdbf8-7995-441a-95f5-3aed2db1e4ed"/> <cybox:Observable idref="mandiant:observable-29888eb8-ce8e-4548-bdca-7e6bbc145a7e"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <!-- References WEBC2 TTP rather than main APT1 TTP --> <stixCommon:TTP idref="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" 
id="d14d5f09-9050-4769-b00d-30fce9e6eb85" last-modified="2013-02-10T13:00:00"> <short_description>WEBC2-ADSPACE (FAMILY)</short_description> <description>A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware is capable of downloading and executing a file. All variants represented here are the same file with different MD5 signatures. This malware attempts to contact its C2 once a week (Thursday at 10:00 AM). It looks for commands inside a set of HTML tags, part of which are in the File Strings indicator term below.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links>
<!-- NOTE(review): this entry has threatgroup "APT1" and family "APT", while the WEBC2-GREENCAT
     entry earlier in this file has threatgroup "APT" and family "APT1". The two entries disagree;
     confirm against the source IOC before grouping or pivoting on these link values. -->
<link rel="family">WEBC2-ADSPACE</link> <link rel="threatgroup">APT1</link> <link rel="family">APT</link> <link rel="category">Backdoor</link> </links> <definition> <Indicator operator="OR" id="d2acafe2-2f6a-4102-b96c-ba12300e6d7c">
<!-- Four exact-match MD5 terms (condition="is"). The description says the variants are the same
     file with different MD5 values, so a hash list cannot be assumed complete; the string and
     structural terms that follow are what generalise to unlisted copies. -->
<IndicatorItem id="40d39716-f0bb-4360-a1f7-4c487a544e52" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ab00b38179851c8aa3f9bc80ed7baa23</Content> </IndicatorItem> <IndicatorItem id="db0b3904-e4ce-4ba7-b78a-997dfc7294ad" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8dc3561ca52bfe40089f3ee0af7fdd9d</Content> </IndicatorItem> <IndicatorItem id="4e906014-3f3f-4195-a4d7-9692af02c769" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">05cc052686fbdf25fb610c1fe120195f</Content> </IndicatorItem> <IndicatorItem id="f68e07c1-84f1-4adb-993b-e30623d2b0a2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">76f6c7301dbf0219eae991d65804292a</Content> </IndicatorItem>
<!-- File-string term (C2 delimiter). NOTE(review): the CybOX Observable_Composition of this
     indicator references no observable with this item's GUID, so this term exists only in the
     OpenIOC definition. A consumer that evaluates only the CybOX side never tests for the
     string; this matches the lossy conversion described in the file's header comment. -->
<IndicatorItem id="1ef7ea41-333d-48fe-bfd4-25f3261a8772" 
condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">!---HEADER ADSPACE style=</Content> <Comment>unique string containing delimiter for C2 information</Comment> </IndicatorItem>
<!-- File-attribute AND group: PE anomaly checksum_is_zero AND file name AND size AND PE
     timestamp, all exact ("is") matches. Because the file name is a required member, a renamed
     copy does not satisfy this group. -->
<Indicator operator="AND" id="5a8b3235-c0ab-4c40-a8c6-43f2231c74ac"> <IndicatorItem id="baea7191-c99c-41cb-b77a-9613e0862c4d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> <IndicatorItem id="9691e34e-db47-43c8-a10c-9fca493c2f08" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">ersvc.dll</Content> </IndicatorItem> <IndicatorItem id="ab0da8b0-a378-49b0-8988-ac306a0e300d" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">7168</Content> </IndicatorItem> <IndicatorItem id="692dd347-aa8a-4c5e-ae11-992ab92c25bd" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-07-20T08:33:01Z</Content> </IndicatorItem> </Indicator>
<!-- Export-table AND group: export DLL name AND three exported function names AND an export
     count of 3. None of these depends on the on-disk file name, size or hash, so this group
     still applies to a copy that has been renamed. -->
<Indicator operator="AND" id="2c600a2f-3ee3-485a-b82f-b4cf6b5e3068"> <IndicatorItem id="58675ee5-ecfd-4f82-8141-852229abc057" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">svchostdll.dll</Content> <Comment>unique DLL export found in this family of malware</Comment> </IndicatorItem> <IndicatorItem id="429aca10-0269-475e-83fc-178768f88cd1" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">Mcdl</Content> </IndicatorItem> <IndicatorItem id="197c2433-0ff1-4e12-8523-552090491d32" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" 
type="mir"/> <Content type="string">ProceA</Content> </IndicatorItem> <IndicatorItem id="7a2fdbf8-7995-441a-95f5-3aed2db1e4ed" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">ServiceMain</Content> </IndicatorItem> <IndicatorItem id="29888eb8-ce8e-4548-bdca-7e6bbc145a7e" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/NumberOfFunctions" type="mir"/> <Content type="int">3</Content> </IndicatorItem> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-f668a9bf-4b6a-4f88-a5e0-3177dd01dcc8"> <indicator:Title>TARSIP-ECLIPSE (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> The TARSIP malware family is a backdoor which communicates over encoded information in HTTPS headers. Typical TARSIP malware samples will only beacon out to their C2 servers if the C2 DNS address resolves to a specific address. The capability of TARSIP backdoors includes file uploading, file downloading, interactive command shells, process enumeration, process creation, process termination. The TARSIP-ECLIPSE family is distinguished by the presence of 'eclipse' in .pdb debug strings present in the malware samples. It does not provide a built in mechanism to maintain persistence. 
</indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-16859489-bf90-4c44-b6f1-1146258871c2"/> <cybox:Observable idref="mandiant:observable-f1053374-a3b6-41c1-bbd0-e9b9e92b5a97"/> <cybox:Observable idref="mandiant:observable-516c2663-5851-4c26-aba0-46d0dc1753e2"/> <cybox:Observable idref="mandiant:observable-2bcaef53-b39e-4a60-8a68-bb8a187f5348"/> <cybox:Observable idref="mandiant:observable-52374985-61b0-488c-8604-81041f214bda"/> <cybox:Observable idref="mandiant:observable-bc9243b2-205d-4b7b-8a5d-1b2eadb493db"/> <cybox:Observable idref="mandiant:observable-4f414936-b5f0-48cf-a86d-64f25490e994"/> <cybox:Observable idref="mandiant:observable-a6e92acd-e501-4fcf-97fa-70279caf4281"/> <cybox:Observable idref="mandiant:observable-1fce39bd-9034-48b0-9c5a-f4014b288fc6"/> <cybox:Observable idref="mandiant:observable-d799b3b2-65f7-475c-ac3a-2de5848bda51"/> <cybox:Observable idref="mandiant:observable-f5dcbb05-92dc-49db-a75b-30147a473fde"/> <cybox:Observable idref="mandiant:observable-505a3b18-1ccb-4053-b97d-73098706731d"/> <cybox:Observable idref="mandiant:observable-8c43952d-d204-466b-9245-afcd5aa28a78"/> <cybox:Observable idref="mandiant:observable-366e97fa-a5e0-48c1-b7e1-5b52287ee306"/> <cybox:Observable idref="mandiant:observable-06d1a19f-dda5-47b8-85f2-7b12e29bcbb5"/> <cybox:Observable idref="mandiant:observable-62cf077f-d030-4137-aae3-09816bf2ef61"/> <cybox:Observable idref="mandiant:observable-c1c28821-0670-4e5c-8c20-c66b047fb24a"/> <cybox:Observable idref="mandiant:observable-f8125fae-93dd-4c74-90b9-a4ed878bf0a3"/> <cybox:Observable idref="mandiant:observable-82ab7c92-d254-489e-9163-1610b73fa4b5"/> <cybox:Observable idref="mandiant:observable-6778068c-cbcc-425d-a972-e06417e8cfe8"/> <cybox:Observable idref="mandiant:observable-4a7bd981-b6ca-408b-b494-990fad2395a4"/> <cybox:Observable idref="mandiant:observable-abc6ce39-f145-4e87-b66a-bcf43f549543"/> <cybox:Observable 
idref="mandiant:observable-31e7a16d-16ae-4cf9-b009-488616960e6b"/> <cybox:Observable idref="mandiant:observable-466c38cb-fb4e-4ba7-b240-9669f18e5a69"/> <cybox:Observable idref="mandiant:observable-c31874e1-7a11-4880-ab82-06d1caabc127"/> <cybox:Observable idref="mandiant:observable-40ed1d0d-d8ce-424b-a0cc-12a91e967667"/> <cybox:Observable idref="mandiant:observable-f677abab-b01b-4fce-b816-ae445a06f3cf"/> <cybox:Observable idref="mandiant:observable-1f03140b-a1ba-404d-87da-dc056f38b2c2"/> <cybox:Observable idref="mandiant:observable-ee46fcd4-3db7-43d9-982e-c1f355cb8a2d"/> <cybox:Observable idref="mandiant:observable-3e11f44a-a281-402e-94fa-2c5b5e11afc8"/> <cybox:Observable idref="mandiant:observable-105ba0b5-98ff-4ec0-9924-8e2d9aea9ae5"/> <cybox:Observable idref="mandiant:observable-ff34011f-82fc-4724-a777-72dcb9b71669"/> <cybox:Observable idref="mandiant:observable-6df46401-4584-4a71-80e7-a4bfae13af47"/> <cybox:Observable idref="mandiant:observable-dbe6656d-7fb5-4eb6-8af4-55090729346d"/> <cybox:Observable idref="mandiant:observable-4922ceda-a600-4d77-b0fb-da22546dfbf1"/> <cybox:Observable idref="mandiant:observable-0e5cade4-6142-45f8-9352-e6b2135ef855"/> <cybox:Observable idref="mandiant:observable-9c48ccf0-88cb-4deb-b6c9-6bcbd9b5cfce"/> <cybox:Observable id="mandiant:observable-34f04118-954b-4a0e-b5ec-fa35295728b5"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-27f96c28-2b32-4fde-a6fc-83c70c8cb85f"/> <cybox:Observable id="mandiant:observable-d183331e-bc84-4b62-a690-2f95e2dc726a"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-b659bc12-8ce3-4bb4-b860-ff1ac8481f1b"/> <cybox:Observable idref="mandiant:observable-06f2180a-cd95-4b07-a11f-1505119796ce"/> <cybox:Observable idref="mandiant:observable-3dfadc75-39ee-4caa-bf0f-419bc2cba91e"/> <cybox:Observable idref="mandiant:observable-4f3c9762-9c28-4c44-a5a1-100451d94db8"/> <cybox:Observable 
idref="mandiant:observable-d900959c-d0a2-4b9e-bd52-dc37a15b0384"/> <cybox:Observable idref="mandiant:observable-458e871a-f71f-4951-9913-6ddd05d05187"/> <cybox:Observable idref="mandiant:observable-09378fd1-d8c0-4776-979b-5bd9edf3c4ee"/> <cybox:Observable idref="mandiant:observable-037141d8-7bf5-49f6-bcbb-593c95a93afa"/> <cybox:Observable idref="mandiant:observable-6bc51ce5-9ffc-45c4-9ace-434e971d01af"/> <cybox:Observable idref="mandiant:observable-4b572912-d252-459a-a96b-c3831577f5a1"/> <cybox:Observable idref="mandiant:observable-664d4ff1-4b8b-4b8a-b1e2-984468b91124"/> <cybox:Observable idref="mandiant:observable-b9f5122c-69f7-476c-92c8-98f938680b24"/> <cybox:Observable idref="mandiant:observable-c4a48724-3122-4808-9d81-5aec50f4f353"/> <cybox:Observable idref="mandiant:observable-e6f1a8e1-9e63-4b79-adce-632afe00b852"/> <cybox:Observable idref="mandiant:observable-be895f16-33ac-43bd-bf12-27ec9bf99bce"/> <cybox:Observable idref="mandiant:observable-b21afd11-b416-44b4-abb9-c23227c3849d"/> <cybox:Observable idref="mandiant:observable-5c21d3cf-36df-4aad-aadd-025251e3afc5"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-8fcbaef3-1374-4b6a-ab0c-4b5ab827fe25"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-30d502b3-8ff5-4b49-b914-41cfdeb3e33d"/> <cybox:Observable idref="mandiant:observable-bda0241d-f41b-4732-87eb-212ee38f4d4c"/> <cybox:Observable idref="mandiant:observable-b33d4d1a-36fb-4a78-b30b-c90144b27fff"/> <cybox:Observable idref="mandiant:observable-47c15c0a-2e85-4a51-9cd7-8e5c7e090c13"/> <cybox:Observable idref="mandiant:observable-88c052a4-aeca-4bbe-910f-4a4e985b19c1"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-087f48c5-b716-4b3f-9383-4d8343543777"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-9fdf7436-dcfc-44e6-9682-ede1a904a8d6"/> <cybox:Observable 
idref="mandiant:observable-9f8e1195-cfd8-4758-a0ab-0662f8a25153"/> <cybox:Observable idref="mandiant:observable-9efb7d6a-9e86-4e8a-a7fa-3506bddcb11f"/> <cybox:Observable idref="mandiant:observable-cec0f07a-1b8a-4808-a01a-30831ec6f1b9"/> <cybox:Observable idref="mandiant:observable-0afb9eab-d49c-4d0e-a92c-22c3c2fe68fd"/> <cybox:Observable idref="mandiant:observable-1805fcba-aa2c-4ba3-8af3-799ef76ef233"/> <cybox:Observable idref="mandiant:observable-e673611e-0a91-4ee6-b1f2-e050786b86b1"/> <cybox:Observable idref="mandiant:observable-8f20a71d-fdc8-4c62-8653-2d5a47b47538"/> <cybox:Observable idref="mandiant:observable-860cd4de-858f-4377-a0f1-5547528449b2"/> <cybox:Observable idref="mandiant:observable-c1cee7fc-1445-4b83-aa8a-a4fe201242be"/> <cybox:Observable idref="mandiant:observable-fe64f26b-93c6-47d5-b07c-53e80dda5d71"/> <cybox:Observable idref="mandiant:observable-f2291c9a-18a2-462e-bce3-647ec6553c33"/> <cybox:Observable idref="mandiant:observable-ddfdb883-32b5-4291-a2c8-a56f4591d23c"/> <cybox:Observable idref="mandiant:observable-741c5c64-4c0d-4a88-9094-dc0fbeb83b52"/> <cybox:Observable idref="mandiant:observable-25aec029-7e15-4c9c-8292-cea5e05b811d"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-71de9281-517e-4240-b638-9996c6dcadc5"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-cc257cdc-fdfe-45ba-b86a-14ebf3372169"/> <cybox:Observable idref="mandiant:observable-cd2333fb-5078-4da7-ae4d-89245496790b"/> <cybox:Observable idref="mandiant:observable-e3cb60ae-ea22-4747-a006-713e432bcb61"/> <cybox:Observable idref="mandiant:observable-635fd8ae-d31f-4df1-8150-7f05d92bf25c"/> <cybox:Observable idref="mandiant:observable-c5aeccc1-a893-433c-abb9-7614e0db2ca0"/> <cybox:Observable idref="mandiant:observable-ce72d543-62fc-42f2-ad7f-66af65afe283"/> <cybox:Observable idref="mandiant:observable-bd4632c6-db72-43f7-b310-528a092f1c2c"/> 
<cybox:Observable idref="mandiant:observable-a286532e-fc8e-4536-bd96-2a40f71f214c"/> <cybox:Observable idref="mandiant:observable-fbebb317-e18c-4200-b0bd-2053a37a05f5"/> <cybox:Observable idref="mandiant:observable-9d09ab31-9629-4ee8-ba2d-95a4005c36f7"/> <cybox:Observable idref="mandiant:observable-8a8f3581-1eb8-4ccf-a10b-08713124835c"/> <cybox:Observable idref="mandiant:observable-f3a7a07d-0cc9-4283-92b7-18fd91ea48ee"/> <cybox:Observable idref="mandiant:observable-fd7efdda-4cc9-472d-b5c9-d1630c9699ee"/> <cybox:Observable idref="mandiant:observable-bea2fd16-a0c1-4172-bfd1-d9eb4ac5bfce"/> <cybox:Observable idref="mandiant:observable-7a1efd44-7c2c-465f-bcc3-683cbce315fa"/> <cybox:Observable idref="mandiant:observable-afa87e92-cfe2-42b9-9287-e5c555a4252c"/> <cybox:Observable idref="mandiant:observable-a548aa9a-a6d2-40bf-9f59-7757252a18d5"/> <cybox:Observable idref="mandiant:observable-bfbb6695-1a79-45d8-963a-4b586550f7c8"/> <cybox:Observable idref="mandiant:observable-9193beaa-8f85-4dc9-aac8-530a8fa438d0"/> <cybox:Observable idref="mandiant:observable-59a72444-46ab-4760-847f-a88b883079c5"/> <cybox:Observable id="mandiant:observable-0756e01a-1c8f-42d1-adcc-1f486df1d185"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-2c1d1562-23b0-48fe-89db-70d82bb6eaa0"/> <cybox:Observable idref="mandiant:observable-93ad3a5e-5c01-44c8-b126-e3aa33fe9b50"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="d1c65316-cddd-4d9c-8efe-c539aa5965c0" last-modified="2013-02-10T13:00:00"> <short_description>TARSIP-ECLIPSE (FAMILY)</short_description> 
<description>The TARSIP malware family is a backdoor which communicates over encoded information in HTTPS headers. Typical TARSIP malware samples will only beacon out to their C2 servers if the C2 DNS address resolves to a specific address. The capability of TARSIP backdoors includes file uploading, file downloading, interactive command shells, process enumeration, process creation, process termination. The TARSIP-ECLIPSE family is distinguished by the presence of 'eclipse' in .pdb debug strings present in the malware samples. It does not provide a built in mechanism to maintain persistence.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="category">Backdoor</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="family">TARSIP-ECLIPSE</link> </links> <definition> <Indicator operator="OR" id="f668a9bf-4b6a-4f88-a5e0-3177dd01dcc8"> <IndicatorItem id="16859489-bf90-4c44-b6f1-1146258871c2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">775459afc5415984dfa2a0f533011763</Content> </IndicatorItem> <IndicatorItem id="f1053374-a3b6-41c1-bbd0-e9b9e92b5a97" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">17f6602f1c507b006b9d09eedcde0096</Content> </IndicatorItem> <IndicatorItem id="516c2663-5851-4c26-aba0-46d0dc1753e2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6eb99bed5b5fcb3fdb26f37aff2c9adb</Content> </IndicatorItem> <IndicatorItem id="2bcaef53-b39e-4a60-8a68-bb8a187f5348" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">eb0c8b05ee6a4334f45968cf45656597</Content> </IndicatorItem> <IndicatorItem id="52374985-61b0-488c-8604-81041f214bda" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">f9ed623f13481da16a97aeacdca646dc</Content> </IndicatorItem> <IndicatorItem id="bc9243b2-205d-4b7b-8a5d-1b2eadb493db" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a34234a27157851300d9b698f6c56d9a</Content> </IndicatorItem> <IndicatorItem id="4f414936-b5f0-48cf-a86d-64f25490e994" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">830e5cd6d590aa65dd3e2c1a01b42259</Content> </IndicatorItem> <IndicatorItem id="a6e92acd-e501-4fcf-97fa-70279caf4281" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">46817cabd6618d2126067430a78f06a3</Content> </IndicatorItem> <IndicatorItem id="1fce39bd-9034-48b0-9c5a-f4014b288fc6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">06598b0490133815541c5ac023623e82</Content> </IndicatorItem> <IndicatorItem id="d799b3b2-65f7-475c-ac3a-2de5848bda51" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">123505024f9e5ff74cb6aa67d7fcc392</Content> </IndicatorItem> <IndicatorItem id="f5dcbb05-92dc-49db-a75b-30147a473fde" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">03ae71eba61af2d497e226da3954f3af</Content> </IndicatorItem> <IndicatorItem id="505a3b18-1ccb-4053-b97d-73098706731d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0b506c6dde8d07f9eeb82fd01a6f97d4</Content> </IndicatorItem> <IndicatorItem id="8c43952d-d204-466b-9245-afcd5aa28a78" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4a54d7878d4170c3d4e3c3606365c42c</Content> </IndicatorItem> <IndicatorItem id="366e97fa-a5e0-48c1-b7e1-5b52287ee306" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">d9fb6620e4402764bbf2088de02898ca</Content> </IndicatorItem> <IndicatorItem id="06d1a19f-dda5-47b8-85f2-7b12e29bcbb5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">61daab56e07dfa3a236d8aec9eb80545</Content> </IndicatorItem> <IndicatorItem id="62cf077f-d030-4137-aae3-09816bf2ef61" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">50a3aaaebae6cee7ecb150ac395276b9</Content> </IndicatorItem> <IndicatorItem id="c1c28821-0670-4e5c-8c20-c66b047fb24a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">41d623c1de3b0d182c51e56b2a3f3fba</Content> </IndicatorItem> <IndicatorItem id="f8125fae-93dd-4c74-90b9-a4ed878bf0a3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a1468ce16f2d17979cc1a61878c1c8c6</Content> </IndicatorItem> <IndicatorItem id="82ab7c92-d254-489e-9163-1610b73fa4b5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a6725f263daf3e94adc3668751b909d0</Content> </IndicatorItem> <IndicatorItem id="6778068c-cbcc-425d-a972-e06417e8cfe8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b6f2f483e03b9399f055a1ba5e0713a4</Content> </IndicatorItem> <IndicatorItem id="4a7bd981-b6ca-408b-b494-990fad2395a4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8934aeed5d213fe29e858eee616a6ec7</Content> </IndicatorItem> <IndicatorItem id="abc6ce39-f145-4e87-b66a-bcf43f549543" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fdef1329ae626656c8389f82c4f9ad38</Content> </IndicatorItem> <IndicatorItem id="31e7a16d-16ae-4cf9-b009-488616960e6b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">a6117891e42ee7db36253b57839c8b8f</Content> </IndicatorItem> <IndicatorItem id="466c38cb-fb4e-4ba7-b240-9669f18e5a69" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a2feee5e0ac3f825d4b7de7e0b95bb1f</Content> </IndicatorItem> <IndicatorItem id="c31874e1-7a11-4880-ab82-06d1caabc127" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4f763b07a7b8a80f1f9408e590f79532</Content> </IndicatorItem> <IndicatorItem id="40ed1d0d-d8ce-424b-a0cc-12a91e967667" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ca327bc83fbe38b3689cd1a5505dfc33</Content> </IndicatorItem> <IndicatorItem id="f677abab-b01b-4fce-b816-ae445a06f3cf" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2976a62c2a829a153a9b0b5f433bdc77</Content> </IndicatorItem> <IndicatorItem id="1f03140b-a1ba-404d-87da-dc056f38b2c2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cb15768a3e5c86d22289dcefec56d8a2</Content> </IndicatorItem> <IndicatorItem id="ee46fcd4-3db7-43d9-982e-c1f355cb8a2d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">05bc8309b93676087d5fb0b58ad5e9d8</Content> </IndicatorItem> <IndicatorItem id="3e11f44a-a281-402e-94fa-2c5b5e11afc8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ec63f49236858c85168da81c1ac7802a</Content> </IndicatorItem> <IndicatorItem id="105ba0b5-98ff-4ec0-9924-8e2d9aea9ae5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6bf9083f1567edce004bd1f7c456659d</Content> </IndicatorItem> <IndicatorItem id="ff34011f-82fc-4724-a777-72dcb9b71669" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content 
type="md5">0c5858f293aed44ea00eb9e0019609df</Content> </IndicatorItem> <IndicatorItem id="6df46401-4584-4a71-80e7-a4bfae13af47" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3107de21e480ab1f2d67725f419b28d0</Content> </IndicatorItem> <IndicatorItem id="dbe6656d-7fb5-4eb6-8af4-55090729346d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ce003a75c85627cbc7e6eb39beff0722</Content> </IndicatorItem> <IndicatorItem id="4922ceda-a600-4d77-b0fb-da22546dfbf1" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">Eclipse_Client_Service_Dll_B.dll</Content> </IndicatorItem> <IndicatorItem id="0e5cade4-6142-45f8-9352-e6b2135ef855" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">toobu.ini</Content> </IndicatorItem> <IndicatorItem id="9c48ccf0-88cb-4deb-b6c9-6bcbd9b5cfce" condition="contains"> <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/> <Content type="string">pipe\ssnp</Content> </IndicatorItem> <IndicatorItem id="67e1fa38-3c49-471f-a952-6ff3d8b973a3" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">C:\Ocean\Project-VS2008\Eclipse_A1.1\Release\Eclipse_Client_B.pdb</Content> </IndicatorItem> <IndicatorItem id="df1c278c-f698-4faf-a4c8-3ecd6f4b6e5b" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">C:\Ocean\Project-VS2008\Eclipse_A1.3\Release\Eclipse_Client_B.pdb</Content> </IndicatorItem> <IndicatorItem id="2fbeadb3-766e-4400-8682-46dcbf8c50a7" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">E:\MyProjects\pjts2008(back)\pjts2008\Eclipse_A\Release\Eclipse_Client_B.pdb</Content> </IndicatorItem> 
<IndicatorItem id="8d6e91ab-cd5a-44ee-b3cb-ee23c793ef1d" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">E:\C\Eclipse_A\Release\Eclipse_Client_B.pdb</Content> </IndicatorItem> <IndicatorItem id="69703628-adb2-4e9f-b083-f11f7a1c8e3a" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">E:\C\Eclipse_A1.1\Release\Eclipse_Client_B.pdb</Content> </IndicatorItem> <IndicatorItem id="2cab7bce-de2a-4657-a741-05b3d53fc301" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">E:\4xjq\Eclipse_A1.1\Release\Eclipse_Client_B.pdb</Content> </IndicatorItem> <IndicatorItem id="43613644-a4c7-4f10-a740-15e337c2a235" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">E:\4xjq\Eclipse_A1.1\Release\Eclipse_Client_B.pdb</Content> </IndicatorItem> <IndicatorItem id="fa203336-2a7c-4cef-88d0-d42d682ff9f4" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">E:\pjts2008\Eclipse_A\Release\Eclipse_Client_Service_EXE_B.pdb</Content> </IndicatorItem> <IndicatorItem id="9e1dd16c-2ecb-4f67-9a65-f20c0cb44330" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">E:\XiaoME\SunCloud-Code\Eclipse_A\Release\Eclipse_Client_B.pdb</Content> </IndicatorItem> <IndicatorItem id="c7a14352-8092-41e8-8052-7406a00a227b" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">E:\XiaoME\SunCloud-Code\Eclipse_A\Release\Eclipse_Client_B.pdb</Content> </IndicatorItem> <Indicator operator="AND" id="34f04118-954b-4a0e-b5ec-fa35295728b5"> <IndicatorItem id="27f96c28-2b32-4fde-a6fc-83c70c8cb85f" condition="is"> <Context document="FileItem" 
search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">contains_eof_data</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> <Indicator operator="OR" id="d183331e-bc84-4b62-a690-2f95e2dc726a"> <IndicatorItem id="b659bc12-8ce3-4bb4-b860-ff1ac8481f1b" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">cb.exe</Content> </IndicatorItem> <IndicatorItem id="06f2180a-cd95-4b07-a11f-1505119796ce" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">ccapp.exe</Content> </IndicatorItem> <IndicatorItem id="3dfadc75-39ee-4caa-bf0f-419bc2cba91e" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">CONIME.EXE</Content> </IndicatorItem> <IndicatorItem id="4f3c9762-9c28-4c44-a5a1-100451d94db8" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">ccapp1.exe</Content> </IndicatorItem> <IndicatorItem id="d900959c-d0a2-4b9e-bd52-dc37a15b0384" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">igfxpers.exe</Content> </IndicatorItem> <IndicatorItem id="458e871a-f71f-4951-9913-6ddd05d05187" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">1.jpg</Content> </IndicatorItem> <IndicatorItem id="09378fd1-d8c0-4776-979b-5bd9edf3c4ee" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">Reader_sl.exe</Content> </IndicatorItem> <IndicatorItem id="037141d8-7bf5-49f6-bcbb-593c95a93afa" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">adobeupdater.exe</Content> </IndicatorItem> <IndicatorItem id="6bc51ce5-9ffc-45c4-9ace-434e971d01af" condition="is"> <Context document="FileItem" 
search="FileItem/FileName" type="mir"/> <Content type="string">hkcm.exe</Content> </IndicatorItem> <IndicatorItem id="4b572912-d252-459a-a96b-c3831577f5a1" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">Launcher.exe</Content> </IndicatorItem> <IndicatorItem id="664d4ff1-4b8b-4b8a-b1e2-984468b91124" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">taskhost.exe</Content> </IndicatorItem> <IndicatorItem id="b9f5122c-69f7-476c-92c8-98f938680b24" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">apoint.exe</Content> </IndicatorItem> <IndicatorItem id="c4a48724-3122-4808-9d81-5aec50f4f353" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">igfxper.exe</Content> </IndicatorItem> <IndicatorItem id="e6f1a8e1-9e63-4b79-adce-632afe00b852" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">MFEVPS.EXE</Content> </IndicatorItem> <IndicatorItem id="be895f16-33ac-43bd-bf12-27ec9bf99bce" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">QTTask.exe</Content> </IndicatorItem> <IndicatorItem id="b21afd11-b416-44b4-abb9-c23227c3849d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 50% samples.</Comment> </IndicatorItem> <IndicatorItem id="5c21d3cf-36df-4aad-aadd-025251e3afc5" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_mismatch</Content> <Comment>PE Header Anomaly identified in 50% samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="8fcbaef3-1374-4b6a-ab0c-4b5ab827fe25"> 
<IndicatorItem id="30d502b3-8ff5-4b49-b914-41cfdeb3e33d" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">174116</Content> </IndicatorItem> <IndicatorItem id="bda0241d-f41b-4732-87eb-212ee38f4d4c" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">182820</Content> </IndicatorItem> <IndicatorItem id="b33d4d1a-36fb-4a78-b30b-c90144b27fff" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">190500</Content> </IndicatorItem> <IndicatorItem id="47c15c0a-2e85-4a51-9cd7-8e5c7e090c13" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">191000 TO 191700</Content> </IndicatorItem> <IndicatorItem id="88c052a4-aeca-4bbe-910f-4a4e985b19c1" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">192000 TO 192700</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="087f48c5-b716-4b3f-9383-4d8343543777"> <IndicatorItem id="9fdf7436-dcfc-44e6-9682-ede1a904a8d6" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-10-19T01:22:35Z</Content> </IndicatorItem> <IndicatorItem id="9f8e1195-cfd8-4758-a0ab-0662f8a25153" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-10-19T01:22:45Z</Content> </IndicatorItem> <IndicatorItem id="9efb7d6a-9e86-4e8a-a7fa-3506bddcb11f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-11-15T11:11:50Z</Content> </IndicatorItem> <IndicatorItem id="cec0f07a-1b8a-4808-a01a-30831ec6f1b9" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-12-08T00:52:06Z</Content> </IndicatorItem> <IndicatorItem 
id="0afb9eab-d49c-4d0e-a92c-22c3c2fe68fd" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-12-12T03:28:15Z</Content> </IndicatorItem> <IndicatorItem id="1805fcba-aa2c-4ba3-8af3-799ef76ef233" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-03-12T08:19:34Z</Content> </IndicatorItem> <IndicatorItem id="e673611e-0a91-4ee6-b1f2-e050786b86b1" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-03-16T09:00:00Z TO 2012-03-16T10:00:00Z</Content> </IndicatorItem> <IndicatorItem id="8f20a71d-fdc8-4c62-8653-2d5a47b47538" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-03-19T13:43:05Z</Content> </IndicatorItem> <IndicatorItem id="860cd4de-858f-4377-a0f1-5547528449b2" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-03-20T09:24:33Z</Content> </IndicatorItem> <IndicatorItem id="c1cee7fc-1445-4b83-aa8a-a4fe201242be" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-03-22T08:45:38Z</Content> </IndicatorItem> <IndicatorItem id="fe64f26b-93c6-47d5-b07c-53e80dda5d71" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-03-29T03:00:00Z TO 2012-03-29T16:00:00Z</Content> </IndicatorItem> <IndicatorItem id="f2291c9a-18a2-462e-bce3-647ec6553c33" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-05-17T02:43:28Z</Content> </IndicatorItem> <IndicatorItem id="ddfdb883-32b5-4291-a2c8-a56f4591d23c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content 
type="date">2012-05-29T14:39:47Z</Content> </IndicatorItem> <IndicatorItem id="741c5c64-4c0d-4a88-9094-dc0fbeb83b52" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-07-25T15:01:13Z</Content> </IndicatorItem> <IndicatorItem id="25aec029-7e15-4c9c-8292-cea5e05b811d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-08-01T04:03:07Z</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="419a7989-3abd-45fd-bee0-e172273ad349"> <IndicatorItem id="fd7eaaf3-a149-4a2c-af67-7e8d448c6aae" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">Exec Success!</Content> </IndicatorItem> <IndicatorItem id="931055ba-522e-4fbb-af07-583fdb0d96be" condition="contains"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">URL Download Success!</Content> </IndicatorItem> </Indicator> <Indicator operator="AND" id="71de9281-517e-4240-b638-9996c6dcadc5"> <IndicatorItem id="cc257cdc-fdfe-45ba-b86a-14ebf3372169" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">ws2_32.dll:0073</Content> </IndicatorItem> <IndicatorItem id="cd2333fb-5078-4da7-ae4d-89245496790b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">ws2_32.dll:000c</Content> </IndicatorItem> <IndicatorItem id="e3cb60ae-ea22-4747-a006-713e432bcb61" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">ws2_32.dll:000b</Content> </IndicatorItem> <IndicatorItem id="635fd8ae-d31f-4df1-8150-7f05d92bf25c" condition="is"> <Context document="FileItem" 
search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">ws2_32.dll:0039</Content> </IndicatorItem> <IndicatorItem id="c5aeccc1-a893-433c-abb9-7614e0db2ca0" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">ws2_32.dll:0034</Content> </IndicatorItem> <IndicatorItem id="ce72d543-62fc-42f2-ad7f-66af65afe283" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">ws2_32.dll:006f</Content> </IndicatorItem> <IndicatorItem id="bd4632c6-db72-43f7-b310-528a092f1c2c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">urldownloadtofilea</Content> </IndicatorItem> <IndicatorItem id="a286532e-fc8e-4536-bd96-2a40f71f214c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">deleteurlcacheentry</Content> </IndicatorItem> <IndicatorItem id="fbebb317-e18c-4200-b0bd-2053a37a05f5" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">httpaddrequestheadersa</Content> </IndicatorItem> <IndicatorItem id="9d09ab31-9629-4ee8-ba2d-95a4005c36f7" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">internetwritefile</Content> </IndicatorItem> <IndicatorItem id="8a8f3581-1eb8-4ccf-a10b-08713124835c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">internetreadfile</Content> </IndicatorItem> <IndicatorItem 
id="f3a7a07d-0cc9-4283-92b7-18fd91ea48ee" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">httpsendrequesta</Content> </IndicatorItem> <IndicatorItem id="fd7efdda-4cc9-472d-b5c9-d1630c9699ee" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">lookupaccountsida</Content> </IndicatorItem> <IndicatorItem id="bea2fd16-a0c1-4172-bfd1-d9eb4ac5bfce" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">gettokeninformation</Content> </IndicatorItem> <IndicatorItem id="7a1efd44-7c2c-465f-bcc3-683cbce315fa" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">createprocessa</Content> </IndicatorItem> <IndicatorItem id="afa87e92-cfe2-42b9-9287-e5c555a4252c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">peeknamedpipe</Content> </IndicatorItem> <IndicatorItem id="a548aa9a-a6d2-40bf-9f59-7757252a18d5" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">createpipe</Content> </IndicatorItem> <IndicatorItem id="bfbb6695-1a79-45d8-963a-4b586550f7c8" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">connectnamedpipe</Content> </IndicatorItem> <IndicatorItem id="9193beaa-8f85-4dc9-aac8-530a8fa438d0" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content 
type="string">disconnectnamedpipe</Content> </IndicatorItem> <IndicatorItem id="59a72444-46ab-4760-847f-a88b883079c5" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">contains_eof_data</Content> </IndicatorItem> <Indicator operator="OR" id="0756e01a-1c8f-42d1-adcc-1f486df1d185"> <IndicatorItem id="2c1d1562-23b0-48fe-89db-70d82bb6eaa0" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> </IndicatorItem> <IndicatorItem id="93ad3a5e-5c01-44c8-b126-e3aa33fe9b50" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_mismatch</Content> </IndicatorItem> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <!-- LIGHTBOLT (FAMILY). The Observable_Composition and the embedded OpenIOC definition in this indicator express the same AND/OR tree: every mandiant:observable id or idref below reuses the UUID of an OpenIOC Indicator or IndicatorItem. The idref targets are defined elsewhere in the package and are not visible in this part of the file. --><stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-d8cf6bb8-48fe-4160-ba20-b336dbd74d1b"> <indicator:Title>LIGHTBOLT (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Utility</indicator:Type> <indicator:Description> LIGHTBOLT is a utility with the ability to perform HTTP GET requests for a list of user-specified URLs. The responses of the HTTP requests are then saved as MHTML files, which are added to encrypted RAR files. LIGHTBOLT has the ability to use software certificates for authentication. 
</indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-c1fed046-0101-4913-bdaf-14b9bc0a18c0"/> <cybox:Observable idref="mandiant:observable-18371776-be36-4164-9809-dca4f6e2c54d"/> <cybox:Observable idref="mandiant:observable-127e0155-59b1-4b54-b0df-b67ed488ef43"/> <cybox:Observable idref="mandiant:observable-b249bc1e-558b-49a1-bcd1-38fc1192184b"/> <cybox:Observable id="mandiant:observable-f1d26561-2e5b-4b19-947c-794b687c804a"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-40d490e3-6e65-467f-8435-8386c751b7fb"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-dff39bfc-3520-4194-aed5-d7d8b11da95c"/> <cybox:Observable idref="mandiant:observable-4b8894ae-6f5c-44a2-8f3a-4d7f377e58df"/> <cybox:Observable idref="mandiant:observable-a4f7fb70-3852-4bda-86d7-9db0762ed860"/> <cybox:Observable idref="mandiant:observable-0e2cf034-f439-4f8f-bd26-67cd8b6924a7"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-ba9aa5b3-20b2-4318-bc76-ff270d4be302"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-40442ba4-c8d9-4f56-a6d4-02f9a9eb759a"/> <cybox:Observable idref="mandiant:observable-47632f04-cf80-4a3a-9be3-49c51737e3a6"/> <cybox:Observable idref="mandiant:observable-ff91f6cd-9224-4140-b63d-725395bc302e"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-a8edb9b6-f6c5-4284-bae0-3bceb0bf8db5"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-79d239c8-9a87-425b-b1e3-885478cb491b"/> <cybox:Observable idref="mandiant:observable-2918bf8e-de76-4c40-8223-b3bf5d23c015"/> <cybox:Observable idref="mandiant:observable-c36388b0-1c9d-4b3b-a214-1e834424e038"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> 
<cybox:Observable id="mandiant:observable-7f770489-dd8e-4b22-8a83-010902f67561"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-88c41ccf-ba5a-4481-8734-846a2fca9bfc"/> <cybox:Observable idref="mandiant:observable-dba8c03c-9da0-46d4-a96a-0a29688f0209"/> <cybox:Observable idref="mandiant:observable-c5b93855-5f9d-4975-b2a8-12434713e2ad"/> <cybox:Observable idref="mandiant:observable-bf64add6-84fa-4a61-a5a2-7ee57b93ab9d"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-4279884c-cb08-44b3-8bac-b59038b70f37"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-9b6f7ee3-75b9-4435-80c5-fd3f391c9517"/> <cybox:Observable idref="mandiant:observable-16e5ee37-c58b-434c-81f5-b005f925cfe4"/> <cybox:Observable idref="mandiant:observable-b43b3b1a-3b9d-4465-a8b2-0b5359c82349"/> <cybox:Observable idref="mandiant:observable-778bb896-fd5b-4295-9a2e-261da6d7afcf"/> <cybox:Observable idref="mandiant:observable-a305bcbd-6530-4eb0-ab76-617b0d6f3ff4"/> <cybox:Observable idref="mandiant:observable-e327513f-e356-4eb4-afbf-e083252cdf76"/> <cybox:Observable idref="mandiant:observable-cb3bd9c5-6c66-4dc2-8b83-6a39397453c4"/> <cybox:Observable idref="mandiant:observable-99f56bf0-7902-4e5b-8b41-768a5dfd2b96"/> <cybox:Observable idref="mandiant:observable-1675c825-73c8-4ee5-962f-0911c5716311"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-a8fc7acc-bc98-4306-9349-a176e432ce9e"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-55c75143-4726-4a55-b7b0-4bdaa6a5234c"/> <cybox:Observable idref="mandiant:observable-6ac300d9-0910-4af2-9aab-8fdbb03a2338"/> <cybox:Observable idref="mandiant:observable-1309e5fc-7e4c-4534-a3b7-654a3a79b755"/> <cybox:Observable idref="mandiant:observable-44ddd4b4-88f2-435c-95b9-f0f1d774820d"/> <cybox:Observable 
idref="mandiant:observable-8a67f354-3481-40ee-b535-17e89368cedc"/> <cybox:Observable idref="mandiant:observable-b5984919-de73-4b2e-8044-c0faf89cd84c"/> <cybox:Observable idref="mandiant:observable-bfe936f9-c6f7-415e-a773-e2aa7cfeb67b"/> <cybox:Observable idref="mandiant:observable-8411b4d0-4ca9-433a-a228-ffc55021b8a6"/> <cybox:Observable idref="mandiant:observable-cb224b30-fe35-45a3-9d61-2c47447faefd"/> <cybox:Observable idref="mandiant:observable-79b250fb-f337-4fe4-a1fd-0f14db527123"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <!-- OpenIOC 2010 source of this indicator. The file header describes the CybOX conversion as lossy, so check the observables against this definition when the two appear to differ. --><indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="d4f103f8-c372-49d1-b9f4-e127d61d0639" last-modified="2013-02-10T13:00:00"> <short_description>LIGHTBOLT (FAMILY)</short_description> <description>LIGHTBOLT is a utility with the ability to perform HTTP GET requests for a list of user-specified URLs. The responses of the HTTP requests are then saved as MHTML files, which are added to encrypted RAR files. 
LIGHTBOLT has the ability to use software certificates for authentication.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="category">Utility</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="family">LIGHTBOLT</link> </links> <definition> <!-- Top level is OR: any one branch is a hit. The first four items stand alone: three exact MD5 values and one exact file name. A file name on its own is weak evidence, so corroborate a name-only hit before acting on it. --><Indicator operator="OR" id="d8cf6bb8-48fe-4160-ba20-b336dbd74d1b"> <IndicatorItem id="c1fed046-0101-4913-bdaf-14b9bc0a18c0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4788960e489197f2633f581607eb0d26</Content> </IndicatorItem> <IndicatorItem id="18371776-be36-4164-9809-dca4f6e2c54d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2ef062fa86537db34f5907a9775664a1</Content> </IndicatorItem> <IndicatorItem id="127e0155-59b1-4b54-b0df-b67ed488ef43" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2e86a9862257a0cf723ceef3868a1a12</Content> </IndicatorItem> <IndicatorItem id="b249bc1e-558b-49a1-bcd1-38fc1192184b" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">exploie.exe</Content> </IndicatorItem> <!-- AND of three OR groups: (file name or PE anomaly) AND file size AND PE timestamp. The checksum_is_zero anomaly sits in the same OR group as the file names, so a file with any name satisfies that group when the anomaly is present. The bits.exe item uses condition="contains" and therefore also matches longer names that include that substring. --><Indicator operator="AND" id="f1d26561-2e5b-4b19-947c-794b687c804a"> <Indicator operator="OR" id="40d490e3-6e65-467f-8435-8386c751b7fb"> <IndicatorItem id="dff39bfc-3520-4194-aed5-d7d8b11da95c" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">r.exe</Content> </IndicatorItem> <IndicatorItem id="4b8894ae-6f5c-44a2-8f3a-4d7f377e58df" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">Browser.exe</Content> </IndicatorItem> <IndicatorItem id="a4f7fb70-3852-4bda-86d7-9db0762ed860" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content 
type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 67% samples.</Comment> </IndicatorItem> <IndicatorItem id="0e2cf034-f439-4f8f-bd26-67cd8b6924a7" condition="contains"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">bits.exe</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="ba9aa5b3-20b2-4318-bc76-ff270d4be302"> <IndicatorItem id="40442ba4-c8d9-4f56-a6d4-02f9a9eb759a" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">378880</Content> </IndicatorItem> <IndicatorItem id="47632f04-cf80-4a3a-9be3-49c51737e3a6" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">40960</Content> </IndicatorItem> <IndicatorItem id="ff91f6cd-9224-4140-b63d-725395bc302e" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">536576</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="a8edb9b6-f6c5-4284-bae0-3bceb0bf8db5"> <IndicatorItem id="79d239c8-9a87-425b-b1e3-885478cb491b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-03-15T06:26:41Z</Content> </IndicatorItem> <IndicatorItem id="2918bf8e-de76-4c40-8223-b3bf5d23c015" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-03-16T01:08:00Z</Content> </IndicatorItem> <IndicatorItem id="c36388b0-1c9d-4b3b-a214-1e834424e038" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-03-28T09:23:35Z</Content> </IndicatorItem> </Indicator> </Indicator> <!-- PE resource branch: all four items must match. Three resource Type values (JPG, PDFBROW, VAPDF) and a resource Language, each compared with "contains". --><Indicator operator="AND" id="7f770489-dd8e-4b22-8a83-010902f67561"> <IndicatorItem id="88c41ccf-ba5a-4481-8734-846a2fca9bfc" condition="contains"> <Context document="FileItem" 
search="FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Type" type="mir"/> <Content type="string">JPG</Content> </IndicatorItem> <IndicatorItem id="dba8c03c-9da0-46d4-a96a-0a29688f0209" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Type" type="mir"/> <Content type="string">PDFBROW</Content> </IndicatorItem> <IndicatorItem id="c5b93855-5f9d-4975-b2a8-12434713e2ad" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Type" type="mir"/> <Content type="string">VAPDF</Content> </IndicatorItem> <IndicatorItem id="bf64add6-84fa-4a61-a5a2-7ee57b93ab9d" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Language" type="mir"/> <Content type="string">Chinese (Simplified, PRC)</Content> </IndicatorItem> </Indicator> <!-- Masquerade branch: the version-info fields describe Mozilla Firefox (firefox.exe, version 3, 6, 1, 1) while FileName "isnot" firefox.exe. Paths containing "System Volume Information" are excluded, presumably to skip restore-point copies (confirm against the original IOC notes). --><Indicator operator="AND" id="4279884c-cb08-44b3-8bac-b59038b70f37"> <IndicatorItem id="9b6f7ee3-75b9-4435-80c5-fd3f391c9517" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductVersion" type="mir"/> <Content type="string">3, 6, 1, 1</Content> </IndicatorItem> <IndicatorItem id="16e5ee37-c58b-434c-81f5-b005f925cfe4" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileDescription" type="mir"/> <Content type="string">Mozilla Firefox</Content> </IndicatorItem> <IndicatorItem id="b43b3b1a-3b9d-4465-a8b2-0b5359c82349" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/LegalCopyright" type="mir"/> <Content type="string">Copyright (C) 1998-2009</Content> </IndicatorItem> <IndicatorItem id="778bb896-fd5b-4295-9a2e-261da6d7afcf" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/OriginalFilename" type="mir"/> <Content type="string">firefox.exe</Content> </IndicatorItem> <IndicatorItem 
id="a305bcbd-6530-4eb0-ab76-617b0d6f3ff4" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileVersion" type="mir"/> <Content type="string">3, 6, 1, 1</Content> </IndicatorItem> <IndicatorItem id="e327513f-e356-4eb4-afbf-e083252cdf76" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/InternalName" type="mir"/> <Content type="string">Firefox</Content> </IndicatorItem> <IndicatorItem id="cb3bd9c5-6c66-4dc2-8b83-6a39397453c4" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductName" type="mir"/> <Content type="string">Mozilla Firefox</Content> </IndicatorItem> <IndicatorItem id="99f56bf0-7902-4e5b-8b41-768a5dfd2b96" condition="isnot"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">firefox.exe</Content> </IndicatorItem> <IndicatorItem id="1675c825-73c8-4ee5-962f-0911c5716311" condition="containsnot"> <Context document="FileItem" search="FileItem/FilePath" type="mir"/> <Content type="string">System Volume Information</Content> </IndicatorItem> </Indicator> <!-- Same masquerade pattern for Windows Explorer: version-info fields claim explorer.exe 6, 0, 2900, 5512 from Microsoft while FileName "isnot" explorer.exe. Note ProductName is the literal "Microsoft explorer" and FileDescription is "explorer.exe"; both are compared with "is", so they must match exactly. --><Indicator operator="AND" id="a8fc7acc-bc98-4306-9349-a176e432ce9e"> <IndicatorItem id="55c75143-4726-4a55-b7b0-4bdaa6a5234c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductVersion" type="mir"/> <Content type="string">6, 0, 2900, 5512</Content> </IndicatorItem> <IndicatorItem id="6ac300d9-0910-4af2-9aab-8fdbb03a2338" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/CompanyName" type="mir"/> <Content type="string">Microsoft</Content> </IndicatorItem> <IndicatorItem id="1309e5fc-7e4c-4534-a3b7-654a3a79b755" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/InternalName" type="mir"/> <Content type="string">explorer</Content> </IndicatorItem> <IndicatorItem 
id="44ddd4b4-88f2-435c-95b9-f0f1d774820d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/LegalCopyright" type="mir"/> <Content type="string">(C) Microsoft Corporation. All rights reserved.</Content> </IndicatorItem> <IndicatorItem id="8a67f354-3481-40ee-b535-17e89368cedc" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileVersion" type="mir"/> <Content type="string">6, 0, 2900, 5512</Content> </IndicatorItem> <IndicatorItem id="b5984919-de73-4b2e-8044-c0faf89cd84c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductName" type="mir"/> <Content type="string">Microsoft explorer</Content> </IndicatorItem> <IndicatorItem id="bfe936f9-c6f7-415e-a773-e2aa7cfeb67b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileDescription" type="mir"/> <Content type="string">explorer.exe</Content> </IndicatorItem> <IndicatorItem id="8411b4d0-4ca9-433a-a228-ffc55021b8a6" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/OriginalFilename" type="mir"/> <Content type="string">explorer.exe</Content> </IndicatorItem> <IndicatorItem id="cb224b30-fe35-45a3-9d61-2c47447faefd" condition="isnot"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">explorer.exe</Content> </IndicatorItem> <IndicatorItem id="79b250fb-f337-4fe4-a1fd-0f14db527123" condition="containsnot"> <Context document="FileItem" search="FileItem/FilePath" type="mir"/> <Content type="string">System Volume Information</Content> </IndicatorItem> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-37cdc870-066f-4e90-a295-985372bfb9e6"> 
<indicator:Title>STARSYPOUND (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> STARSYPOUND provides an interactive remote shell over an obfuscated communications channel. When it is first run, it loads a string (from the executable PE resource section) containing the beacon IP address and port. The malware sends the beacon string "*(SY)# &lt;HOSTNAME&gt;" to the remote system, where &lt;HOSTNAME&gt; is the hostname of the victim system. The remote host responds with a packet that also begins with the string "*(SY)# cmd". This causes the malware to launch a new cmd.exe child process. Further communications are forwarded to the cmd.exe child process to execute. The commands sent to the shell and their responses are obfuscated when sent over the network. </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-dce5008b-b485-4a58-bbee-01b83de1a67f"/> <cybox:Observable idref="mandiant:observable-88aabd0a-db00-458e-b465-2338d382b4db"/> <cybox:Observable idref="mandiant:observable-43bffb9e-802b-42b0-8aec-93e785a90b0a"/> <cybox:Observable idref="mandiant:observable-76cca676-a146-452d-9d1b-75aa4f16d973"/> <cybox:Observable idref="mandiant:observable-12b8eecb-ea79-4762-a8b2-55daa5d84cb9"/> <cybox:Observable idref="mandiant:observable-3b3d360f-e462-4b05-934f-48837101f16e"/> <cybox:Observable idref="mandiant:observable-e829d5aa-4c8a-4993-8418-f7b26962eb9b"/> <cybox:Observable idref="mandiant:observable-0589fdff-fa2f-47ca-af83-408d25e2bfc3"/> <cybox:Observable idref="mandiant:observable-703f60a3-3734-42db-9e5b-f25a390834f3"/> <cybox:Observable idref="mandiant:observable-3dffcf7e-4b32-4fab-8720-3d4ca21e8676"/> <cybox:Observable idref="mandiant:observable-da151c43-42bc-400a-95cb-a4794e40ea72"/> <cybox:Observable idref="mandiant:observable-ccee62c8-935e-49b1-b0f5-a68ea17afa36"/> <cybox:Observable 
idref="mandiant:observable-83d97026-3661-4ce7-8573-b9f13087aeae"/> <cybox:Observable idref="mandiant:observable-dcf4fafc-8b52-419a-a869-2dc3881b57dd"/> <cybox:Observable idref="mandiant:observable-b9964cd0-9159-4154-ad12-6ea8b82b1919"/> <cybox:Observable idref="mandiant:observable-0113078d-92fe-4021-b8ea-b2b2e6d0927d"/> <cybox:Observable idref="mandiant:observable-71b716af-666c-4cc7-8fce-414087ce13a8"/> <cybox:Observable idref="mandiant:observable-1efc4f2d-b353-4948-9853-f4af01dba154"/> <cybox:Observable idref="mandiant:observable-7c788a3c-9802-4ace-b74a-872fa6ce475d"/> <cybox:Observable idref="mandiant:observable-e7f6fa54-6551-4051-b6fc-1b99965c7283"/> <cybox:Observable idref="mandiant:observable-05a23b2f-632d-4638-9fd7-129c22b72d59"/> <cybox:Observable idref="mandiant:observable-c4d55888-aace-43e6-963b-6bff9527651a"/> <cybox:Observable idref="mandiant:observable-6b69e8d9-e8c9-4641-a741-0aecd4797889"/> <cybox:Observable idref="mandiant:observable-9511e823-4a36-4c98-b969-be8a18cafd33"/> <cybox:Observable idref="mandiant:observable-c7d207b0-efe6-4d1f-91de-6a5ad84c01dd"/> <cybox:Observable idref="mandiant:observable-ec6f2fac-7da0-4088-97b3-df78073105c6"/> <cybox:Observable idref="mandiant:observable-aef9eaf5-5c3a-4ee2-ab74-e968ec5fee67"/> <cybox:Observable idref="mandiant:observable-81c8c916-9b1c-4865-b053-8797b7635536"/> <cybox:Observable idref="mandiant:observable-b0d74e94-4cc5-4412-b283-b7d8a3fd770f"/> <cybox:Observable idref="mandiant:observable-03be0c70-71fd-41e9-a135-4c66c86ec25a"/> <cybox:Observable idref="mandiant:observable-ed751c87-1202-4748-a09a-603e916a7a5c"/> <cybox:Observable idref="mandiant:observable-5706f486-870e-4086-abd3-b84d174d8a1e"/> <cybox:Observable idref="mandiant:observable-93303fa1-7cc5-4a8a-95af-a14825b30a88"/> <cybox:Observable idref="mandiant:observable-a88f262e-2aa9-42d4-b2be-ec4a9c4dcc08"/> <cybox:Observable idref="mandiant:observable-58874411-5b95-4f6b-baf8-43a6e943dcf8"/> <cybox:Observable 
idref="mandiant:observable-d74f5f2f-9c51-4a2b-98f0-43a3b4bb817b"/> <cybox:Observable idref="mandiant:observable-151a2b1c-fa5a-4bfb-a9e8-ffedc0ef2000"/> <cybox:Observable idref="mandiant:observable-c9cfa772-ac67-4c2d-bf17-06beca62c4fc"/> <cybox:Observable idref="mandiant:observable-db60fa94-e63b-40de-b85b-639864d09dff"/> <cybox:Observable idref="mandiant:observable-79c8a3d0-5ada-46d0-b5fa-72b2660e5ed2"/> <cybox:Observable idref="mandiant:observable-7c3f3c05-6d69-4f05-973b-b05494fb4192"/> <cybox:Observable idref="mandiant:observable-7e77fc63-2844-4bea-a5cc-b013c9c57407"/> <cybox:Observable idref="mandiant:observable-f707fc35-11ea-4a05-9927-06fdae66cc07"/> <cybox:Observable idref="mandiant:observable-0f870d41-c381-4d63-a902-b09eddbb085c"/> <cybox:Observable idref="mandiant:observable-7a0df406-816b-4fc7-867e-8157ecfe3678"/> <cybox:Observable idref="mandiant:observable-562438f7-d03e-4c4b-afdb-42f3473ebc5a"/> <cybox:Observable idref="mandiant:observable-83815990-8092-4378-b6c8-ff4ff3160270"/> <cybox:Observable idref="mandiant:observable-28cf1fc8-985c-4f47-9dd8-7eade45c828b"/> <cybox:Observable idref="mandiant:observable-64eefec1-35b8-4c4e-b03a-7f402c29cfdd"/> <cybox:Observable idref="mandiant:observable-4260d6a6-142b-485c-a37e-1c7a5f1880de"/> <cybox:Observable idref="mandiant:observable-a137962b-044e-4d96-8284-2fb874a04cfc"/> <cybox:Observable idref="mandiant:observable-1d244eab-ddb9-463a-8c8f-2644ff8146ad"/> <cybox:Observable idref="mandiant:observable-717002c1-0b9b-4d89-8e04-827366b6b37f"/> <cybox:Observable idref="mandiant:observable-60ef246f-98e4-42c4-acca-9d6aac19191a"/> <cybox:Observable idref="mandiant:observable-061044d6-d7b0-43ff-9ea8-59090632acc0"/> <cybox:Observable idref="mandiant:observable-c9af2cd7-31ec-4e35-9ae8-7b72eff0eabb"/> <cybox:Observable id="mandiant:observable-7909f322-1b62-457a-a858-00323bc255f0"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-135a999b-ac71-4f6b-b170-24e670f2bd9a"> 
<cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-1be3d9c2-ee2a-4676-9888-dfdeabf873a0"/> <cybox:Observable idref="mandiant:observable-f4a65b7d-10f3-4d34-8f71-d299c6c29982"/> <cybox:Observable idref="mandiant:observable-cb8b0594-8172-4c37-865e-0ab50c4dd62d"/> <cybox:Observable idref="mandiant:observable-97b1b8cd-599f-4a30-96f7-84d99e396cf6"/> <cybox:Observable idref="mandiant:observable-903d7906-89ed-4012-a3a0-8b4ddf733ab0"/> <cybox:Observable idref="mandiant:observable-147278d9-ae6b-4aa5-b0c3-5e20e3cbc4e3"/> <cybox:Observable idref="mandiant:observable-b84fb79f-c77b-4cc7-8475-f6a2d59f5c5a"/> <cybox:Observable idref="mandiant:observable-29a89dcc-339e-48ce-8fdf-6f22bc0a0108"/> <cybox:Observable idref="mandiant:observable-36e0857a-c6b2-45d5-a173-1d32bcd262c1"/> <cybox:Observable idref="mandiant:observable-155af31e-9ec5-47f7-ad27-5a2b625f37db"/> <cybox:Observable idref="mandiant:observable-f4439817-1af8-49b6-bf7a-eb75387fc857"/> <cybox:Observable idref="mandiant:observable-dfba1358-e5b8-41fd-9408-6f345eb77dd3"/> <cybox:Observable idref="mandiant:observable-6236ca54-b8ce-4be3-8347-d27b5374d672"/> <cybox:Observable idref="mandiant:observable-c4f5a77b-8c17-4c21-9506-7e129f94805d"/> <cybox:Observable idref="mandiant:observable-1ccb67ee-ab95-4f8b-80fd-15ba7b1b144a"/> <cybox:Observable idref="mandiant:observable-a8ee19a2-4922-45d2-a2c5-8499e754552e"/> <cybox:Observable idref="mandiant:observable-28adbf26-fdcb-49c4-b3f5-fe7604a6c5be"/> <cybox:Observable idref="mandiant:observable-8b50a572-82cd-4361-a651-8e6d914ffce3"/> <cybox:Observable idref="mandiant:observable-090bf433-7d5b-4c39-bb67-419783ef48fd"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-84a0fbc9-1330-4213-8020-262eae079677"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-f77a63bd-4231-4c15-b370-b3dca152932f"/> <cybox:Observable 
idref="mandiant:observable-da94f2f3-15c5-4efd-a463-55af2fe25bc3"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-e0d5840a-3399-486d-9430-62590074963c"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-53236c4b-8c5e-43b4-9b3e-1757a2c4fd53"/> <cybox:Observable idref="mandiant:observable-e0f1fb6e-bba9-4d0b-b773-5c6a070a11fc"/> <cybox:Observable idref="mandiant:observable-291ae324-ec20-4020-851f-a0518548d4b7"/> <cybox:Observable idref="mandiant:observable-a8e2161e-b3f5-4c2e-80fa-8466e6edf592"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-6ae8a626-9762-4b3e-ad1a-6ef6acabc381"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-fb2aa6ff-36c5-4f92-98ea-5dfadf1ce05b"/> <cybox:Observable idref="mandiant:observable-5b918ea4-eb00-4e83-b901-a8cd96ba0d69"/> <cybox:Observable idref="mandiant:observable-babc3765-80bf-4439-bc94-c40e280559f4"/> <cybox:Observable idref="mandiant:observable-c6a7d671-6d83-49e5-b5c1-b9bd4e1c933f"/> <cybox:Observable idref="mandiant:observable-3b5f5409-b7c2-4150-8799-b34ef1f207c2"/> <cybox:Observable idref="mandiant:observable-b0356b4e-9d01-42a2-82aa-3e7338ddd86e"/> <cybox:Observable idref="mandiant:observable-f5b965df-6640-43ef-8a74-3648850c24de"/> <cybox:Observable idref="mandiant:observable-4eea9b08-e5c9-449a-915e-81957d645db5"/> <cybox:Observable idref="mandiant:observable-77a33407-dd06-4771-a398-eb2ec5da243a"/> <cybox:Observable idref="mandiant:observable-86987363-95a8-4411-ad36-af31256bde72"/> <cybox:Observable idref="mandiant:observable-be35f904-765e-4e5c-a7da-619e2aac05cd"/> <cybox:Observable idref="mandiant:observable-00a0ddeb-301f-4105-9418-11d7379ddb6d"/> <cybox:Observable idref="mandiant:observable-1ded5ab9-9ee9-4b96-9444-2b290fa39fd3"/> <cybox:Observable 
idref="mandiant:observable-f06e6df2-ae06-4e8e-80d3-49ab06305353"/> <cybox:Observable idref="mandiant:observable-0c395a56-6e3e-44af-8606-49e16cf27f5d"/> <cybox:Observable idref="mandiant:observable-27f96162-bed9-49a7-82b6-1d2b5838602b"/> <cybox:Observable idref="mandiant:observable-806c5faf-ce64-4e6b-b344-5d2ddaa1b38f"/> <cybox:Observable idref="mandiant:observable-05935fd3-b962-43fe-86b6-ec5c1b28eb7b"/> <cybox:Observable idref="mandiant:observable-35a89fcb-66aa-451c-8d3d-74bef2e70dbf"/> <cybox:Observable idref="mandiant:observable-f1bfa3bc-3141-4ce9-ab41-17c171acf3f4"/> <cybox:Observable idref="mandiant:observable-57a6b882-a041-49db-a186-cd9d6a67f2be"/> <cybox:Observable idref="mandiant:observable-85c1f565-1808-4811-ac5b-80fff6758661"/> <cybox:Observable idref="mandiant:observable-0536e2e9-359b-4bfe-9950-fc3762dbb645"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="d5e49501-c30d-41ae-b381-c3c473040c39" last-modified="2013-02-10T13:00:00"> <short_description>STARSYPOUND (FAMILY)</short_description> <description>STARSYPOUND provides an interactive remote shell over an obfuscated communications channel. When it is first run, it loads a string (from the executable PE resource section) containing the beacon IP address and port. The malware sends the beacon string "*(SY)# &lt;HOSTNAME&gt;" to the remote system, where &lt;HOSTNAME&gt; is the hostname of the victim system. The remote host responds with a packet that also begins with the string "*(SY)# cmd". This causes the malware to launch a new cmd.exe child process. Further communications are forwarded to the cmd.exe child process to execute. 
The commands sent to the shell and their responses are obfuscated when sent over the network.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="category">Backdoor</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="family">STARSYPOUND</link> </links> <definition> <Indicator operator="OR" id="37cdc870-066f-4e90-a295-985372bfb9e6"> <IndicatorItem id="dce5008b-b485-4a58-bbee-01b83de1a67f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a4143ade719c2222d8602819a3e212ae</Content> </IndicatorItem> <IndicatorItem id="88aabd0a-db00-458e-b465-2338d382b4db" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ea3155748f9788b741b6799691250579</Content> </IndicatorItem> <IndicatorItem id="43bffb9e-802b-42b0-8aec-93e785a90b0a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9ea3c16194ce354c244c1b74c46cd92e</Content> </IndicatorItem> <IndicatorItem id="76cca676-a146-452d-9d1b-75aa4f16d973" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ca6fe7a1315af5afeac2961460a80569</Content> </IndicatorItem> <IndicatorItem id="12b8eecb-ea79-4762-a8b2-55daa5d84cb9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1f2eb7b090018d975e6d9b40868c94ca</Content> </IndicatorItem> <IndicatorItem id="3b3d360f-e462-4b05-934f-48837101f16e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ae1dda87cc5998de79ecb68527bbd191</Content> </IndicatorItem> <IndicatorItem id="e829d5aa-4c8a-4993-8418-f7b26962eb9b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2ba0d0083976a5c1e3315413cdcffcd2</Content> </IndicatorItem> <IndicatorItem 
id="0589fdff-fa2f-47ca-af83-408d25e2bfc3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cc0b9bf4ea738d63f06bfe411460412b</Content> </IndicatorItem> <IndicatorItem id="703f60a3-3734-42db-9e5b-f25a390834f3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ab445da3ee4e81a84d644476f669d35c</Content> </IndicatorItem> <IndicatorItem id="3dffcf7e-4b32-4fab-8720-3d4ca21e8676" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">411d770b2939e968c692dbdd3116e179</Content> </IndicatorItem> <IndicatorItem id="da151c43-42bc-400a-95cb-a4794e40ea72" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">65018cd542145a3792ba09985734c12a</Content> </IndicatorItem> <IndicatorItem id="ccee62c8-935e-49b1-b0f5-a68ea17afa36" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">df5c89d49ef8997c9b5abd8f808298c8</Content> </IndicatorItem> <IndicatorItem id="83d97026-3661-4ce7-8573-b9f13087aeae" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2a84b88c4a2ce0fb6227f7990f465737</Content> </IndicatorItem> <IndicatorItem id="dcf4fafc-8b52-419a-a869-2dc3881b57dd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8442ae37b91f279a9f06de4c60b286a3</Content> </IndicatorItem> <IndicatorItem id="b9964cd0-9159-4154-ad12-6ea8b82b1919" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">531a3b0acd95f55c3a7418d31f741357</Content> </IndicatorItem> <IndicatorItem id="0113078d-92fe-4021-b8ea-b2b2e6d0927d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">650a6fca433ee243391e4b4c11f09438</Content> </IndicatorItem> <IndicatorItem 
id="71b716af-666c-4cc7-8fce-414087ce13a8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">08d7679a9c806a2f7d2be26fe9b425ee</Content> </IndicatorItem> <IndicatorItem id="1efc4f2d-b353-4948-9853-f4af01dba154" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d1a18c7de189170c588e7128ec3f8453</Content> </IndicatorItem> <IndicatorItem id="7c788a3c-9802-4ace-b74a-872fa6ce475d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">34cebbb4d35a66a7a7fb1ce857c195c9</Content> </IndicatorItem> <IndicatorItem id="e7f6fa54-6551-4051-b6fc-1b99965c7283" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8b75bcbff174c25a0161f30758509a44</Content> </IndicatorItem> <IndicatorItem id="05a23b2f-632d-4638-9fd7-129c22b72d59" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7be6c90facbfe9ecf470fb27e6673fbc</Content> </IndicatorItem> <IndicatorItem id="c4d55888-aace-43e6-963b-6bff9527651a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">00f24328b282b28bc39960d55603e380</Content> </IndicatorItem> <IndicatorItem id="6b69e8d9-e8c9-4641-a741-0aecd4797889" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">494fca685834f3158d133f6b09cbb507</Content> </IndicatorItem> <IndicatorItem id="9511e823-4a36-4c98-b969-be8a18cafd33" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b07322743778b5868475dbe66eedac4f</Content> </IndicatorItem> <IndicatorItem id="c7d207b0-efe6-4d1f-91de-6a5ad84c01dd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">61e0da42d5d084af24d31fbcef4ff409</Content> </IndicatorItem> <IndicatorItem 
id="ec6f2fac-7da0-4088-97b3-df78073105c6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e65db662e449cab03a6c1ac51af41360</Content> </IndicatorItem> <IndicatorItem id="aef9eaf5-5c3a-4ee2-ab74-e968ec5fee67" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5a032c13942a46c5ae015f53d9ce138a</Content> </IndicatorItem> <IndicatorItem id="81c8c916-9b1c-4865-b053-8797b7635536" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d20f0fbd001fd30610c3317fd3c6f7c0</Content> </IndicatorItem> <IndicatorItem id="b0d74e94-4cc5-4412-b283-b7d8a3fd770f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">caf33d1e15953c0e782846e1709498f6</Content> </IndicatorItem> <IndicatorItem id="03be0c70-71fd-41e9-a135-4c66c86ec25a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">49bacedcd18f6d8929d43a10dae8645f</Content> </IndicatorItem> <IndicatorItem id="ed751c87-1202-4748-a09a-603e916a7a5c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f6655e39465c2ff5b016980d918ea028</Content> </IndicatorItem> <IndicatorItem id="5706f486-870e-4086-abd3-b84d174d8a1e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ec8aa67b05407c01094184c33d2b5a44</Content> </IndicatorItem> <IndicatorItem id="93303fa1-7cc5-4a8a-95af-a14825b30a88" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">35b9f05cf70017cc485af87660109dc8</Content> </IndicatorItem> <IndicatorItem id="a88f262e-2aa9-42d4-b2be-ec4a9c4dcc08" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3d6fe3928f2f5ce41622f3f958b894a0</Content> </IndicatorItem> <IndicatorItem 
id="58874411-5b95-4f6b-baf8-43a6e943dcf8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">125ebbc6f0c957ee994fcef1431a93f4</Content> </IndicatorItem> <IndicatorItem id="d74f5f2f-9c51-4a2b-98f0-43a3b4bb817b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6576c196385407b0f7f4b1b537d88983</Content> </IndicatorItem> <IndicatorItem id="151a2b1c-fa5a-4bfb-a9e8-ffedc0ef2000" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7a2eba5ca6f9b2cec61c5cc55dfca762</Content> </IndicatorItem> <IndicatorItem id="c9cfa772-ac67-4c2d-bf17-06beca62c4fc" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">33de5067a433a6ec5c328067dc18ec37</Content> </IndicatorItem> <IndicatorItem id="db60fa94-e63b-40de-b85b-639864d09dff" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d9fbf759f527af373e34673dc3aca462</Content> </IndicatorItem> <IndicatorItem id="79c8a3d0-5ada-46d0-b5fa-72b2660e5ed2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">30b3b17eab05ecffaa055b5091aa66f9</Content> </IndicatorItem> <IndicatorItem id="7c3f3c05-6d69-4f05-973b-b05494fb4192" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">785003a405bc7a4ebcbb21ddb757bf3f</Content> </IndicatorItem> <IndicatorItem id="7e77fc63-2844-4bea-a5cc-b013c9c57407" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">eb61cedc9793226a66e4611e6ea25d7f</Content> </IndicatorItem> <IndicatorItem id="f707fc35-11ea-4a05-9927-06fdae66cc07" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">85c4081a97255ac7ca7d0d5554e86ec1</Content> </IndicatorItem> <IndicatorItem 
id="0f870d41-c381-4d63-a902-b09eddbb085c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fab7c555a511f4d4e318817455bbb75a</Content> </IndicatorItem> <IndicatorItem id="7a0df406-816b-4fc7-867e-8157ecfe3678" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">19fc27aeb48b3ce8d00eb2e76dfe2837</Content> </IndicatorItem> <IndicatorItem id="562438f7-d03e-4c4b-afdb-42f3473ebc5a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cfe738fcc07b9ece6a11c3390d43b5df</Content> </IndicatorItem> <IndicatorItem id="83815990-8092-4378-b6c8-ff4ff3160270" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c0a33a1b472a8c16123fd696a5ce5ebb</Content> </IndicatorItem> <IndicatorItem id="28cf1fc8-985c-4f47-9dd8-7eade45c828b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a316d5aeca269ca865077e7fff356e7d</Content> </IndicatorItem> <IndicatorItem id="64eefec1-35b8-4c4e-b03a-7f402c29cfdd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">89a2802e2f2356ce6a757f833c3ba3ef</Content> </IndicatorItem> <IndicatorItem id="4260d6a6-142b-485c-a37e-1c7a5f1880de" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">dc059121677ec7a038589cda28cbcc49</Content> </IndicatorItem> <IndicatorItem id="a137962b-044e-4d96-8284-2fb874a04cfc" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6faa4740f99408d4d2dddd0b09bbdefd</Content> </IndicatorItem> <IndicatorItem id="1d244eab-ddb9-463a-8c8f-2644ff8146ad" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">99a39866a657a10949fcb6d634bb30d5</Content> </IndicatorItem> <IndicatorItem 
id="717002c1-0b9b-4d89-8e04-827366b6b37f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a14e8df8bc55f7459d24fe526f51a16d</Content> </IndicatorItem> <IndicatorItem id="60ef246f-98e4-42c4-acca-9d6aac19191a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f8437e44748d2c3fcf84019766f4e6dc</Content> </IndicatorItem> <IndicatorItem id="061044d6-d7b0-43ff-9ea8-59090632acc0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4e3ddb5c27e45ee0e6dcc02e87b0abb5</Content> </IndicatorItem> <IndicatorItem id="c9af2cd7-31ec-4e35-9ae8-7b72eff0eabb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2dd892986b2249b5214639ecc8ac0223</Content> </IndicatorItem> <Indicator operator="AND" id="7909f322-1b62-457a-a858-00323bc255f0"> <Indicator operator="OR" id="135a999b-ac71-4f6b-b170-24e670f2bd9a"> <IndicatorItem id="1be3d9c2-ee2a-4676-9888-dfdeabf873a0" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">smisvr.exe</Content> </IndicatorItem> <IndicatorItem id="f4a65b7d-10f3-4d34-8f71-d299c6c29982" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">update.dll</Content> </IndicatorItem> <IndicatorItem id="cb8b0594-8172-4c37-865e-0ab50c4dd62d" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">spoolsvr.exe</Content> </IndicatorItem> <IndicatorItem id="97b1b8cd-599f-4a30-96f7-84d99e396cf6" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">winpsvc.exe</Content> </IndicatorItem> <IndicatorItem id="903d7906-89ed-4012-a3a0-8b4ddf733ab0" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content 
type="string">update3D.exe</Content> </IndicatorItem> <IndicatorItem id="147278d9-ae6b-4aa5-b0c3-5e20e3cbc4e3" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">update7E.exe</Content> </IndicatorItem> <IndicatorItem id="b84fb79f-c77b-4cc7-8475-f6a2d59f5c5a" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">servicve.exe</Content> </IndicatorItem> <IndicatorItem id="29a89dcc-339e-48ce-8fdf-6f22bc0a0108" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">mssvc.exe</Content> </IndicatorItem> <IndicatorItem id="36e0857a-c6b2-45d5-a173-1d32bcd262c1" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">Net3.exe</Content> </IndicatorItem> <IndicatorItem id="155af31e-9ec5-47f7-ad27-5a2b625f37db" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">UPD115.exe</Content> </IndicatorItem> <IndicatorItem id="f4439817-1af8-49b6-bf7a-eb75387fc857" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">dfvmgr.exe</Content> </IndicatorItem> <IndicatorItem id="dfba1358-e5b8-41fd-9408-6f345eb77dd3" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">update1.exe</Content> </IndicatorItem> <IndicatorItem id="6236ca54-b8ce-4be3-8347-d27b5374d672" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">update3F.exe</Content> </IndicatorItem> <IndicatorItem id="c4f5a77b-8c17-4c21-9506-7e129f94805d" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">winps.dll</Content> </IndicatorItem> <IndicatorItem id="1ccb67ee-ab95-4f8b-80fd-15ba7b1b144a" condition="is"> <Context document="FileItem" 
search="FileItem/FileName" type="mir"/> <Content type="string">update23.exe</Content> </IndicatorItem> <IndicatorItem id="a8ee19a2-4922-45d2-a2c5-8499e754552e" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">Net206.exe</Content> </IndicatorItem> <IndicatorItem id="28adbf26-fdcb-49c4-b3f5-fe7604a6c5be" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">IEupdate8080.exe</Content> </IndicatorItem> <IndicatorItem id="8b50a572-82cd-4361-a651-8e6d914ffce3" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">dfhost.exe</Content> </IndicatorItem> <IndicatorItem id="090bf433-7d5b-4c39-bb67-419783ef48fd" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="84a0fbc9-1330-4213-8020-262eae079677"> <IndicatorItem id="f77a63bd-4231-4c15-b370-b3dca152932f" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">7168</Content> </IndicatorItem> <IndicatorItem id="da94f2f3-15c5-4efd-a463-55af2fe25bc3" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">8192</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="e0d5840a-3399-486d-9430-62590074963c"> <IndicatorItem id="53236c4b-8c5e-43b4-9b3e-1757a2c4fd53" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2007-11-18T23:50:13Z</Content> </IndicatorItem> <IndicatorItem id="e0f1fb6e-bba9-4d0b-b773-5c6a070a11fc" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2008-02-27T21:58:42Z</Content> 
</IndicatorItem> <IndicatorItem id="291ae324-ec20-4020-851f-a0518548d4b7" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-05-14T17:12:40Z</Content> </IndicatorItem> <IndicatorItem id="a8e2161e-b3f5-4c2e-80fa-8466e6edf592" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-01-15T17:20:56Z</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="6ae8a626-9762-4b3e-ad1a-6ef6acabc381"> <IndicatorItem id="fb2aa6ff-36c5-4f92-98ea-5dfadf1ce05b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">loadstringa</Content> </IndicatorItem> <IndicatorItem id="5b918ea4-eb00-4e83-b901-a8cd96ba0d69" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">malloc</Content> </IndicatorItem> <IndicatorItem id="babc3765-80bf-4439-bc94-c40e280559f4" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">free</Content> </IndicatorItem> <IndicatorItem id="c6a7d671-6d83-49e5-b5c1-b9bd4e1c933f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">disconnectnamedpipe</Content> </IndicatorItem> <IndicatorItem id="3b5f5409-b7c2-4150-8799-b34ef1f207c2" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">getcurrentprocess</Content> </IndicatorItem> <IndicatorItem id="b0356b4e-9d01-42a2-82aa-3e7338ddd86e" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> 
<Content type="string">terminatethread</Content> </IndicatorItem> <IndicatorItem id="f5b965df-6640-43ef-8a74-3648850c24de" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">waitforsingleobject</Content> </IndicatorItem> <IndicatorItem id="4eea9b08-e5c9-449a-915e-81957d645db5" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">setevent</Content> </IndicatorItem> <IndicatorItem id="77a33407-dd06-4771-a398-eb2ec5da243a" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">sleep</Content> </IndicatorItem> <IndicatorItem id="86987363-95a8-4411-ad36-af31256bde72" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">duplicatehandle</Content> </IndicatorItem> <IndicatorItem id="be35f904-765e-4e5c-a7da-619e2aac05cd" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">peeknamedpipe</Content> </IndicatorItem> <IndicatorItem id="00a0ddeb-301f-4105-9418-11d7379ddb6d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">createpipe</Content> </IndicatorItem> <IndicatorItem id="1ded5ab9-9ee9-4b96-9444-2b290fa39fd3" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">waitformultipleobjects</Content> </IndicatorItem> <IndicatorItem id="f06e6df2-ae06-4e8e-80d3-49ab06305353" condition="is"> <Context document="FileItem" 
search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">createprocessa</Content> </IndicatorItem> <IndicatorItem id="0c395a56-6e3e-44af-8606-49e16cf27f5d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">createthread</Content> </IndicatorItem> <IndicatorItem id="27f96162-bed9-49a7-82b6-1d2b5838602b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">createeventa</Content> </IndicatorItem> <IndicatorItem id="806c5faf-ce64-4e6b-b344-5d2ddaa1b38f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">createeventa</Content> </IndicatorItem> <IndicatorItem id="05935fd3-b962-43fe-86b6-ec5c1b28eb7b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">writefile</Content> </IndicatorItem> <IndicatorItem id="35a89fcb-66aa-451c-8d3d-74bef2e70dbf" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">readfile</Content> </IndicatorItem> <IndicatorItem id="f1bfa3bc-3141-4ce9-ab41-17c171acf3f4" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">getcomputernamea</Content> </IndicatorItem> <IndicatorItem id="57a6b882-a041-49db-a186-cd9d6a67f2be" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">exitthread</Content> </IndicatorItem> <IndicatorItem id="85c1f565-1808-4811-ac5b-80fff6758661" condition="is"> <Context 
document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">terminateprocess</Content> </IndicatorItem> <IndicatorItem id="0536e2e9-359b-4bfe-9950-fc3762dbb645" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="mir"/> <Content type="string">closehandle</Content> </IndicatorItem> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <!-- AURIGA (FAMILY): this indicator states its detection logic twice. indicator:Observable is a CybOX Observable_Composition whose observable ids reuse the UUIDs of the Indicator and IndicatorItem ids in the OpenIOC Test_Mechanism below. The file header describes the CybOX conversion as lossy, so treat the embedded OpenIOC definition as the reference if the two disagree. The behaviours listed in the Description (driver-based process and connection hiding, service persistence) are triage context, not match criteria. --> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-0ce3f149-586a-4e4b-a833-074bfe438557"> <indicator:Title>AURIGA (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> The AURIGA malware family shares a large amount of functionality with the BANGAT backdoor. The malware family contains functionality for keystroke logging, creating and killing processes, performing file system and registry modifications, spawning interactive command shells, performing process injection, logging off the current user or shutting down the local machine. The AURIGA malware contains a driver component which is used to inject the malware DLL into other processes. This driver can also perform process and IP connection hiding. The malware family will create a copy of cmd.exe to perform its C2 activity, and replace the "Microsoft corp" strings in the cmd.exe binary with different values. The malware family typically maintains persistence through installing itself as a service. 
</indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-e6f3f7ad-d18a-4e11-abc1-3d778d8e70c0"/> <cybox:Observable idref="mandiant:observable-ba5f0800-89ac-4ed1-9902-abd6f2744200"/> <cybox:Observable idref="mandiant:observable-3747f1b4-c8a6-40be-957b-335ee4fd8bb2"/> <cybox:Observable idref="mandiant:observable-179caa2f-c6d5-48b0-ba2e-cd465be83cf0"/> <cybox:Observable idref="mandiant:observable-cf009b8f-ab73-4c0d-9def-f312899c1b0a"/> <cybox:Observable idref="mandiant:observable-7d1800de-8551-4507-b746-5326e1cfbcfa"/> <cybox:Observable idref="mandiant:observable-dc8e72fa-a85d-4127-9252-27bea678966b"/> <cybox:Observable idref="mandiant:observable-4b2c705a-739e-4dcc-bd75-0ae489ce9db4"/> <cybox:Observable idref="mandiant:observable-6ea29327-7971-49f2-9efa-82ac4960b421"/> <cybox:Observable idref="mandiant:observable-49beeb96-c46c-4a47-8d62-1f9e2c941cca"/> <cybox:Observable idref="mandiant:observable-f62b52d9-5641-45fa-a737-c78c8b9d0ed0"/> <cybox:Observable idref="mandiant:observable-2729ef72-778f-4428-8fa9-280dac3d8420"/> <cybox:Observable idref="mandiant:observable-3ffed991-d9d3-490f-8fee-a97fe9bf5970"/> <cybox:Observable idref="mandiant:observable-8a6dcc6e-254a-4c37-97ce-863d019cb9f0"/> <cybox:Observable idref="mandiant:observable-f3dd3f24-d63d-47e3-bbfb-3175dd88979a"/> <cybox:Observable idref="mandiant:observable-0bb9b519-ad67-4149-a39e-5f08d6127517"/> <cybox:Observable idref="mandiant:observable-dc17be00-19a1-4f1d-8951-d140c7bac393"/> <cybox:Observable idref="mandiant:observable-24ca9d19-1173-4619-a3ef-7c038af11a59"/> <cybox:Observable idref="mandiant:observable-12f50a91-cf56-4339-9745-fc021c59ac4e"/> <cybox:Observable idref="mandiant:observable-a0e7f984-b460-4bcd-a853-1cd11b80be44"/> <cybox:Observable idref="mandiant:observable-4ef5a6ce-7bf1-45b4-80ed-dad7b63500a7"/> <cybox:Observable idref="mandiant:observable-4f4d4c51-70bb-4cd1-8b42-3610ab588151"/> <cybox:Observable 
idref="mandiant:observable-d0073d98-69b8-4bbf-b35c-2f1fe58683ef"/> <cybox:Observable idref="mandiant:observable-4d0dddd5-9f06-48c1-8a11-71719d0eab58"/> <cybox:Observable idref="mandiant:observable-04012e8a-dd20-4241-8b10-d169b49100a3"/> <cybox:Observable idref="mandiant:observable-56e1835d-6a31-48d0-9b16-701107b852bd"/> <cybox:Observable idref="mandiant:observable-4a94dbda-22c4-4131-b2ec-e3f50bf2c1ba"/> <cybox:Observable idref="mandiant:observable-d642e377-9db3-4944-af9e-13ac7c7b76b6"/> <cybox:Observable idref="mandiant:observable-ceb0314c-35c0-4f54-b777-0067d5cd8ae8"/> <cybox:Observable idref="mandiant:observable-3cd72dd3-11b8-4f57-b2e6-d10cb333e399"/> <cybox:Observable id="mandiant:observable-6d507bd5-a1bd-468d-8c59-7b28a5c245a9"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-ab75a563-33cc-4407-9824-fe285fde78d1"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-a628745b-2579-4691-9b9a-affb86eda06a"/> <cybox:Observable idref="mandiant:observable-fbffcbcf-d45d-4742-9481-baa04f1ed7e2"/> <cybox:Observable idref="mandiant:observable-bf86bf44-29de-45d0-80bd-15e34e039177"/> <cybox:Observable idref="mandiant:observable-8fdbe706-8440-4da8-a274-66801df2fd41"/> <cybox:Observable idref="mandiant:observable-cc281db0-c3d6-447b-9bed-b7e2c7e04610"/> <cybox:Observable idref="mandiant:observable-ec540528-1563-476d-aaff-270fe2df5e3f"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-97708bcc-2519-45b2-8c2b-049ca8591830"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-bb7618cb-7f2e-4690-80f9-4f1572af0758"/> <cybox:Observable idref="mandiant:observable-6b9970f1-0c16-43dc-9c43-f18df719db31"/> <cybox:Observable idref="mandiant:observable-53fad508-e8dd-40aa-98ca-64a4bfd0811c"/> <cybox:Observable idref="mandiant:observable-29f43d88-956a-46fc-abb9-e8861f4a8e82"/> </cybox:Observable_Composition> </cybox:Observable> 
<cybox:Observable id="mandiant:observable-00f0836a-aae2-4b11-b491-d7938ec3dcf6"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-ebbc6af0-5c1a-40a6-b78c-81089cd11efa"/> <cybox:Observable idref="mandiant:observable-2cca76a1-73b6-4290-8f5e-9656bb5fe9cb"/> <cybox:Observable idref="mandiant:observable-d1a5bda6-8925-4d23-96be-0893b69790b3"/> <cybox:Observable idref="mandiant:observable-46119143-1fd1-470c-92e5-72c1883ad643"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-edf55d61-7e5d-4c11-94e0-0d19b8d379fa"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-390c3c46-79bd-468d-872f-e4a2824aa022"/> <cybox:Observable idref="mandiant:observable-2dab46a0-3ad2-4b6b-8074-56922ffdfead"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-41b9b643-8fe7-48aa-9a26-db3a622216cb"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-bbe6f528-ecea-41c1-a81d-beef8c258d68"/> <cybox:Observable idref="mandiant:observable-4d0d3741-1f1a-4a04-89c4-ebcf3e35450a"/> <cybox:Observable idref="mandiant:observable-70ca6c4e-cae9-4f9e-b263-e55ec702370d"/> <cybox:Observable id="mandiant:observable-9c42a96b-65bf-4bcd-b646-f725a035cdc8"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-a41d3d55-ef0f-4b3b-bda6-fd3ec5e08e74"/> <cybox:Observable idref="mandiant:observable-ad30afb0-7d59-40b1-a4a1-72585d1f2a8d"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-4e8f0d36-85b2-428b-bb2e-faed671addfc"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-6932ca1a-5548-47e4-991b-ec47c0b2a667"/> <cybox:Observable idref="mandiant:observable-bac524cd-cd89-4fdc-b285-f6f999fb3fd9"/> </cybox:Observable_Composition> </cybox:Observable> 
</cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="d8240090-affd-466e-a39c-64add5b98813" last-modified="2013-02-10T13:00:00"> <short_description>AURIGA (FAMILY)</short_description> <description>The AURIGA malware family shares a large amount of functionality with the BANGAT backdoor. The malware family contains functionality for keystroke logging, creating and killing processes, performing file system and registry modifications, spawning interactive command shells, performing process injection, logging off the current user or shutting down the local machine. The AURIGA malware contains a driver component which is used to inject the malware DLL into other processes. This driver can also perform process and IP connection hiding. The malware family will create a copy of cmd.exe to perform its C2 activity, and replace the "Microsoft corp" strings in the cmd.exe binary with different values. 
The malware family typically maintains persistence through installing itself as a service.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="category">Backdoor</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="family">AURIGA</link> </links> <definition> <!-- Top-level OR: any single child item or nested group is enough to match this indicator. The Md5sum items are exact-hash matches and only match byte-identical files. The FullPath items that follow use condition="contains", i.e. substring matching on the path. Because one hit on the weakest item satisfies the whole OR, treat a lone file name or path hit as a lead to corroborate against the driver, service and registry items rather than as a confirmed detection. --> <Indicator operator="OR" id="0ce3f149-586a-4e4b-a833-074bfe438557"> <IndicatorItem id="e6f3f7ad-d18a-4e11-abc1-3d778d8e70c0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3b0dad4763f6151515d819ae04a1f0f6</Content> </IndicatorItem> <IndicatorItem id="ba5f0800-89ac-4ed1-9902-abd6f2744200" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">fd66b9718e650978eb0fff32b9edb377</Content> </IndicatorItem> <IndicatorItem id="3747f1b4-c8a6-40be-957b-335ee4fd8bb2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4e21010805d397aa848cfe63ab0e5eb9</Content> </IndicatorItem> <IndicatorItem id="179caa2f-c6d5-48b0-ba2e-cd465be83cf0" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e83cc769fc5601856d26c88dcb20458b</Content> </IndicatorItem> <IndicatorItem id="cf009b8f-ab73-4c0d-9def-f312899c1b0a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f662c8ae9a0257e68ae52cf354ebab43</Content> </IndicatorItem> <IndicatorItem id="7d1800de-8551-4507-b746-5326e1cfbcfa" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cdcd3a09ee99cff9a58efea5ccbe2bed</Content> </IndicatorItem> <IndicatorItem id="dc8e72fa-a85d-4127-9252-27bea678966b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6b31344b40e2af9c9ee3ba707558c14e</Content> </IndicatorItem> <IndicatorItem 
id="4b2c705a-739e-4dcc-bd75-0ae489ce9db4" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">system32\sam.sav</Content> <Comment>Keylog File created by some variants</Comment> </IndicatorItem> <IndicatorItem id="6ea29327-7971-49f2-9efa-82ac4960b421" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">Local Settings\Temp\sam.dat</Content> </IndicatorItem> <IndicatorItem id="49beeb96-c46c-4a47-8d62-1f9e2c941cca" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">Local Settings\Temp\~hhC2F~.tmp</Content> </IndicatorItem> <IndicatorItem id="f62b52d9-5641-45fa-a737-c78c8b9d0ed0" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">\system32\netui.dll</Content> </IndicatorItem> <IndicatorItem id="2729ef72-778f-4428-8fa9-280dac3d8420" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">\system32\msxml0.dll</Content> </IndicatorItem> <IndicatorItem id="3ffed991-d9d3-490f-8fee-a97fe9bf5970" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">\~ISUN32.EXE</Content> </IndicatorItem> <IndicatorItem id="8a6dcc6e-254a-4c37-97ce-863d019cb9f0" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">\system32\ati.exe</Content> </IndicatorItem> <IndicatorItem id="f3dd3f24-d63d-47e3-bbfb-3175dd88979a" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">riodrv32.sys</Content> </IndicatorItem> <IndicatorItem id="0bb9b519-ad67-4149-a39e-5f08d6127517" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">~temp.pl</Content> </IndicatorItem> <IndicatorItem 
id="dc17be00-19a1-4f1d-8951-d140c7bac393" condition="contains"> <Context document="DriverItem" search="DriverItem/DriverName" type="mir"/> <Content type="string">riodrv32.sys</Content> </IndicatorItem> <IndicatorItem id="24ca9d19-1173-4619-a3ef-7c038af11a59" condition="is"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">HKEY_LOCAL_MACHINE\Software\riodriv</Content> </IndicatorItem> <IndicatorItem id="12f50a91-cf56-4339-9745-fc021c59ac4e" condition="is"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">HKEY_LOCAL_MACHINE\Software\riodriv16\TEMP</Content> </IndicatorItem> <IndicatorItem id="a0e7f984-b460-4bcd-a853-1cd11b80be44" condition="is"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">HKEY_LOCAL_MACHINE\Software\riodriv16\DEL</Content> </IndicatorItem> <IndicatorItem id="4ef5a6ce-7bf1-45b4-80ed-dad7b63500a7" condition="is"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">HKEY_LOCAL_MACHINE\Software\riodriv32\TEMP</Content> </IndicatorItem> <IndicatorItem id="4f4d4c51-70bb-4cd1-8b42-3610ab588151" condition="is"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">HKEY_LOCAL_MACHINE\Software\riodriv32\DEL</Content> </IndicatorItem> <IndicatorItem id="d0073d98-69b8-4bbf-b35c-2f1fe58683ef" condition="is"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">HKEY_LOCAL_MACHINE\Software\riodriv64</Content> </IndicatorItem> <IndicatorItem id="4d0dddd5-9f06-48c1-8a11-71719d0eab58" condition="contains"> <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/> <Content type="string">rio32drv</Content> </IndicatorItem> <IndicatorItem id="04012e8a-dd20-4241-8b10-d169b49100a3" condition="contains"> <Context document="ProcessItem" 
search="ProcessItem/HandleList/Handle/Name" type="mir"/> <Content type="string">rio16drv</Content> </IndicatorItem> <IndicatorItem id="56e1835d-6a31-48d0-9b16-701107b852bd" condition="is"> <Context document="ServiceItem" search="ServiceItem/name" type="mir"/> <Content type="string">rio32drv</Content> </IndicatorItem> <IndicatorItem id="4a94dbda-22c4-4131-b2ec-e3f50bf2c1ba" condition="is"> <Context document="ServiceItem" search="ServiceItem/name" type="mir"/> <Content type="string">riodrv16</Content> </IndicatorItem> <IndicatorItem id="d642e377-9db3-4944-af9e-13ac7c7b76b6" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">riodrv32.sys</Content> </IndicatorItem> <IndicatorItem id="ceb0314c-35c0-4f54-b777-0067d5cd8ae8" condition="contains"> <Context document="ServiceItem" search="ServiceItem/serviceDLL" type="mir"/> <Content type="string">Nwsapagent32.dll</Content> </IndicatorItem> <IndicatorItem id="3cd72dd3-11b8-4f57-b2e6-d10cb333e399" condition="contains"> <Context document="DriverItem" search="DriverItem/DriverName" type="mir"/> <Content type="string">rio16drv.sys</Content> </IndicatorItem> <!-- Nested AND: requires one hit from each of the three OR groups that follow: (1) a FileName or a PEInfo/DetectedAnomalies value, (2) an exact SizeInBytes, (3) an exact PETimeStamp. Group 1 is weak on its own because it includes PE anomalies that are not specific to this family (NOTE(review): checksum_is_zero is also common in benign PE files). The specificity comes from the exact size and compile timestamp, which stop matching as soon as a sample is rebuilt or padded. --> <Indicator operator="AND" id="6d507bd5-a1bd-468d-8c59-7b28a5c245a9"> <Indicator operator="OR" id="ab75a563-33cc-4407-9824-fe285fde78d1"> <IndicatorItem id="a628745b-2579-4691-9b9a-affb86eda06a" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">Nwsapagent32.dll</Content> </IndicatorItem> <IndicatorItem id="fbffcbcf-d45d-4742-9481-baa04f1ed7e2" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">netui.dll</Content> </IndicatorItem> <IndicatorItem id="bf86bf44-29de-45d0-80bd-15e34e039177" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">msxml0.dll</Content> </IndicatorItem> <IndicatorItem id="8fdbe706-8440-4da8-a274-66801df2fd41" 
condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_mismatch</Content> <Comment>PE Header Anomaly identified in 20% samples.</Comment> </IndicatorItem> <IndicatorItem id="cc281db0-c3d6-447b-9bed-b7e2c7e04610" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 80% samples.</Comment> </IndicatorItem> <IndicatorItem id="ec540528-1563-476d-aaff-270fe2df5e3f" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">contains_eof_data</Content> <Comment>PE Header Anomaly identified in 20% samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="97708bcc-2519-45b2-8c2b-049ca8591830"> <IndicatorItem id="bb7618cb-7f2e-4690-80f9-4f1572af0758" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">110592</Content> </IndicatorItem> <IndicatorItem id="6b9970f1-0c16-43dc-9c43-f18df719db31" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">81920</Content> </IndicatorItem> <IndicatorItem id="53fad508-e8dd-40aa-98ca-64a4bfd0811c" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">94208</Content> </IndicatorItem> <IndicatorItem id="29f43d88-956a-46fc-abb9-e8861f4a8e82" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">96136</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="00f0836a-aae2-4b11-b491-d7938ec3dcf6"> <IndicatorItem id="ebbc6af0-5c1a-40a6-b78c-81089cd11efa" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-06-25T00:29:11Z</Content> 
</IndicatorItem> <IndicatorItem id="2cca76a1-73b6-4290-8f5e-9656bb5fe9cb" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-08-04T03:35:45Z</Content> </IndicatorItem> <IndicatorItem id="d1a5bda6-8925-4d23-96be-0893b69790b3" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-03-01T08:26:01Z</Content> </IndicatorItem> <IndicatorItem id="46119143-1fd1-470c-92e5-72c1883ad643" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-11-06T13:54:41Z</Content> </IndicatorItem> </Indicator> </Indicator> <!-- AND of an exact file size (17408 bytes) and a PE compile-time window. The PETimeStamp Content is a range written as "START TO END" under type="date" condition="is", not a single dateTime value. NOTE(review): a consumer that parses this field strictly as one timestamp will presumably reject it or never match, so confirm range support in the evaluating tool. --> <Indicator operator="AND" id="edf55d61-7e5d-4c11-94e0-0d19b8d379fa"> <IndicatorItem id="390c3c46-79bd-468d-872f-e4a2824aa022" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">17408</Content> </IndicatorItem> <IndicatorItem id="2dab46a0-3ad2-4b6b-8074-56922ffdfead" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-04-28T10:00:00Z TO 2009-04-28T16:00:00Z</Content> </IndicatorItem> </Indicator> <!-- AND over PE version-resource strings: LegalCopyright, Language and FileDescription, plus OriginalFilename or InternalName, plus ProductName or CompanyName. These strings are chosen by whoever builds the binary. NOTE(review): the same values would match any file carrying this version resource, so verify a hit against the file's signature state and the hashes listed in this indicator before treating it as AURIGA. --> <Indicator operator="AND" id="41b9b643-8fe7-48aa-9a26-db3a622216cb"> <IndicatorItem id="bbe6f528-ecea-41c1-a81d-beef8c258d68" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/LegalCopyright" type="mir"/> <Content type="string">(C) S3/Diamond Multimedia Systems. 
All rights reserved.</Content> </IndicatorItem> <IndicatorItem id="4d0d3741-1f1a-4a04-89c4-ebcf3e35450a" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/Language" type="mir"/> <Content type="string">English (United States)</Content> </IndicatorItem> <IndicatorItem id="70ca6c4e-cae9-4f9e-b263-e55ec702370d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileDescription" type="mir"/> <Content type="string">RioDrv Usb Driver</Content> </IndicatorItem> <Indicator operator="OR" id="9c42a96b-65bf-4bcd-b646-f725a035cdc8"> <IndicatorItem id="a41d3d55-ef0f-4b3b-bda6-fd3ec5e08e74" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/OriginalFilename" type="mir"/> <Content type="string">riodrv32.sys</Content> </IndicatorItem> <IndicatorItem id="ad30afb0-7d59-40b1-a4a1-72585d1f2a8d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/InternalName" type="mir"/> <Content type="string">riodrv32</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="4e8f0d36-85b2-428b-bb2e-faed671addfc"> <IndicatorItem id="6932ca1a-5548-47e4-991b-ec47c0b2a667" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductName" type="mir"/> <Content type="string">S3/Diamond Multimedia Systems</Content> </IndicatorItem> <IndicatorItem id="bac524cd-cd89-4fdc-b285-f6f999fb3fd9" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/CompanyName" type="mir"/> <Content type="string">S3/Diamond Multimedia Systems</Content> </IndicatorItem> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" 
id="mandiant:indicator-330cf804-e267-42cb-820f-af444f1e9fd8"> <indicator:Title>TARSIP-MOON (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Backdoor</indicator:Type> <indicator:Description> The TARSIP malware family is a backdoor which communicates over encoded information in HTTPS headers. Typical TARSIP malware samples will only beacon out to their C2 servers if the C2 DNS address resolves to a specific address. The capability of TARSIP backdoors includes file uploading, file downloading, interactive command shells, process enumeration, process creation, process termination. The TARSIP-MOON family is distinguished by the presence of 'moon' in .pdb debug strings present in the malware samples. It does not provide a built in mechanism to maintain persistence. </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-5cc3ed5a-17cd-4bc6-bc3d-554b92cda3b4"/> <cybox:Observable idref="mandiant:observable-ef95aa56-e653-4357-9627-99df04400546"/> <cybox:Observable idref="mandiant:observable-ef3492cb-db10-40bb-9898-22f7a54c4b5f"/> <cybox:Observable idref="mandiant:observable-85ce02c6-16ec-4927-8477-20bd38b0cdf2"/> <cybox:Observable idref="mandiant:observable-c1fd7932-8473-40fc-b598-dac2954be212"/> <cybox:Observable idref="mandiant:observable-2b7c7b9f-dc3d-4f92-9ef7-c4eea56b7a48"/> <cybox:Observable idref="mandiant:observable-e080662b-2364-41a2-a020-cb1b0c971e91"/> <cybox:Observable idref="mandiant:observable-a82948a5-8b29-4135-aac2-60133ea45c75"/> <cybox:Observable idref="mandiant:observable-9dd97cd1-a202-423e-9d4d-207e5edb8d14"/> <cybox:Observable idref="mandiant:observable-d5cb1b59-03b0-45dd-9b85-75ee78f90044"/> <cybox:Observable idref="mandiant:observable-86c51237-c66d-48c1-a341-cf8c0d91c60a"/> <cybox:Observable idref="mandiant:observable-1e0981b5-b053-4b0a-8211-a6cf7c3b1a3f"/> <cybox:Observable idref="mandiant:observable-5b2f7279-ce22-4b70-af8d-8923437849fd"/> 
<cybox:Observable idref="mandiant:observable-347bfe1f-2df9-4c96-9513-2d7a3c0d74f1"/> <cybox:Observable idref="mandiant:observable-2d2d3672-e987-4d69-b253-7d28e39629d8"/> <cybox:Observable idref="mandiant:observable-c9bf6fef-3417-4a0d-94ee-7f34aa31c707"/> <cybox:Observable idref="mandiant:observable-7e10c0e2-11dd-44bc-a282-9ed6f9bb4310"/> <cybox:Observable idref="mandiant:observable-f6db7186-d473-41a0-812e-4d264d834fa8"/> <cybox:Observable idref="mandiant:observable-81ae4127-cbeb-4c91-8400-748c5127a733"/> <cybox:Observable idref="mandiant:observable-7f53e613-ff9b-491f-8ca9-ba55e3a4b9c3"/> <cybox:Observable idref="mandiant:observable-4adc3ef2-d407-4a82-90e6-8dce6ca01c68"/> <cybox:Observable idref="mandiant:observable-a62c6ba2-03ce-4e80-bd8a-45138fe31911"/> <cybox:Observable idref="mandiant:observable-13bfb143-a945-42da-b03a-3224843729bf"/> <cybox:Observable idref="mandiant:observable-3c1cba50-dbda-47e1-ab8a-40960cac9d39"/> <cybox:Observable idref="mandiant:observable-f81d536b-7d51-4b41-bd87-21c7d4d11719"/> <cybox:Observable idref="mandiant:observable-095f937e-ef8d-4dac-bbff-3d042e7b5151"/> <cybox:Observable idref="mandiant:observable-a3cab055-1cd0-43cc-ba82-9dd4bd105656"/> <cybox:Observable idref="mandiant:observable-feb4f745-5dcb-4cc4-93d2-fde7b172c5c2"/> <cybox:Observable idref="mandiant:observable-c87057f3-4180-4d85-9d98-e9922705fa6c"/> <cybox:Observable idref="mandiant:observable-ad3076d7-7912-4eee-b9b5-450d09f9b840"/> <cybox:Observable id="mandiant:observable-0e1d2df2-f03a-4da5-8bcc-a63f78d38877"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-636e4e8a-cb6a-45a5-9df1-4f20e1132f71"/> <cybox:Observable idref="mandiant:observable-14a13876-3ab2-4227-ad8c-451dcd0519f0"/> <cybox:Observable id="mandiant:observable-92dcbcc1-b7aa-4e87-aa2e-3ba81e3cedee"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-b37cc63f-6502-4977-9d81-5608bc17d42d"/> <cybox:Observable 
idref="mandiant:observable-2ce40817-edf3-4219-aa01-80471b82c2c9"/> <cybox:Observable idref="mandiant:observable-d03530b4-8d5e-41fe-896f-301ca58076cc"/> <cybox:Observable idref="mandiant:observable-ddaccedf-90d7-4224-9d52-fed8d2a8082d"/> <cybox:Observable idref="mandiant:observable-6c7dc0e9-79a6-4be8-bf71-dff9f626ec7d"/> <cybox:Observable idref="mandiant:observable-ba2b6ece-f761-4644-b707-70ff165877ec"/> <cybox:Observable idref="mandiant:observable-1dd4cb8c-b1f8-494a-be6a-ca93b00743ac"/> <cybox:Observable idref="mandiant:observable-cd3a79a6-d176-41d6-a785-acba8e83c52b"/> <cybox:Observable idref="mandiant:observable-7d00969b-768d-4df4-a890-06c7030f5223"/> <cybox:Observable idref="mandiant:observable-650d994c-739c-4969-9251-49bfa8dcb102"/> <cybox:Observable idref="mandiant:observable-336be1c5-f3f2-4e47-a56e-011577a13c2b"/> <cybox:Observable idref="mandiant:observable-a57d27fb-ee5f-48e7-bc8b-eb28b72e0598"/> <cybox:Observable idref="mandiant:observable-2f5f27d2-3f7a-41ff-a21a-67ed4ad5dc2c"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-6ffbea9a-28a8-4f64-9da6-135e7701da4b"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-4a52cb2b-9c78-4ac0-8b97-cc054a54a3f0"/> <cybox:Observable idref="mandiant:observable-4a510c2d-0a0a-41f9-a780-0b9a184e73b9"/> <cybox:Observable idref="mandiant:observable-9c0b99a8-1b3d-48cc-b9bf-f40feffe72cd"/> <cybox:Observable idref="mandiant:observable-e993d0d6-61f8-4fb4-93ea-db2666d6e843"/> <cybox:Observable idref="mandiant:observable-80bb7921-4817-48d3-878a-6712dd7faace"/> <cybox:Observable idref="mandiant:observable-bee37401-87df-4fe3-8bec-e38286e9b821"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-c91fd813-be30-4331-aff5-09c168bc5c64"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-4f928e37-08d2-46f1-a183-a3fd4818e8be"/> <cybox:Observable 
idref="mandiant:observable-10b6b09a-7e45-45c3-b833-00005caf0ea9"/> <cybox:Observable idref="mandiant:observable-9a15ea1c-c2b2-447b-9011-b1e8542433d5"/> <cybox:Observable idref="mandiant:observable-42946ae8-b28a-482f-9a84-bdde2098a5dc"/> <cybox:Observable idref="mandiant:observable-b972ea4d-c4c9-4fab-9e57-8478764f5c16"/> <cybox:Observable idref="mandiant:observable-3b8c093d-414f-49a9-b7dd-22b68a238726"/> <cybox:Observable idref="mandiant:observable-d19129ad-cb3e-48c5-9188-c355b342aca6"/> <cybox:Observable idref="mandiant:observable-65772a1c-3690-451c-bafe-869944742746"/> <cybox:Observable idref="mandiant:observable-c79d6f9a-7528-4878-87e4-1d75d5d31b5c"/> <cybox:Observable idref="mandiant:observable-e787f4b2-b375-4a86-a870-b1a0fe91cbe5"/> <cybox:Observable idref="mandiant:observable-9acd4092-e331-4503-be88-5ab9f3e50d4d"/> <cybox:Observable idref="mandiant:observable-77cb33c7-e73f-4c38-8108-9b4f4be6e36d"/> <cybox:Observable idref="mandiant:observable-341631f1-5d80-4471-b7cb-f67e846461bf"/> <cybox:Observable idref="mandiant:observable-2a379e3d-7a56-413f-9970-9f42d095e052"/> <cybox:Observable idref="mandiant:observable-0770e7b6-6b92-40e4-812a-6ef828fbcb1c"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="e928aac0-9f71-4adf-9978-4177345ec610" last-modified="2013-02-10T13:00:00"> <short_description>TARSIP-MOON (FAMILY)</short_description> <description>The TARSIP malware family is a backdoor which communicates over encoded information in HTTPS headers. 
Typical TARSIP malware samples will only beacon out to their C2 servers if the C2 DNS address resolves to a specific address. The capability of TARSIP backdoors includes file uploading, file downloading, interactive command shells, process enumeration, process creation, process termination. The TARSIP-MOON family is distinguished by the presence of 'moon' in .pdb debug strings present in the malware samples. It does not provide a built in mechanism to maintain persistence.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="category">Backdoor</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="family">TARSIP-MOON</link> </links> <definition> <Indicator operator="OR" id="330cf804-e267-42cb-820f-af444f1e9fd8"> <IndicatorItem id="5cc3ed5a-17cd-4bc6-bc3d-554b92cda3b4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">898a8a43c8708961094944fb42c278ab</Content> </IndicatorItem> <IndicatorItem id="ef95aa56-e653-4357-9627-99df04400546" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">07fe9f901fb4f14e16fb5d114a92b0fc</Content> </IndicatorItem> <IndicatorItem id="ef3492cb-db10-40bb-9898-22f7a54c4b5f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2e8484f59899046452392c236460ebb6</Content> </IndicatorItem> <IndicatorItem id="85ce02c6-16ec-4927-8477-20bd38b0cdf2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9d1d58e370bea4b5e79a1f914516cbc0</Content> </IndicatorItem> <IndicatorItem id="c1fd7932-8473-40fc-b598-dac2954be212" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0908d8b3e459551039bade50930e4c1b</Content> </IndicatorItem> <IndicatorItem id="2b7c7b9f-dc3d-4f92-9ef7-c4eea56b7a48" condition="is"> <Context 
document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">950234183528ce107d65b700be1bbbd3</Content> </IndicatorItem> <IndicatorItem id="e080662b-2364-41a2-a020-cb1b0c971e91" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a5d4ebc0285f0213e0c29d23bc410889</Content> </IndicatorItem> <IndicatorItem id="a82948a5-8b29-4135-aac2-60133ea45c75" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">494637c4ac6d04bb50a681e87b81043f</Content> </IndicatorItem> <IndicatorItem id="9dd97cd1-a202-423e-9d4d-207e5edb8d14" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6c9c9e40683467f60b910d5bad5285ae</Content> </IndicatorItem> <IndicatorItem id="d5cb1b59-03b0-45dd-9b85-75ee78f90044" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3d61d23c2be95177937aa50769c0c512</Content> </IndicatorItem> <IndicatorItem id="86c51237-c66d-48c1-a341-cf8c0d91c60a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c91eacab7655870764d13ba741aa9a73</Content> </IndicatorItem> <IndicatorItem id="1e0981b5-b053-4b0a-8211-a6cf7c3b1a3f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">588c40520a3cea27d2b35cd1fa05e23f</Content> </IndicatorItem> <IndicatorItem id="5b2f7279-ce22-4b70-af8d-8923437849fd" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6a88f170ab6cb0f9b3252adc61b4f487</Content> </IndicatorItem> <IndicatorItem id="347bfe1f-2df9-4c96-9513-2d7a3c0d74f1" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">565b6fedccab184c92e40483ea49a25f</Content> </IndicatorItem> <IndicatorItem id="2d2d3672-e987-4d69-b253-7d28e39629d8" condition="is"> <Context document="FileItem" 
search="FileItem/Md5sum" type="mir"/> <Content type="md5">feb406ff01d9fd5abc5ea079e0543e31</Content> </IndicatorItem> <IndicatorItem id="c9bf6fef-3417-4a0d-94ee-7f34aa31c707" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f4bea18e9d38ab9fa7c1cf6eea2bdc79</Content> </IndicatorItem> <IndicatorItem id="7e10c0e2-11dd-44bc-a282-9ed6f9bb4310" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8d81eeaeb0bd74a1faab257079452078</Content> </IndicatorItem> <IndicatorItem id="f6db7186-d473-41a0-812e-4d264d834fa8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ca9c1f8d709ed34d388dc7cba2bd7602</Content> </IndicatorItem> <IndicatorItem id="81ae4127-cbeb-4c91-8400-748c5127a733" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">95f25d3afc5370f5d9fd8e65c17d3599</Content> </IndicatorItem> <IndicatorItem id="7f53e613-ff9b-491f-8ca9-ba55e3a4b9c3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b883f8e5a1420d1f511266b9253c11c4</Content> </IndicatorItem> <IndicatorItem id="4adc3ef2-d407-4a82-90e6-8dce6ca01c68" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2bd02b41817d227058522cca40acd390</Content> </IndicatorItem> <IndicatorItem id="a62c6ba2-03ce-4e80-bd8a-45138fe31911" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">74b3ee9f3f6c52413db6e5c9ace34893</Content> </IndicatorItem> <IndicatorItem id="13bfb143-a945-42da-b03a-3224843729bf" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c4188c3bb6982d41aa783c499113a8e3</Content> </IndicatorItem> <IndicatorItem id="3c1cba50-dbda-47e1-ab8a-40960cac9d39" condition="is"> <Context document="FileItem" 
search="FileItem/Md5sum" type="mir"/> <Content type="md5">2acfc925e66e1b820a67c4d0f3e6ae8c</Content> </IndicatorItem> <IndicatorItem id="f81d536b-7d51-4b41-bd87-21c7d4d11719" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8bf9698c18b2aa23f71444af2571a6ad</Content> </IndicatorItem> <IndicatorItem id="095f937e-ef8d-4dac-bbff-3d042e7b5151" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">34ca3fbcaac48498aeff6035b172bf69</Content> </IndicatorItem> <IndicatorItem id="a3cab055-1cd0-43cc-ba82-9dd4bd105656" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6808ec6dbb23f0fa7637c108f44c5c80</Content> </IndicatorItem> <IndicatorItem id="feb4f745-5dcb-4cc4-93d2-fde7b172c5c2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bf0d5aff9c1f33e089c9c85f03c6ba8a</Content> </IndicatorItem> <IndicatorItem id="c87057f3-4180-4d85-9d98-e9922705fa6c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7a2692cafec377c444bc3147fc43e57f</Content> </IndicatorItem> <IndicatorItem id="ad3076d7-7912-4eee-b9b5-450d09f9b840" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">MoonService2.dll</Content> </IndicatorItem> <IndicatorItem id="4e169fbc-be2e-410d-bfa3-6676937fed7d" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">Shell is not exist or stopped!</Content> </IndicatorItem> <IndicatorItem id="e42105cf-324d-4dc6-ab46-c9c7fa70dc63" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">Can not open file on client!</Content> </IndicatorItem> <IndicatorItem id="06fe0f22-cd53-4475-afc2-ba0f22615557" condition="is"> <Context 
document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">E:\pjts2008\moon\Release\MoonDLL2.pdb</Content> </IndicatorItem> <IndicatorItem id="e25a955a-1756-4886-ae24-a0e2f455b906" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">E:\pjts2008\moon\Release\MoonClient2.pdb</Content> </IndicatorItem> <IndicatorItem id="812f42dd-d34c-4209-a211-57708c7e747a" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">E:\code\moon1.5\Release\MoonClient2.pdb</Content> </IndicatorItem> <IndicatorItem id="50177099-34c0-45f9-ac09-6de4a249c3ce" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">E:\XiaoME\SunCloud-Code\WinHTTP 1.2.5\Release\MoonDll.pdb</Content> </IndicatorItem> <IndicatorItem id="71845e68-3977-4fe0-b75c-74cf736b671e" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">E:\C\moon1.5\Release\MoonDll.pdb</Content> </IndicatorItem> <IndicatorItem id="b96820dd-a93a-40ac-8868-03e543779932" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">E:\C\moon1.5\Release\MoonClient2.pdb</Content> </IndicatorItem> <IndicatorItem id="7aa29d02-3f1d-44c6-9a2c-8dc9bbdbabe6" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">E:\C\moon1.5\Release\MoonService2.pdb</Content> </IndicatorItem> <IndicatorItem id="3edc10e5-7abc-4ecf-bc2b-efb5493a1dc8" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">D:\M tools\Moon\Release\MoonClient2.pdb</Content> </IndicatorItem> <IndicatorItem id="9b990209-254b-452d-8270-a1e3707f4f8b" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" 
type="mir"/> <Content type="string">E:\C\moon1.5\Release\MoonDLL2.pdb</Content> </IndicatorItem> <IndicatorItem id="1d819b3d-e279-4d77-a6ee-6ef0f45f4b7d" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">E:\XiaoME\SunCloud-Code\moon1.5\Release\MoonDLL2.pdb</Content> </IndicatorItem> <!-- Combination branch of the enclosing OR: operator="AND" requires both PE anomaly items below plus one match from each of the three nested OR groups (FileName, SizeInBytes, PETimeStamp). Evaluate it only as a whole; a generic file name such as download.exe, a size range or a PE timestamp taken on its own is a weak signal, and splitting the nested groups into separate detections will likely raise false positives. --> <Indicator operator="AND" id="0e1d2df2-f03a-4da5-8bcc-a63f78d38877"> <IndicatorItem id="636e4e8a-cb6a-45a5-9df1-4f20e1132f71" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_mismatch</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> <IndicatorItem id="14a13876-3ab2-4227-ad8c-451dcd0519f0" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">contains_eof_data</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> <Indicator operator="OR" id="92dcbcc1-b7aa-4e87-aa2e-3ba81e3cedee"> <IndicatorItem id="b37cc63f-6502-4977-9d81-5608bc17d42d" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">121.exe</Content> </IndicatorItem> <IndicatorItem id="2ce40817-edf3-4219-aa01-80471b82c2c9" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">162.exe</Content> </IndicatorItem> <IndicatorItem id="d03530b4-8d5e-41fe-896f-301ca58076cc" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">download.exe</Content> </IndicatorItem> <IndicatorItem id="ddaccedf-90d7-4224-9d52-fed8d2a8082d" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">igfxper.exe</Content> </IndicatorItem> <IndicatorItem id="6c7dc0e9-79a6-4be8-bf71-dff9f626ec7d" condition="is"> <Context document="FileItem" 
search="FileItem/FileName" type="mir"/> <Content type="string">md2.dll</Content> </IndicatorItem> <IndicatorItem id="ba2b6ece-f761-4644-b707-70ff165877ec" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">mfevps.exe</Content> </IndicatorItem> <IndicatorItem id="1dd4cb8c-b1f8-494a-be6a-ca93b00743ac" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">moon.png</Content> </IndicatorItem> <IndicatorItem id="cd3a79a6-d176-41d6-a785-acba8e83c52b" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">nbstat.exe</Content> </IndicatorItem> <IndicatorItem id="7d00969b-768d-4df4-a890-06c7030f5223" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">ntdl.exe</Content> </IndicatorItem> <IndicatorItem id="650d994c-739c-4969-9251-49bfa8dcb102" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">ntshrui.dll</Content> </IndicatorItem> <IndicatorItem id="336be1c5-f3f2-4e47-a56e-011577a13c2b" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">sap.dll</Content> </IndicatorItem> <IndicatorItem id="a57d27fb-ee5f-48e7-bc8b-eb28b72e0598" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">Slsvc.exe</Content> </IndicatorItem> <IndicatorItem id="2f5f27d2-3f7a-41ff-a21a-67ed4ad5dc2c" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">win6C.exe</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="6ffbea9a-28a8-4f64-9da6-135e7701da4b"> <IndicatorItem id="4a52cb2b-9c78-4ac0-8b97-cc054a54a3f0" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">145900 TO 146000</Content> 
</IndicatorItem> <IndicatorItem id="4a510c2d-0a0a-41f9-a780-0b9a184e73b9" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">149540</Content> </IndicatorItem> <IndicatorItem id="9c0b99a8-1b3d-48cc-b9bf-f40feffe72cd" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">150564</Content> </IndicatorItem> <IndicatorItem id="e993d0d6-61f8-4fb4-93ea-db2666d6e843" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">151588</Content> </IndicatorItem> <IndicatorItem id="80bb7921-4817-48d3-878a-6712dd7faace" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">157732</Content> </IndicatorItem> <IndicatorItem id="bee37401-87df-4fe3-8bec-e38286e9b821" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">158000 TO 160400</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="c91fd813-be30-4331-aff5-09c168bc5c64"> <IndicatorItem id="4f928e37-08d2-46f1-a183-a3fd4818e8be" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-02-23T14:23:21Z</Content> </IndicatorItem> <IndicatorItem id="10b6b09a-7e45-45c3-b833-00005caf0ea9" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-03-24T03:43:02Z</Content> </IndicatorItem> <IndicatorItem id="9a15ea1c-c2b2-447b-9011-b1e8542433d5" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-04-01T17:41:45Z</Content> </IndicatorItem> <IndicatorItem id="42946ae8-b28a-482f-9a84-bdde2098a5dc" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-04-13T09:22:06Z</Content> </IndicatorItem> 
<IndicatorItem id="b972ea4d-c4c9-4fab-9e57-8478764f5c16" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-04-20T07:00:00Z TO 2011-04-20T14:00:00Z</Content> </IndicatorItem> <IndicatorItem id="3b8c093d-414f-49a9-b7dd-22b68a238726" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-04-21T07:16:51Z</Content> </IndicatorItem> <IndicatorItem id="d19129ad-cb3e-48c5-9188-c355b342aca6" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-05-04T16:10:36Z</Content> </IndicatorItem> <IndicatorItem id="65772a1c-3690-451c-bafe-869944742746" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-05-11T08:39:16Z</Content> </IndicatorItem> <IndicatorItem id="c79d6f9a-7528-4878-87e4-1d75d5d31b5c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-05-31T08:37:56Z</Content> </IndicatorItem> <IndicatorItem id="e787f4b2-b375-4a86-a870-b1a0fe91cbe5" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-06-02T01:41:52Z</Content> </IndicatorItem> <IndicatorItem id="9acd4092-e331-4503-be88-5ab9f3e50d4d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-06-02T01:42:07Z</Content> </IndicatorItem> <IndicatorItem id="77cb33c7-e73f-4c38-8108-9b4f4be6e36d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-06-16T00:36:06Z</Content> </IndicatorItem> <IndicatorItem id="341631f1-5d80-4471-b7cb-f67e846461bf" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-07-11T03:38:22Z</Content> 
</IndicatorItem> <IndicatorItem id="2a379e3d-7a56-413f-9970-9f42d095e052" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-09-22T13:52:10Z</Content> </IndicatorItem> <IndicatorItem id="0770e7b6-6b92-40e4-812a-6ef828fbcb1c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-04-12T15:02:26Z</Content> </IndicatorItem> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-8a57160c-53f6-4782-9c2f-d4b54c3e4201"> <indicator:Title>GOGGLES (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Downloader</indicator:Type> <indicator:Description> A family of downloader malware, that retrieves an encoded payload from a fixed location, usually in the form of a file with the .jpg extension. Some variants have just an .exe that acts as a downloader, others have an .exe launcher that runs as a service and then loads an associated .dll of the same name that acts as the downloader. This IOC is targeted at the downloaders only. After downloading the file, the malware decodes the downloaded payload into an .exe file and launches it. The malware usually stages the files it uses in the %TEMP% directory or the %WINDIR%\Temp directory. 
</indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-6bf6aeb9-eb33-4691-b18b-936aa4a975fa"/> <cybox:Observable idref="mandiant:observable-a897fe63-2220-4610-8fff-9c2b9e753633"/> <cybox:Observable idref="mandiant:observable-79d95774-eb93-4cb6-8395-59e255966c57"/> <cybox:Observable idref="mandiant:observable-bf0af872-a1d0-4b31-b8e8-76e092dd2ca7"/> <cybox:Observable idref="mandiant:observable-c8f401fa-9e65-48ba-bc69-ed4ae8504c3a"/> <cybox:Observable idref="mandiant:observable-9b4f8d5c-0177-4ce5-9d7b-bd7a1f8a8d78"/> <cybox:Observable idref="mandiant:observable-737eed55-4f2e-4f32-b572-9f55a1b62ef6"/> <cybox:Observable idref="mandiant:observable-8c6ee6bc-06df-4a4c-b7da-2a57dc2b16f6"/> <cybox:Observable idref="mandiant:observable-efd06593-64ae-4d88-b977-3cd5ecbbea32"/> <cybox:Observable idref="mandiant:observable-573c0cf0-0415-4a15-be60-e8748c4d3a9d"/> <cybox:Observable idref="mandiant:observable-28294f17-ac3d-43c6-a2f4-af2242512ab9"/> <cybox:Observable idref="mandiant:observable-8cffa685-5e94-4db6-9f01-e29c91a8ceea"/> <cybox:Observable idref="mandiant:observable-8bdc3c7b-91ca-407f-ba57-cf2f2a947f11"/> <cybox:Observable idref="mandiant:observable-818e26cb-6b0e-405c-ad4c-b01ec519959d"/> <cybox:Observable idref="mandiant:observable-c1f647d8-b328-430a-8abf-922f8c4b949b"/> <cybox:Observable idref="mandiant:observable-9f31630c-cabb-4064-847e-2234ae0d7949"/> <cybox:Observable idref="mandiant:observable-df6ab0ea-8768-4fab-9f72-c43aba2f85e4"/> <cybox:Observable idref="mandiant:observable-9d8448b5-0a94-48d2-b2ca-b7702c943c34"/> <cybox:Observable idref="mandiant:observable-37852a61-6c44-4f93-9796-123a8dbd500f"/> <cybox:Observable idref="mandiant:observable-cf16c3fa-9747-4d0b-9fc4-c9a49d1016f7"/> <cybox:Observable idref="mandiant:observable-0c6a173d-ea35-4f92-9f27-1034939980b9"/> <cybox:Observable idref="mandiant:observable-d3dc32ba-43aa-4bb0-83bf-d67f4e284d2e"/> <cybox:Observable 
idref="mandiant:observable-b9b71deb-63ec-4fe1-9719-01d68ac49b67"/> <cybox:Observable idref="mandiant:observable-01bd0ef0-f08b-455d-a2f5-e5685f497714"/> <cybox:Observable idref="mandiant:observable-e1347131-a9ca-468b-abd1-f70b5be73934"/> <cybox:Observable idref="mandiant:observable-c583ed8b-3f7f-4417-8fe5-e9c8905431b7"/> <cybox:Observable idref="mandiant:observable-16ac7750-b557-46ef-8b71-0659ac8fb744"/> <cybox:Observable id="mandiant:observable-906f3cb4-3fb2-471b-a20e-86932bb6158a"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-89fb679b-d4b5-4cd8-a0e2-176ff7a84a73"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-e555a82f-e64e-4c77-abee-a4e5af8e4420"/> <cybox:Observable idref="mandiant:observable-fe35529d-ef3f-4171-96fb-b89c267c2265"/> <cybox:Observable idref="mandiant:observable-6cc894f0-59eb-4261-a36f-3d8c3503d7f4"/> <cybox:Observable idref="mandiant:observable-5431c2b6-2fc8-467d-833b-130e516cbb72"/> <cybox:Observable idref="mandiant:observable-41c7218a-0cc4-499e-8220-67226ef81c74"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-9e5da1f3-0b8b-4334-8923-3be03c116dbc"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-2c87b5c8-7ec0-46ab-bd3e-a5a27e90d0a4"/> <cybox:Observable idref="mandiant:observable-9f644994-4ffa-428f-9426-f21a43cb53c1"/> <cybox:Observable idref="mandiant:observable-50ec3594-e369-4340-84b7-d6d6cbf3d309"/> <cybox:Observable idref="mandiant:observable-90b0b02d-dddb-4ecd-9796-fa1a0bbd02e5"/> <cybox:Observable idref="mandiant:observable-d750031d-877d-4903-b572-c981ee8d9236"/> <cybox:Observable idref="mandiant:observable-c848740b-66c8-4d00-acc1-56782827b10b"/> <cybox:Observable idref="mandiant:observable-a067de4a-e6a5-4b5b-bf6d-bc198f959d80"/> <cybox:Observable idref="mandiant:observable-84967cfa-69f0-4254-badc-d46cb79d26c7"/> <cybox:Observable 
idref="mandiant:observable-45db05bb-bd41-4b2d-bce2-6c2b94b122ef"/> <cybox:Observable idref="mandiant:observable-6bce7a55-8e95-42a7-8326-05a5feb51596"/> <cybox:Observable idref="mandiant:observable-594eb497-0179-4537-a7d4-80aa81a2a325"/> <cybox:Observable idref="mandiant:observable-a1861df1-3590-4223-bf8e-afe46ae48443"/> <cybox:Observable idref="mandiant:observable-2af57e8f-65c6-4232-b493-1fb574b9002d"/> <cybox:Observable idref="mandiant:observable-030de379-8e8b-468d-a583-97eeea361cb0"/> <cybox:Observable idref="mandiant:observable-c68e647f-a929-48e6-be04-739add3afd99"/> <cybox:Observable idref="mandiant:observable-f2bd1ae3-9d40-4aed-af3d-78777cef13ce"/> <cybox:Observable idref="mandiant:observable-308efb8e-caa5-4aed-8c45-fc2014e85abd"/> <cybox:Observable idref="mandiant:observable-1cd3ca84-a53e-46d3-84f3-157f7ceb9b51"/> <cybox:Observable idref="mandiant:observable-a8c77ad1-e5a2-4638-9f49-12cf1fe315a5"/> <cybox:Observable idref="mandiant:observable-c0f84e9c-385a-4940-8ba3-b6ce2dca710c"/> <cybox:Observable idref="mandiant:observable-81289d03-211b-4471-b4d3-bad06a7aa5eb"/> <cybox:Observable idref="mandiant:observable-f17f8d35-de32-4874-8452-5050ea2a533c"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-3b116e76-8434-4d7e-a61b-5e8cf4f8bc88"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-041f007d-9af7-48ff-8baf-6c2464a1f9e8"/> <cybox:Observable idref="mandiant:observable-3d9f38cd-0bc8-4e9c-b5a8-6cd2a06f1458"/> <cybox:Observable idref="mandiant:observable-c1194515-f997-451d-8930-36beb247ffcb"/> <cybox:Observable idref="mandiant:observable-24e54cce-c4b1-429a-94bb-d72684763026"/> <cybox:Observable idref="mandiant:observable-763a8925-3c15-46da-9d0a-8b0b12004680"/> <cybox:Observable idref="mandiant:observable-d6e4fa65-cc60-4eeb-aabf-0b2d2aa829e2"/> <cybox:Observable idref="mandiant:observable-0c42625e-283f-47a2-9851-bd45f01c5e5b"/> <cybox:Observable 
idref="mandiant:observable-4f16b9c2-b44e-4d78-aee6-8547d0f32d62"/> <cybox:Observable idref="mandiant:observable-7f97f56f-d574-4fb3-a134-275f2381cb31"/> <cybox:Observable idref="mandiant:observable-a8ea5b89-fc57-41ab-aff9-4a535132cec9"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="eb91abad-afe0-4bd6-80f2-850d14a99308" last-modified="2013-02-10T13:00:00"> <short_description>GOGGLES (FAMILY)</short_description> <description>A family of downloader malware, that retrieves an encoded payload from a fixed location, usually in the form of a file with the .jpg extension. Some variants have just an .exe that acts as a downloader, others have an .exe launcher that runs as a service and then loads an associated .dll of the same name that acts as the downloader. This IOC is targeted at the downloaders only. After downloading the file, the malware decodes the downloaded payload into an .exe file and launches it. 
The malware usually stages the files it uses in the %TEMP% directory or the %WINDIR%\Temp directory.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="family">GOGGLES</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="category">Downloader</link> </links> <definition> <Indicator operator="OR" id="8a57160c-53f6-4782-9c2f-d4b54c3e4201"> <IndicatorItem id="6bf6aeb9-eb33-4691-b18b-936aa4a975fa" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3abe9c84fc13d0a82c1c3e0dced5825d</Content> </IndicatorItem> <IndicatorItem id="a897fe63-2220-4610-8fff-9c2b9e753633" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4111fbc14558385c10091543c439264a</Content> </IndicatorItem> <IndicatorItem id="79d95774-eb93-4cb6-8395-59e255966c57" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bf80dbf969b73790253f683cd723fd71</Content> </IndicatorItem> <IndicatorItem id="bf0af872-a1d0-4b31-b8e8-76e092dd2ca7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">09d372e4259980ac95fdadf1846578d9</Content> </IndicatorItem> <IndicatorItem id="c8f401fa-9e65-48ba-bc69-ed4ae8504c3a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f67357d9fa1c3014050f2feefd39c784</Content> </IndicatorItem> <IndicatorItem id="9b4f8d5c-0177-4ce5-9d7b-bd7a1f8a8d78" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">8c9871a9eb88ffc43507f988b222dc52</Content> </IndicatorItem> <IndicatorItem id="737eed55-4f2e-4f32-b572-9f55a1b62ef6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bce4b77a4e4acc70a3f6f52ec0a2f033</Content> </IndicatorItem> <IndicatorItem 
id="8c6ee6bc-06df-4a4c-b7da-2a57dc2b16f6" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ea47431d832faff7802710dae0abb0d3</Content> </IndicatorItem> <IndicatorItem id="efd06593-64ae-4d88-b977-3cd5ecbbea32" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">874bb818208655b59a8c4c1ae2aef379</Content> </IndicatorItem> <IndicatorItem id="573c0cf0-0415-4a15-be60-e8748c4d3a9d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">24fefb8b9338e2300308260be19bbaab</Content> </IndicatorItem> <IndicatorItem id="28294f17-ac3d-43c6-a2f4-af2242512ab9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">15137b710414e4e8508ac5ab27e2cbaa</Content> </IndicatorItem> <IndicatorItem id="8cffa685-5e94-4db6-9f01-e29c91a8ceea" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">150c95865766c2dd0562e7bedb6db104</Content> </IndicatorItem> <IndicatorItem id="8bdc3c7b-91ca-407f-ba57-cf2f2a947f11" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">5a3abb8053c271c58e879b3b9cf8c8f5</Content> </IndicatorItem> <IndicatorItem id="818e26cb-6b0e-405c-ad4c-b01ec519959d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">bcb087f69792b69494a3edad51a842bb</Content> </IndicatorItem> <IndicatorItem id="c1f647d8-b328-430a-8abf-922f8c4b949b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">32c32e936cffa8ab370c7f3f2dd43d65</Content> </IndicatorItem> <IndicatorItem id="9f31630c-cabb-4064-847e-2234ae0d7949" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">51326bf40da5a5357a143dd9a6e6a11c</Content> </IndicatorItem> <IndicatorItem 
id="df6ab0ea-8768-4fab-9f72-c43aba2f85e4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ecf18654e4a2668fb8b2e3db144809af</Content> </IndicatorItem> <IndicatorItem id="9d8448b5-0a94-48d2-b2ca-b7702c943c34" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f445b22897a27ac5852ee19589bea8c2</Content> </IndicatorItem> <IndicatorItem id="37852a61-6c44-4f93-9796-123a8dbd500f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">dd1222f96024ac28179c7508e4193285</Content> </IndicatorItem> <IndicatorItem id="cf16c3fa-9747-4d0b-9fc4-c9a49d1016f7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6767eeb485232436de9553988765fb89</Content> </IndicatorItem> <IndicatorItem id="0c6a173d-ea35-4f92-9f27-1034939980b9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3f243b304358041fb163007e0c066d4a</Content> </IndicatorItem> <IndicatorItem id="d3dc32ba-43aa-4bb0-83bf-d67f4e284d2e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e64d657ce32118b415fa91dc05037c4c</Content> </IndicatorItem> <IndicatorItem id="b9b71deb-63ec-4fe1-9719-01d68ac49b67" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">db50416d9e67f4982e89e0ffb0ade6f3</Content> </IndicatorItem> <IndicatorItem id="01bd0ef0-f08b-455d-a2f5-e5685f497714" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a5b581c0600815b1112ca2fed578928b</Content> </IndicatorItem> <IndicatorItem id="e1347131-a9ca-468b-abd1-f70b5be73934" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">57f98d16ac439a11012860f88db21831</Content> </IndicatorItem> <IndicatorItem 
id="c583ed8b-3f7f-4417-8fe5-e9c8905431b7" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4f65bc571cdd9c9cd11e771e1db35a4c</Content> </IndicatorItem> <IndicatorItem id="16ac7750-b557-46ef-8b71-0659ac8fb744" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">876ee736ebad6917a259456fc3a2f11b</Content> </IndicatorItem> <IndicatorItem id="5c35bd6a-9839-4e23-a0e0-98159eceda9a" condition="contains"> <Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir"/> <Content type="string">/Gallery/Winterfest/2.jpg</Content> <Comment>a record of payload retrieval that may be left on the host by some variants. Note in some cases these could tend towards heavy false positives.</Comment> </IndicatorItem> <IndicatorItem id="3ae0fc63-253f-4b42-a4cb-e8cffc204c1f" condition="contains"> <Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir"/> <Content type="string">/Editor/assets/flower_yellow.jpg</Content> <Comment>a record of payload retrieval that may be left on the host by some variants. Note in some cases these could tend towards heavy false positives.</Comment> </IndicatorItem> <IndicatorItem id="5d84d5f7-b67e-47af-8f8d-432faa1ef3c5" condition="contains"> <Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir"/> <Content type="string">/festival/Thanksgiving.jpg</Content> <Comment>a record of payload retrieval that may be left on the host by some variants. Note in some cases these could tend towards heavy false positives.</Comment> </IndicatorItem> <IndicatorItem id="f12770da-fc83-4a66-a0f3-818a7961ad6c" condition="contains"> <Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir"/> <Content type="string">/em/a1.jpg</Content> <Comment>a record of payload retrieval that may be left on the host by some variants. 
Note in some cases these could tend towards heavy false positives.</Comment> </IndicatorItem> <IndicatorItem id="81928032-2f41-4b5b-a923-4d41a4077925" condition="contains"> <Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir"/> <Content type="string">/ms/a2.jpg</Content> <Comment>a record of payload retrieval that may be left on the host by some variants. Note in some cases these could tend towards heavy false positives.</Comment> </IndicatorItem> <IndicatorItem id="0802526a-9495-41d9-abbf-0e522349faba" condition="contains"> <Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir"/> <Content type="string">/sll/monica.jpg</Content> <Comment>a record of payload retrieval that may be left on the host by some variants. Note in some cases these could tend towards heavy false positives.</Comment> </IndicatorItem> <IndicatorItem id="7c15c51f-bf9d-455d-96f7-4e47639e974b" condition="contains"> <Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir"/> <Content type="string">/images/canemasters.jpg</Content> <Comment>a record of payload retrieval that may be left on the host by some variants. Note in some cases these could tend towards heavy false positives.</Comment> </IndicatorItem> <IndicatorItem id="e305ccc1-40a6-494c-bee0-8c363c70dadd" condition="contains"> <Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir"/> <Content type="string">/images/newsbar.jpg</Content> <Comment>a record of payload retrieval that may be left on the host by some variants. Note in some cases these could tend towards heavy false positives.</Comment> </IndicatorItem> <IndicatorItem id="c4e72982-215e-4c98-bfa5-8c024b0e9b02" condition="contains"> <Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir"/> <Content type="string">/IMG/nblogo2.jpg</Content> <Comment>a record of payload retrieval that may be left on the host by some variants. 
Note in some cases these could tend towards heavy false positives.</Comment> </IndicatorItem> <IndicatorItem id="43a2e39a-7868-4730-aabe-fba543606b44" condition="contains"> <Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir"/> <Content type="string">/srilk/dota.jpg</Content> <Comment>a record of payload retrieval that may be left on the host by some variants. Note in some cases these could tend towards heavy false positives.</Comment> </IndicatorItem> <IndicatorItem id="17a573bf-7df1-4f51-a1e3-eee25fe90d1c" condition="contains"> <Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir"/> <Content type="string">/srilk/TomAndJerry.jpg</Content> <Comment>a record of payload retrieval that may be left on the host by some variants. Note in some cases these could tend towards heavy false positives.</Comment> </IndicatorItem> <IndicatorItem id="165c84eb-5ce9-4279-9160-75fbdc76d68d" condition="contains"> <Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir"/> <Content type="string">/images/colt_defense.jpg</Content> <Comment>a record of payload retrieval that may be left on the host by some variants. 
Note in some cases these could tend towards heavy false positives.</Comment> </IndicatorItem> <IndicatorItem id="794a79e2-a955-47bb-96cf-e8157b36a70e" condition="is"> <Context document="FileItem" search="FileItem/StringList/string" type="mir"/> <Content type="string">thequickbrownfxjmpsvalzydg</Content> <Comment>unique encoding string found in this family and other types of APT1 malware</Comment> </IndicatorItem> <Indicator operator="AND" id="906f3cb4-3fb2-471b-a20e-86932bb6158a"> <Indicator operator="OR" id="89fb679b-d4b5-4cd8-a0e2-176ff7a84a73"> <IndicatorItem id="e555a82f-e64e-4c77-abee-a4e5af8e4420" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">10240</Content> </IndicatorItem> <IndicatorItem id="fe35529d-ef3f-4171-96fb-b89c267c2265" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">10752</Content> </IndicatorItem> <IndicatorItem id="6cc894f0-59eb-4261-a36f-3d8c3503d7f4" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">11264</Content> </IndicatorItem> <IndicatorItem id="5431c2b6-2fc8-467d-833b-130e516cbb72" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">8704</Content> </IndicatorItem> <IndicatorItem id="41c7218a-0cc4-499e-8220-67226ef81c74" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">9216</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="9e5da1f3-0b8b-4334-8923-3be03c116dbc"> <IndicatorItem id="2c87b5c8-7ec0-46ab-bd3e-a5a27e90d0a4" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-04-10T01:36:41Z</Content> </IndicatorItem> <IndicatorItem id="9f644994-4ffa-428f-9426-f21a43cb53c1" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> 
<Content type="date">2009-07-16T15:04:29Z</Content> </IndicatorItem> <IndicatorItem id="50ec3594-e369-4340-84b7-d6d6cbf3d309" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2009-07-16T15:18:07Z</Content> </IndicatorItem> <IndicatorItem id="90b0b02d-dddb-4ecd-9796-fa1a0bbd02e5" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-08-11T09:14:46Z</Content> </IndicatorItem> <IndicatorItem id="d750031d-877d-4903-b572-c981ee8d9236" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-08-11T09:15:53Z</Content> </IndicatorItem> <IndicatorItem id="c848740b-66c8-4d00-acc1-56782827b10b" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-11-20T15:30:36Z</Content> </IndicatorItem> <IndicatorItem id="a067de4a-e6a5-4b5b-bf6d-bc198f959d80" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-03-02T15:12:30Z</Content> </IndicatorItem> <IndicatorItem id="84967cfa-69f0-4254-badc-d46cb79d26c7" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-03-02T15:41:38Z</Content> </IndicatorItem> <IndicatorItem id="45db05bb-bd41-4b2d-bce2-6c2b94b122ef" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-03-03T13:41:14Z</Content> </IndicatorItem> <IndicatorItem id="6bce7a55-8e95-42a7-8326-05a5feb51596" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-03-08T02:36:50Z</Content> </IndicatorItem> <IndicatorItem id="594eb497-0179-4537-a7d4-80aa81a2a325" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content 
type="date">2011-03-25T09:36:00Z</Content> </IndicatorItem> <IndicatorItem id="a1861df1-3590-4223-bf8e-afe46ae48443" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-04-28T01:22:03Z</Content> </IndicatorItem> <IndicatorItem id="2af57e8f-65c6-4232-b493-1fb574b9002d" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-08-07T11:34:16Z</Content> </IndicatorItem> <IndicatorItem id="030de379-8e8b-468d-a583-97eeea361cb0" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-08-10T19:45:58Z</Content> </IndicatorItem> <IndicatorItem id="c68e647f-a929-48e6-be04-739add3afd99" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-10-13T09:23:00Z</Content> </IndicatorItem> <IndicatorItem id="f2bd1ae3-9d40-4aed-af3d-78777cef13ce" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-10-13T09:37:53Z</Content> </IndicatorItem> <IndicatorItem id="308efb8e-caa5-4aed-8c45-fc2014e85abd" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-11-10T08:46:09Z</Content> </IndicatorItem> <IndicatorItem id="1cd3ca84-a53e-46d3-84f3-157f7ceb9b51" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-12-01T13:50:47Z</Content> </IndicatorItem> <IndicatorItem id="a8c77ad1-e5a2-4638-9f49-12cf1fe315a5" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-02-13T15:54:19Z</Content> </IndicatorItem> <IndicatorItem id="c0f84e9c-385a-4940-8ba3-b6ce2dca710c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content 
type="date">2012-02-16T08:22:06Z</Content> </IndicatorItem> <IndicatorItem id="81289d03-211b-4471-b4d3-bad06a7aa5eb" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-05-30T14:51:25Z</Content> </IndicatorItem> <IndicatorItem id="f17f8d35-de32-4874-8452-5050ea2a533c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2012-07-26T14:55:59Z</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="3b116e76-8434-4d7e-a61b-5e8cf4f8bc88"> <IndicatorItem id="041f007d-9af7-48ff-8baf-6c2464a1f9e8" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">avguard.dll</Content> </IndicatorItem> <IndicatorItem id="3d9f38cd-0bc8-4e9c-b5a8-6cd2a06f1458" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">dlserver.exe</Content> </IndicatorItem> <IndicatorItem id="c1194515-f997-451d-8930-36beb247ffcb" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">WinInstall.exe</Content> </IndicatorItem> <IndicatorItem id="24e54cce-c4b1-429a-94bb-d72684763026" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">InfMon.dll</Content> </IndicatorItem> <IndicatorItem id="763a8925-3c15-46da-9d0a-8b0b12004680" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">vsserv.dll</Content> </IndicatorItem> <IndicatorItem id="d6e4fa65-cc60-4eeb-aabf-0b2d2aa829e2" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">dlservers.exe</Content> </IndicatorItem> <IndicatorItem id="0c42625e-283f-47a2-9851-bd45f01c5e5b" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">svehost.exe</Content> 
</IndicatorItem> <IndicatorItem id="4f16b9c2-b44e-4d78-aee6-8547d0f32d62" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">wininstaller.exe</Content> </IndicatorItem> <IndicatorItem id="7f97f56f-d574-4fb3-a134-275f2381cb31" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">msiexec.exe</Content> </IndicatorItem> <IndicatorItem id="a8ea5b89-fc57-41ab-aff9-4a535132cec9" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> </IndicatorItem> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator>
<!-- WEBC2-TOCK indicator. The cybox:Observable_Composition and the embedded OpenIOC definition below describe the same boolean tree: each observable id/idref is the matching OpenIOC Indicator or IndicatorItem id prefixed with "mandiant:observable-". The idref targets are not defined inside this element. -->
<stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-2656e928-dd0f-49a5-b0d6-13c9a854a628"> <indicator:Title>WEBC2-TOCK (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Downloader</indicator:Type> <indicator:Description> The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-TOCK variant looks for tags which include the name of the system in them as a parameter. If those tags are formed correctly, the malware will decode the payload URL from the web page, then download and execute the payload. 
</indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-5a9ed4ef-9a0c-4f4c-9cf9-65d33cd59edb"/> <cybox:Observable idref="mandiant:observable-54c44e19-a195-43e7-ad01-e350d387e888"/> <cybox:Observable idref="mandiant:observable-e034777e-1d07-474e-a825-02459fecbbe0"/> <cybox:Observable id="mandiant:observable-6ee52537-039d-4b4f-b009-2e43387626d6"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-44d5b6fc-75f4-49b0-bf74-c964521cd5c0"/> <cybox:Observable id="mandiant:observable-91da7198-15a4-4168-983d-e499011ab657"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-ffae0e73-4f45-4062-ba4b-7628f901fa0e"/> <cybox:Observable idref="mandiant:observable-84a9a67d-e641-4edf-854f-3ed7bd151946"/> <cybox:Observable idref="mandiant:observable-76a83e3b-2c81-4c68-ba94-bf557a3ba43e"/> <cybox:Observable idref="mandiant:observable-82ebe9c0-4701-40e8-bc59-31f1af3c7042"/> <cybox:Observable idref="mandiant:observable-0383f494-e75e-4b22-8d94-46467712964b"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-51c71982-8ad8-41fa-a932-548d1f813a9a"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-a30394c7-d1bd-4c15-b949-110b6a005d6c"/> <cybox:Observable id="mandiant:observable-81f4acd8-0238-41ca-b46d-a1e86e06764f"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-5c1519e1-904c-4367-b316-6776eb3cfb0d"/> <cybox:Observable idref="mandiant:observable-3360f8d9-3215-41ea-8958-d1f0cab55f73"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-e600f212-0a17-4e5a-91d9-5b6d5510ccca"> <cybox:Observable_Composition operator="AND"> <cybox:Observable 
idref="mandiant:observable-a19db190-8116-4885-a2e7-9fdc2006aee0"/> <cybox:Observable id="mandiant:observable-6772d603-297f-4ba6-9b5d-983d1c1a87cb"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-69fd5c62-9662-4217-8840-0f0068192e18"/> <cybox:Observable idref="mandiant:observable-daf83b4a-467e-4e4b-8d4d-d1945e90c3e7"/> <cybox:Observable idref="mandiant:observable-c4f006d9-277d-44eb-b4c6-8b8158682695"/> <cybox:Observable idref="mandiant:observable-989b3f80-92c4-441b-9e5f-99888b12cac5"/> <cybox:Observable id="mandiant:observable-ebed60ad-7ad0-4dbd-a5a2-d8958d7739c6"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-1ca51c49-fa3a-42c6-80f4-b786c0d9e82c"/> <cybox:Observable idref="mandiant:observable-953dd2ea-5a2c-40c3-b70e-ccd4b2126efc"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <!-- References WEBC2 TTP rather than main APT1 TTP --> <stixCommon:TTP idref="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="ece1846e-98d3-4ddc-a520-0dcda4866989" last-modified="2013-02-10T13:00:00"> <short_description>WEBC2-TOCK (FAMILY)</short_description> <description>The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-TOCK variant looks for tags which include the name of the system in them as a parameter. 
If those tags are formed correctly, the malware will decode the payload URL from the web page, then download and execute the payload.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="category">Downloader</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="family">WEBC2-TOCK</link> </links> <definition>
<!-- Top-level OR: a match on any one child (either MD5, the export DLL name, or one of the three AND groups) satisfies the definition. The Md5sum items use condition="is", i.e. an exact comparison against the listed hash. -->
<Indicator operator="OR" id="2656e928-dd0f-49a5-b0d6-13c9a854a628"> <IndicatorItem id="5a9ed4ef-9a0c-4f4c-9cf9-65d33cd59edb" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">dbdd2a9c86e71ba0c9953ff4f89cc25b</Content> </IndicatorItem> <IndicatorItem id="54c44e19-a195-43e7-ad01-e350d387e888" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">67f62f5accfeacf5e828c3b3905248fe</Content> </IndicatorItem> <IndicatorItem id="e034777e-1d07-474e-a825-02459fecbbe0" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/Exports/DllName" type="mir"/> <Content type="string">comhtml.DLL</Content> </IndicatorItem>
<!-- Registry group 1: a RegistryItem/Path containing the GUID is required together with at least one of the RegistryItem/Text substrings. Every condition here is "contains", so each matches a substring; treat short values such as "Apartment" as meaningful only in combination with the path. -->
<Indicator operator="AND" id="6ee52537-039d-4b4f-b009-2e43387626d6"> <IndicatorItem id="44d5b6fc-75f4-49b0-bf74-c964521cd5c0" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">{1A7882DB-B89E-4406-AF8A-42C3DBD11B2C}</Content> </IndicatorItem> <Indicator operator="OR" id="91da7198-15a4-4168-983d-e499011ab657"> <IndicatorItem id="ffae0e73-4f45-4062-ba4b-7628f901fa0e" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">mshtml Class</Content> </IndicatorItem> <IndicatorItem id="84a9a67d-e641-4edf-854f-3ed7bd151946" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">Comhtml.mshtml.1</Content> </IndicatorItem> <IndicatorItem 
id="76a83e3b-2c81-4c68-ba94-bf557a3ba43e" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">Apartment</Content> </IndicatorItem> <IndicatorItem id="82ebe9c0-4701-40e8-bc59-31f1af3c7042" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">ntoc.dll</Content> </IndicatorItem> <IndicatorItem id="0383f494-e75e-4b22-8d94-46467712964b" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">{B02DAAF7-C679-4D00-9805-BE94D23B3B99}</Content> </IndicatorItem> </Indicator> </Indicator>
<!-- Registry group 2: the GUID that group 1 looks for as a Text substring is matched here in the registry path, again combined with one of two Text substrings. -->
<Indicator operator="AND" id="51c71982-8ad8-41fa-a932-548d1f813a9a"> <IndicatorItem id="a30394c7-d1bd-4c15-b949-110b6a005d6c" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">{B02DAAF7-C679-4D00-9805-BE94D23B3B99}</Content> </IndicatorItem> <Indicator operator="OR" id="81f4acd8-0238-41ca-b46d-a1e86e06764f"> <IndicatorItem id="5c1519e1-904c-4367-b316-6776eb3cfb0d" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">comhtml 1.0 Type Library</Content> </IndicatorItem> <IndicatorItem id="3360f8d9-3215-41ea-8958-d1f0cab55f73" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">ntoc.dll</Content> </IndicatorItem> </Indicator> </Indicator>
<!-- File group: FileName is "ntoc.dll" AND at least one qualifier from the nested OR (an exported function name, the checksum_is_zero PE anomaly, a file size, a PE timestamp, or the resource/version language pair). A file name plus a single qualifier is a weak match. NOTE(review): triage hits from this group before acting on them. -->
<Indicator operator="AND" id="e600f212-0a17-4e5a-91d9-5b6d5510ccca"> <IndicatorItem id="a19db190-8116-4885-a2e7-9fdc2006aee0" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">ntoc.dll</Content> </IndicatorItem> <Indicator operator="OR" id="6772d603-297f-4ba6-9b5d-983d1c1a87cb"> <IndicatorItem id="69fd5c62-9662-4217-8840-0f0068192e18" condition="contains"> <Context document="FileItem" 
search="FileItem/PEInfo/Exports/ExportedFunctions/string" type="mir"/> <Content type="string">DllRegisterServer</Content> </IndicatorItem> <IndicatorItem id="daf83b4a-467e-4e4b-8d4d-d1945e90c3e7" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> <IndicatorItem id="c4f006d9-277d-44eb-b4c6-8b8158682695" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">32768</Content> </IndicatorItem> <IndicatorItem id="989b3f80-92c4-441b-9e5f-99888b12cac5" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-05-06T13:11:39Z</Content> </IndicatorItem> <Indicator operator="AND" id="ebed60ad-7ad0-4dbd-a5a2-d8958d7739c6"> <IndicatorItem id="1ca51c49-fa3a-42c6-80f4-b786c0d9e82c" condition="contains"> <Context document="FileItem" search="FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Language" type="mir"/> <Content type="string">Chinese (Simplified, PRC)</Content> </IndicatorItem> <IndicatorItem id="953dd2ea-5a2c-40c3-b70e-ccd4b2126efc" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/Language" type="mir"/> <Content type="string">English (United States)</Content> </IndicatorItem> </Indicator> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-3c18ada4-2f65-46e8-b5cc-80b9d47f4e5c"> <indicator:Title>WEBC2-YAHOO (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Downloader</indicator:Type> <indicator:Description> The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. 
It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-YAHOO variant enters a loop where every ten minutes it attempts to download a web page that may contain an encoded URL. The encoded URL will be found in the pages returned inside an attribute named 'sb' or 'ex' within a tag named 'yahoo'. The embedded link can direct the malware to download and execute files. </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-6fcb85fd-f1cf-4b75-b1ec-cee9cff7a792"/> <cybox:Observable idref="mandiant:observable-f185110e-4fbd-4782-98ff-5db97ca802ef"/> <cybox:Observable idref="mandiant:observable-8c90a6f4-c13c-4cf6-a3ae-15c04a960b0d"/> <cybox:Observable idref="mandiant:observable-28cae9e0-e6ae-440d-a833-fce9fed91746"/> <cybox:Observable idref="mandiant:observable-52267a68-5ad0-4132-b3c6-c86a69842df5"/> <cybox:Observable idref="mandiant:observable-1706748c-acbc-4db3-b243-83f705616a57"/> <cybox:Observable idref="mandiant:observable-453c4b44-a1fa-44d5-8655-0bbbea9d8532"/> <cybox:Observable idref="mandiant:observable-1eecde36-9399-4bd6-ba13-b414af30bc08"/> <cybox:Observable idref="mandiant:observable-6fc7ea0c-b56e-4fca-8297-3af38ddf23af"/> <cybox:Observable idref="mandiant:observable-25a88fc6-025c-47ce-b1c3-7eb475ed787f"/> <cybox:Observable idref="mandiant:observable-5d38842f-2585-4c0f-a25d-551dc5cc77d8"/> <cybox:Observable idref="mandiant:observable-84b40839-003e-4a6e-ad8e-1df258ea07b2"/> <cybox:Observable idref="mandiant:observable-7ddafb71-345c-4df5-85c3-9cb5087feba4"/> <cybox:Observable idref="mandiant:observable-2c9f0b9d-0042-4c9d-b093-c8c239870fe3"/> <cybox:Observable idref="mandiant:observable-58649176-0ca4-4d1a-9e6a-1236dbc77ac7"/> <cybox:Observable idref="mandiant:observable-76a80ad2-29dd-47cb-b279-1f24cf7027ac"/> <cybox:Observable idref="mandiant:observable-bcfb0f4d-a535-4e09-bc70-3c4cec5c4357"/> 
<cybox:Observable idref="mandiant:observable-ea217e94-0489-43c2-9460-792cf8fa7969"/> <cybox:Observable idref="mandiant:observable-3c1a10a3-9c3d-4226-bb7e-28a796fac92a"/> <cybox:Observable idref="mandiant:observable-f14f51a2-bdde-4474-9c5d-1e91c4e9c739"/> <cybox:Observable idref="mandiant:observable-85608e62-7b42-47cb-be04-ee818a567f21"/> <cybox:Observable idref="mandiant:observable-c71a44e2-805b-4e1e-b140-6ccfb1ba2752"/> <cybox:Observable idref="mandiant:observable-d08526ca-4936-477f-9670-c8bb4834c802"/> <cybox:Observable idref="mandiant:observable-6eb7f59e-c5aa-4fb0-b713-3ad934970c15"/> <cybox:Observable idref="mandiant:observable-4472370d-a4e0-4d5b-a9b4-7a2226c71656"/> <cybox:Observable idref="mandiant:observable-22d4a359-6d97-4c87-9e86-79d7f2822d6b"/> <cybox:Observable idref="mandiant:observable-9b54acc9-b2d4-42d8-bca6-229f2807d3ac"/> <cybox:Observable idref="mandiant:observable-efc5573e-b345-4491-a476-e5e3df158047"/> <cybox:Observable idref="mandiant:observable-ad80f7dd-1654-4c54-acfd-cf44fdba5874"/> <cybox:Observable idref="mandiant:observable-854fc56a-070c-4eef-b120-8b13b0430a46"/> <cybox:Observable idref="mandiant:observable-6cf40586-66b7-436c-9b78-1de376bda409"/> <cybox:Observable idref="mandiant:observable-7006d4db-b299-4253-89a0-ebd50503f989"/> <cybox:Observable idref="mandiant:observable-399b4560-097d-4c5f-9dd4-eb56ccfc4a39"/> <cybox:Observable idref="mandiant:observable-56f85a10-c969-4d69-8eb1-8f6265acf0a4"/> <cybox:Observable idref="mandiant:observable-22d0a76b-ca28-4108-ae4c-ba4c99441cde"/> <cybox:Observable idref="mandiant:observable-3babb67f-61cf-46f8-95be-9e9711bf049c"/> <cybox:Observable idref="mandiant:observable-7586834c-89b6-4b4d-bea8-f424bccd1536"/> <cybox:Observable idref="mandiant:observable-b76299cf-3094-4635-9f63-0f4e438ac6ca"/> <cybox:Observable idref="mandiant:observable-4d639056-7dcb-4e3a-b57e-b12f530b3e35"/> <cybox:Observable idref="mandiant:observable-3678d8ef-ace4-456a-93dd-41bc7b51dc0e"/> <cybox:Observable 
idref="mandiant:observable-860f4933-1b3b-4017-a594-df1717a16173"/> <cybox:Observable idref="mandiant:observable-6fff1113-d530-4445-a1e4-30108cac885b"/> <cybox:Observable idref="mandiant:observable-4ceb5bc2-bcb9-4d58-af98-c62107b8e52d"/> <cybox:Observable idref="mandiant:observable-8eda7dde-6882-4040-a236-403f857478fa"/> <cybox:Observable idref="mandiant:observable-1fbed0af-8e0d-43c3-8046-634a9b0b7973"/> <cybox:Observable idref="mandiant:observable-505d95fe-dab7-4184-b177-ed684e30f735"/> <cybox:Observable idref="mandiant:observable-703567b4-8492-4881-9ac0-406d820a1c02"/> <cybox:Observable idref="mandiant:observable-b3cfa046-8468-4160-9ec6-fd50a6696fe9"/> <cybox:Observable idref="mandiant:observable-8368e0af-177d-4c10-acf8-1b112707b0ea"/> <cybox:Observable idref="mandiant:observable-e8111648-69af-4631-850d-48a9ed04e830"/> <cybox:Observable idref="mandiant:observable-dbd562e7-1687-4d02-a4aa-18bbd8131073"/> <cybox:Observable idref="mandiant:observable-3ffe2f58-0162-42ca-bbb2-84c96f79a429"/> <cybox:Observable idref="mandiant:observable-57b9e593-0bfb-4a89-b414-75aaa578d698"/> <cybox:Observable idref="mandiant:observable-56140567-5ddf-429e-9ad3-3c41355b9c4a"/> <cybox:Observable idref="mandiant:observable-7a74e6c8-7375-48c0-949f-95572a78be54"/> <cybox:Observable idref="mandiant:observable-940b86bf-1668-46f7-830d-4be71196add5"/> <cybox:Observable idref="mandiant:observable-37e017df-49b2-47e1-9825-85bdf573b9ef"/> <cybox:Observable idref="mandiant:observable-7eacea1c-283f-4ce8-9b05-e52a41760159"/> <cybox:Observable idref="mandiant:observable-d52ca222-ddd8-4818-babd-469136767128"/> <cybox:Observable idref="mandiant:observable-2f199249-08c0-4d0c-a48d-92c8f764ad46"/> <cybox:Observable idref="mandiant:observable-ed6711b3-8778-4084-9a2b-931ae5e7babb"/> <cybox:Observable idref="mandiant:observable-17e77965-cbcb-4c7b-97a9-6c361bc294a6"/> <cybox:Observable idref="mandiant:observable-4e0b8b31-0f57-4a23-ae2f-b54a7d04c022"/> <cybox:Observable 
idref="mandiant:observable-192cc28d-7608-44c0-ab78-ed5b5d718c0f"/> <cybox:Observable id="mandiant:observable-aa27ca5e-3745-46b3-9ce9-eb8ef327ea62"> <cybox:Observable_Composition operator="AND"> <cybox:Observable id="mandiant:observable-91a7f815-ecc2-480d-b4cf-5a00d4669a58"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-d600f291-d6b9-417b-be7f-bb65f374094d"/> <cybox:Observable idref="mandiant:observable-fc91876c-c18d-4711-bcef-c828f18c9356"/> <cybox:Observable idref="mandiant:observable-5db34463-cd8e-4783-acb3-92783eaadd23"/> <cybox:Observable idref="mandiant:observable-30508b35-dadd-46fe-9701-f6dbdba2bef8"/> <cybox:Observable idref="mandiant:observable-1428e3b4-01d2-4756-99db-2b33f57e5c50"/> <cybox:Observable idref="mandiant:observable-b96748f1-ef0f-43cf-9811-018493c1f1f8"/> <cybox:Observable idref="mandiant:observable-5eec859d-42d7-4a84-bff1-1d09c8e9835e"/> <cybox:Observable idref="mandiant:observable-6470699e-2fc6-46bb-80a1-dc579302ec36"/> <cybox:Observable idref="mandiant:observable-7ecb7460-915c-4c47-b33b-9e5a22a2784c"/> <cybox:Observable idref="mandiant:observable-b69fe666-d750-4162-ad59-05a575ddb028"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-045e2c19-5825-4268-bcf3-0bda24e0d4df"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-a016ff4b-41f8-4fb9-85fe-2f322de4f84f"/> <cybox:Observable idref="mandiant:observable-e4bc1c3d-5031-4dea-a1d8-f6a8180852ab"/> <cybox:Observable idref="mandiant:observable-7a68303d-0c6e-4604-a48d-b74478e26051"/> <cybox:Observable idref="mandiant:observable-1ec89d4c-13f3-4c8d-9c8c-487b9f4434f3"/> <cybox:Observable idref="mandiant:observable-ea54de4e-3935-4f99-8a4f-d46cead8a42e"/> <cybox:Observable idref="mandiant:observable-3c7fe9c0-b08c-4921-95d3-8fbdb72e0937"/> <cybox:Observable idref="mandiant:observable-881afe9e-dbe5-4af0-9018-7f6c9ec69ea3"/> <cybox:Observable 
idref="mandiant:observable-1b7920f1-5aef-4124-ac18-769e855f03aa"/> <cybox:Observable idref="mandiant:observable-938c08b4-480f-4868-bdc9-1073ab0039e3"/> <cybox:Observable idref="mandiant:observable-070ba35f-e9ff-4884-b7a7-b34e53604cc4"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-debb5a9b-6d08-49f8-b799-2c0bdba2e771"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-09b8919f-7d83-4df5-bec0-c55ef595e5e4"/> <cybox:Observable idref="mandiant:observable-f050d4d3-c778-4ecc-aebd-81df5953a4c2"/> <cybox:Observable idref="mandiant:observable-d88cae4b-1734-4abb-9aa8-5916bfd5ac38"/> <cybox:Observable idref="mandiant:observable-d513f4f2-3f6b-4978-965a-df25d7161a3c"/> <cybox:Observable idref="mandiant:observable-962c1701-32e1-47f2-a67c-6868c743bfac"/> <cybox:Observable idref="mandiant:observable-4eab86a7-135f-473a-ac63-1a38e2059556"/> <cybox:Observable idref="mandiant:observable-51f6df5f-f37b-4e9a-84e8-6de48e817ba0"/> <cybox:Observable idref="mandiant:observable-37d15923-831f-4a70-b8d1-7966f07d31bd"/> <cybox:Observable idref="mandiant:observable-a082d17d-99f9-41d3-95af-7cae719f1cfa"/> <cybox:Observable idref="mandiant:observable-269a67b1-be1e-4564-b556-986b99da15a1"/> <cybox:Observable idref="mandiant:observable-98b74df6-b79f-4516-a532-0eb9b8b26beb"/> <cybox:Observable idref="mandiant:observable-90b7970a-9f9c-4be2-8335-94a1a44fa515"/> <cybox:Observable idref="mandiant:observable-1d5a0302-e8b1-405a-90a0-bebaa78b7fbf"/> <cybox:Observable idref="mandiant:observable-a42f67d5-b2f5-4225-8a67-38bfba70d472"/> <cybox:Observable idref="mandiant:observable-322dcf62-fb83-434a-969c-6a1e83b1e709"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-aba09b7b-65c4-4410-ac18-91fd1070e408"> <cybox:Observable_Composition operator="AND"> <cybox:Observable 
id="mandiant:observable-544d4d1f-9116-41d2-b359-b43aeb201d32"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-2eb66a50-21ee-4861-84dd-1cdc2fc388d0"/> <cybox:Observable idref="mandiant:observable-fdaec485-9c85-49c2-b17e-99cb0b0db111"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> <!-- NOTE(review): lossy conversion. The AND composition closed just above (observable aba09b7b-65c4-4410-ac18-91fd1070e408) references only items 2eb66a50-21ee-4861-84dd-1cdc2fc388d0 and fdaec485-9c85-49c2-b17e-99cb0b0db111, which the OpenIOC definition in the Test_Mechanism below defines as ServiceItem/name and ServiceItem/description. The OpenIOC Indicator with the same id additionally requires ServiceItem/serviceDLLSignatureVerified is false (item dedaccf6-93f8-4962-85b7-095d94b4f86d) and accepts ServiceItem/descriptiveName (item f777d267-a5c5-46a4-965c-8c4e761a54f1) as a third alternative. A match on this CybOX composition alone is therefore not equivalent to the OpenIOC rule: the unsigned service DLL condition is absent, so treat the OpenIOC definition as authoritative when the two differ. --> <cybox:Observable id="mandiant:observable-c9a94413-28f5-4da6-b3fb-fde02f1b9a1c"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-bbec8b8a-26ef-4d80-9eaf-bb1b75526c59"/> <cybox:Observable id="mandiant:observable-45c324f6-b997-4a16-b481-e085359b9130"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-6ec4f425-663e-48e5-92c8-e0b2a30c3c2b"/> <cybox:Observable idref="mandiant:observable-a176e91c-5b42-47d0-ac83-c799a07dad58"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable id="mandiant:observable-2bff7074-1aa9-4584-a6ec-1e6f6195e565"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-a96c8466-c539-480a-9261-e5a6a53e54fa"/> <cybox:Observable idref="mandiant:observable-3ff1c3a8-ec15-4c63-bad7-9a8b710c999f"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <!-- References WEBC2 TTP rather than main APT1 TTP --> <stixCommon:TTP idref="mandiant:ttp-0f01c5a3-f516-4450-9381-4dd9f2279411"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="fabdf553-b3ed-4bc9-9ac6-13d6bd174dad" last-modified="2013-02-10T13:00:00"> <short_description>WEBC2-YAHOO (FAMILY)</short_description> <description>The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. 
It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-YAHOO variant enters a loop where every ten minutes it attempts to download a web page that may contain an encoded URL. The encoded URL will be found in the pages returned inside an attribute named 'sb' or 'ex' within a tag named 'yahoo'. The embedded link can direct the malware to download and execute files.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="category">Downloader</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="family">WEBC2-YAHOO</link> </links> <definition> <Indicator operator="OR" id="3c18ada4-2f65-46e8-b5cc-80b9d47f4e5c"> <IndicatorItem id="6fcb85fd-f1cf-4b75-b1ec-cee9cff7a792" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">f7f85d7f628ce62d1d8f7b39d8940472</Content> </IndicatorItem> <IndicatorItem id="f185110e-4fbd-4782-98ff-5db97ca802ef" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">da52e6701c9eba92459c6be28efdba74</Content> </IndicatorItem> <IndicatorItem id="8c90a6f4-c13c-4cf6-a3ae-15c04a960b0d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9dab4da07ed669b44f409eb60f3b0e50</Content> </IndicatorItem> <IndicatorItem id="28cae9e0-e6ae-440d-a833-fce9fed91746" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0149b7bd7218aab4e257d28469fddb0d</Content> </IndicatorItem> <IndicatorItem id="52267a68-5ad0-4132-b3c6-c86a69842df5" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9d75897d9c0a5da7e95082ea5ae1f648</Content> </IndicatorItem> <IndicatorItem id="1706748c-acbc-4db3-b243-83f705616a57" condition="is"> <Context document="FileItem" 
search="FileItem/Md5sum" type="mir"/> <Content type="md5">496f04719a365f9718919002eff5748b</Content> </IndicatorItem> <IndicatorItem id="453c4b44-a1fa-44d5-8655-0bbbea9d8532" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c2a79bb15a31fd6584d9bf0891673d14</Content> </IndicatorItem> <IndicatorItem id="1eecde36-9399-4bd6-ba13-b414af30bc08" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">4e1a92036a577a87a6fa36168d192c4b</Content> </IndicatorItem> <IndicatorItem id="6fc7ea0c-b56e-4fca-8297-3af38ddf23af" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6e9bedcf80f21171adb951a0d85d2adb</Content> </IndicatorItem> <IndicatorItem id="25a88fc6-025c-47ce-b1c3-7eb475ed787f" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">efc2025431e7ec8f8784fe81389c77cf</Content> </IndicatorItem> <IndicatorItem id="5d38842f-2585-4c0f-a25d-551dc5cc77d8" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">37ddd3d72ead03c7518f5d47650c8572</Content> </IndicatorItem> <IndicatorItem id="84b40839-003e-4a6e-ad8e-1df258ea07b2" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">dff4d874b2bfc64a4d1805959c379074</Content> </IndicatorItem> <IndicatorItem id="7ddafb71-345c-4df5-85c3-9cb5087feba4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">70c10f8b4dcd01b07be6cfb4df0d3348</Content> </IndicatorItem> <IndicatorItem id="2c9f0b9d-0042-4c9d-b093-c8c239870fe3" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">cc3a9a7b026bfe0e55ff219fd6aa7d94</Content> </IndicatorItem> <IndicatorItem id="58649176-0ca4-4d1a-9e6a-1236dbc77ac7" condition="is"> <Context document="FileItem" 
search="FileItem/Md5sum" type="mir"/> <Content type="md5">aa4f1ecc4d25b33395196b5d51a06790</Content> </IndicatorItem> <IndicatorItem id="76a80ad2-29dd-47cb-b279-1f24cf7027ac" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">1415eb8519d13328091cc5c76a624e3d</Content> </IndicatorItem> <IndicatorItem id="bcfb0f4d-a535-4e09-bc70-3c4cec5c4357" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3d573866620eae070a220be89e113f69</Content> </IndicatorItem> <IndicatorItem id="ea217e94-0489-43c2-9460-792cf8fa7969" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2762fb36161086f7ef3f33232aa790dc</Content> </IndicatorItem> <IndicatorItem id="3c1a10a3-9c3d-4226-bb7e-28a796fac92a" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">57cbf78c226265cc1e61ad86779bf906</Content> </IndicatorItem> <IndicatorItem id="f14f51a2-bdde-4474-9c5d-1e91c4e9c739" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">20e2c8c7a98ddd4c16f6e878194c1e78</Content> </IndicatorItem> <IndicatorItem id="85608e62-7b42-47cb-be04-ee818a567f21" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">6040dd5b603483f738be6a02a63538f2</Content> </IndicatorItem> <IndicatorItem id="c71a44e2-805b-4e1e-b140-6ccfb1ba2752" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">abe6ab89f957f6edf8f41b5ad198e5e6</Content> </IndicatorItem> <IndicatorItem id="d08526ca-4936-477f-9670-c8bb4834c802" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3e3e6fe1a8c6ffc00a9c644997a4f7a1</Content> </IndicatorItem> <IndicatorItem id="6eb7f59e-c5aa-4fb0-b713-3ad934970c15" condition="is"> <Context document="FileItem" 
search="FileItem/Md5sum" type="mir"/> <Content type="md5">4c9c9dbf388a8d81d8cfb4d3fc05f8e4</Content> </IndicatorItem> <IndicatorItem id="4472370d-a4e0-4d5b-a9b4-7a2226c71656" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">7a670d13d4d014169c4080328b8feb86</Content> </IndicatorItem> <IndicatorItem id="22d4a359-6d97-4c87-9e86-79d7f2822d6b" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">36d5c8fc4b14559f73b6136d85b94198</Content> </IndicatorItem> <IndicatorItem id="9b54acc9-b2d4-42d8-bca6-229f2807d3ac" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e5237615fde0977c0ea3626fba609ab8</Content> </IndicatorItem> <IndicatorItem id="efc5573e-b345-4491-a476-e5e3df158047" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2b659d71ae168e774faaf38db30f4a84</Content> </IndicatorItem> <IndicatorItem id="ad80f7dd-1654-4c54-acfd-cf44fdba5874" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2272791cadf422ce02a117a3a857f84e</Content> </IndicatorItem> <IndicatorItem id="854fc56a-070c-4eef-b120-8b13b0430a46" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a354e3c566645100e757f3e43c9b007d</Content> </IndicatorItem> <IndicatorItem id="6cf40586-66b7-436c-9b78-1de376bda409" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">22aa55134d621672e93c6de928c8b122</Content> </IndicatorItem> <IndicatorItem id="7006d4db-b299-4253-89a0-ebd50503f989" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9d5aabcda9106132d1e1b6cf6cae28aa</Content> </IndicatorItem> <IndicatorItem id="399b4560-097d-4c5f-9dd4-eb56ccfc4a39" condition="is"> <Context document="FileItem" 
search="FileItem/Md5sum" type="mir"/> <Content type="md5">7f26403f8e59a5f2728af2d3e0efaabb</Content> </IndicatorItem> <IndicatorItem id="56f85a10-c969-4d69-8eb1-8f6265acf0a4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">70e2827ab4af1a38dc09a02fa95b82fe</Content> </IndicatorItem> <IndicatorItem id="22d0a76b-ca28-4108-ae4c-ba4c99441cde" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a8f259bb36e00d124963cfa9b86f502e</Content> </IndicatorItem> <IndicatorItem id="3babb67f-61cf-46f8-95be-9e9711bf049c" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">c9f77569aa98f71cc42644d66d9f371c</Content> </IndicatorItem> <IndicatorItem id="7586834c-89b6-4b4d-bea8-f424bccd1536" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">328c3ebb2fd2e170483e8d51ccc6c505</Content> </IndicatorItem> <IndicatorItem id="b76299cf-3094-4635-9f63-0f4e438ac6ca" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">3de60420845a582b0e44081b1138a7e4</Content> </IndicatorItem> <IndicatorItem id="4d639056-7dcb-4e3a-b57e-b12f530b3e35" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">2a4604fcae876dee445de5ad74fd7835</Content> </IndicatorItem> <IndicatorItem id="3678d8ef-ace4-456a-93dd-41bc7b51dc0e" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">86a906db5686bbf487689937d15bf71a</Content> </IndicatorItem> <IndicatorItem id="860f4933-1b3b-4017-a594-df1717a16173" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">13835f0d5aafbeda50560afc92c8b7b7</Content> </IndicatorItem> <IndicatorItem id="6fff1113-d530-4445-a1e4-30108cac885b" condition="is"> <Context document="FileItem" 
search="FileItem/Md5sum" type="mir"/> <Content type="md5">63db2f4fd717723f0e6f94e0a6a62c7b</Content> </IndicatorItem> <IndicatorItem id="4ceb5bc2-bcb9-4d58-af98-c62107b8e52d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ec82a53f44511ac09e916bde02cddef0</Content> </IndicatorItem> <IndicatorItem id="8eda7dde-6882-4040-a236-403f857478fa" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">0588ffa0a244a2c4431c5c4faac60b1f</Content> </IndicatorItem> <IndicatorItem id="1fbed0af-8e0d-43c3-8046-634a9b0b7973" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">a8b183fe32ad8d426e20227f3c8b7592</Content> </IndicatorItem> <IndicatorItem id="505d95fe-dab7-4184-b177-ed684e30f735" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">d751c7f7d2eab52c43ab31312e229307</Content> </IndicatorItem> <IndicatorItem id="703567b4-8492-4881-9ac0-406d820a1c02" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">39e28f48c138dc156d1436fd02222e45</Content> </IndicatorItem> <IndicatorItem id="b3cfa046-8468-4160-9ec6-fd50a6696fe9" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">ca68ccc887cfe5d2194f6a4d3101ae66</Content> </IndicatorItem> <IndicatorItem id="8368e0af-177d-4c10-acf8-1b112707b0ea" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">9ad292de00b2175a80b5909fa173cdcd</Content> </IndicatorItem> <IndicatorItem id="e8111648-69af-4631-850d-48a9ed04e830" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">b743f6af7e307221ba425d6023ebe42c</Content> </IndicatorItem> <IndicatorItem id="dbd562e7-1687-4d02-a4aa-18bbd8131073" condition="is"> <Context document="FileItem" 
search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileDescription" type="mir"/> <Content type="string">Adobe Acrobat Document</Content> </IndicatorItem> <IndicatorItem id="3ffe2f58-0162-42ca-bbb2-84c96f79a429" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/OriginalFilename" type="mir"/> <Content type="string"> TXT FILE</Content> </IndicatorItem> <IndicatorItem id="57b9e593-0bfb-4a89-b414-75aaa578d698" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductName" type="mir"/> <Content type="string">TXT FILE</Content> </IndicatorItem> <IndicatorItem id="56140567-5ddf-429e-9ad3-3c41355b9c4a" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileDescription" type="mir"/> <Content type="string">TXT FILE</Content> </IndicatorItem> <IndicatorItem id="7a74e6c8-7375-48c0-949f-95572a78be54" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/OriginalFilename" type="mir"/> <Content type="string">ZRMM2011.exe</Content> </IndicatorItem> <IndicatorItem id="940b86bf-1668-46f7-830d-4be71196add5" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductName" type="mir"/> <Content type="string">sbt ZRMM2011</Content> </IndicatorItem> <IndicatorItem id="37e017df-49b2-47e1-9825-85bdf573b9ef" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileDescription" type="mir"/> <Content type="string">ZRMM2011</Content> </IndicatorItem> <IndicatorItem id="7eacea1c-283f-4ce8-9b05-e52a41760159" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/InternalName" type="mir"/> <Content type="string">ZRMM2011</Content> </IndicatorItem> <IndicatorItem id="d52ca222-ddd8-4818-babd-469136767128" condition="is"> <Context document="FileItem" 
search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/CompanyName" type="mir"/> <Content type="string">sbt</Content> </IndicatorItem> <IndicatorItem id="2f199249-08c0-4d0c-a48d-92c8f764ad46" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">\Windows\inetinfo.exe</Content> </IndicatorItem> <IndicatorItem id="ed6711b3-8778-4084-9a2b-931ae5e7babb" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">\Windows\fxsst.dll</Content> </IndicatorItem> <IndicatorItem id="17e77965-cbcb-4c7b-97a9-6c361bc294a6" condition="contains"> <Context document="FileItem" search="FileItem/FullPath" type="mir"/> <Content type="string">\Windows\wscntfy.exe</Content> </IndicatorItem> <IndicatorItem id="4e0b8b31-0f57-4a23-ae2f-b54a7d04c022" condition="contains"> <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/> <Content type="string">LETUSHAVEAGOODTIME</Content> </IndicatorItem> <IndicatorItem id="192cc28d-7608-44c0-ab78-ed5b5d718c0f" condition="contains"> <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/> <Content type="string">HAHAHAHAHAHAH</Content> </IndicatorItem> <Indicator operator="AND" id="aa27ca5e-3745-46b3-9ce9-eb8ef327ea62"> <Indicator operator="OR" id="91a7f815-ecc2-480d-b4cf-5a00d4669a58"> <IndicatorItem id="d600f291-d6b9-417b-be7f-bb65f374094d" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">iexplore.exe</Content> </IndicatorItem> <IndicatorItem id="fc91876c-c18d-4711-bcef-c828f18c9356" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">svchost.exe</Content> </IndicatorItem> <IndicatorItem id="5db34463-cd8e-4783-acb3-92783eaadd23" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">mswab.exe</Content> 
</IndicatorItem> <IndicatorItem id="30508b35-dadd-46fe-9701-f6dbdba2bef8" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">1.jpeg</Content> </IndicatorItem> <IndicatorItem id="1428e3b4-01d2-4756-99db-2b33f57e5c50" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">buildout.exe</Content> </IndicatorItem> <IndicatorItem id="b96748f1-ef0f-43cf-9811-018493c1f1f8" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">reader_sl.exe</Content> </IndicatorItem> <IndicatorItem id="5eec859d-42d7-4a84-bff1-1d09c8e9835e" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">WINWORD.EXE</Content> </IndicatorItem> <IndicatorItem id="6470699e-2fc6-46bb-80a1-dc579302ec36" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">press_releases_doc.doc.exe</Content> </IndicatorItem> <IndicatorItem id="7ecb7460-915c-4c47-b33b-9e5a22a2784c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">contains_eof_data</Content> <Comment>PE Header Anomaly identified in 6% samples.</Comment> </IndicatorItem> <IndicatorItem id="b69fe666-d750-4162-ad59-05a575ddb028" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> </Indicator> <Indicator operator="OR" id="045e2c19-5825-4268-bcf3-0bda24e0d4df"> <IndicatorItem id="a016ff4b-41f8-4fb9-85fe-2f322de4f84f" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">1220608</Content> </IndicatorItem> <IndicatorItem id="e4bc1c3d-5031-4dea-a1d8-f6a8180852ab" condition="is"> 
<Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">14336</Content> </IndicatorItem> <IndicatorItem id="7a68303d-0c6e-4604-a48d-b74478e26051" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">14848</Content> </IndicatorItem> <IndicatorItem id="1ec89d4c-13f3-4c8d-9c8c-487b9f4434f3" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">15360</Content> </IndicatorItem> <IndicatorItem id="ea54de4e-3935-4f99-8a4f-d46cead8a42e" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">15872</Content> </IndicatorItem> <IndicatorItem id="3c7fe9c0-b08c-4921-95d3-8fbdb72e0937" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">16896</Content> </IndicatorItem> <IndicatorItem id="881afe9e-dbe5-4af0-9018-7f6c9ec69ea3" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">17408</Content> </IndicatorItem> <IndicatorItem id="1b7920f1-5aef-4124-ac18-769e855f03aa" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">17409</Content> </IndicatorItem> <IndicatorItem id="938c08b4-480f-4868-bdc9-1073ab0039e3" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">2886656</Content> </IndicatorItem> <IndicatorItem id="070ba35f-e9ff-4884-b7a7-b34e53604cc4" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">40448</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="debb5a9b-6d08-49f8-b799-2c0bdba2e771"> <IndicatorItem id="09b8919f-7d83-4df5-bec0-c55ef595e5e4" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-08-27T01:55:04Z</Content> 
</IndicatorItem> <IndicatorItem id="f050d4d3-c778-4ecc-aebd-81df5953a4c2" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-09-28T08:09:41Z</Content> </IndicatorItem> <IndicatorItem id="d88cae4b-1734-4abb-9aa8-5916bfd5ac38" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-05-30T01:30:24Z</Content> </IndicatorItem> <IndicatorItem id="d513f4f2-3f6b-4978-965a-df25d7161a3c" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-05-30T03:27:33Z</Content> </IndicatorItem> <IndicatorItem id="962c1701-32e1-47f2-a67c-6868c743bfac" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-05-30T08:29:29Z</Content> </IndicatorItem> <IndicatorItem id="4eab86a7-135f-473a-ac63-1a38e2059556" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-07-01T08:23:45Z</Content> </IndicatorItem> <IndicatorItem id="51f6df5f-f37b-4e9a-84e8-6de48e817ba0" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-07-29T07:10:31Z</Content> </IndicatorItem> <IndicatorItem id="37d15923-831f-4a70-b8d1-7966f07d31bd" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-08-09T07:30:17Z</Content> </IndicatorItem> <IndicatorItem id="a082d17d-99f9-41d3-95af-7cae719f1cfa" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-08-09T08:15:29Z</Content> </IndicatorItem> <IndicatorItem id="269a67b1-be1e-4564-b556-986b99da15a1" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-08-09T08:18:19Z</Content> 
</IndicatorItem> <IndicatorItem id="98b74df6-b79f-4516-a532-0eb9b8b26beb" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-08-11T13:15:49Z</Content> </IndicatorItem> <IndicatorItem id="90b7970a-9f9c-4be2-8335-94a1a44fa515" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-08-15T09:26:15Z</Content> </IndicatorItem> <IndicatorItem id="1d5a0302-e8b1-405a-90a0-bebaa78b7fbf" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-08-19T03:07:37Z</Content> </IndicatorItem> <IndicatorItem id="a42f67d5-b2f5-4225-8a67-38bfba70d472" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-09-16T08:46:55Z</Content> </IndicatorItem> <IndicatorItem id="322dcf62-fb83-434a-969c-6a1e83b1e709" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2011-12-12T13:34:30Z</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="aba09b7b-65c4-4410-ac18-91fd1070e408"> <IndicatorItem id="dedaccf6-93f8-4962-85b7-095d94b4f86d" condition="is"> <Context document="ServiceItem" search="ServiceItem/serviceDLLSignatureVerified" type="mir"/> <Content type="string">false</Content> </IndicatorItem> <Indicator operator="OR" id="544d4d1f-9116-41d2-b359-b43aeb201d32"> <IndicatorItem id="2eb66a50-21ee-4861-84dd-1cdc2fc388d0" condition="is"> <Context document="ServiceItem" search="ServiceItem/name" type="mir"/> <Content type="string">.Net CLR</Content> </IndicatorItem> <IndicatorItem id="f777d267-a5c5-46a4-965c-8c4e761a54f1" condition="is"> <Context document="ServiceItem" search="ServiceItem/descriptiveName" type="mir"/> <Content type="string">Microsoft .Net Framework COM+ Support</Content> </IndicatorItem> <IndicatorItem 
id="fdaec485-9c85-49c2-b17e-99cb0b0db111" condition="is"> <Context document="ServiceItem" search="ServiceItem/description" type="mir"/> <Content type="string">Microsoft .NET and Windows XP COM+ Integration with SOAP</Content> </IndicatorItem> </Indicator> </Indicator> <Indicator operator="AND" id="c9a94413-28f5-4da6-b3fb-fde02f1b9a1c"> <IndicatorItem id="bbec8b8a-26ef-4d80-9eaf-bb1b75526c59" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/> <Content type="string">CurrentVersion\Run\</Content> </IndicatorItem> <Indicator operator="OR" id="45c324f6-b997-4a16-b481-e085359b9130"> <IndicatorItem id="6ec4f425-663e-48e5-92c8-e0b2a30c3c2b" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">Users\</Content> </IndicatorItem> <IndicatorItem id="a176e91c-5b42-47d0-ac83-c799a07dad58" condition="contains"> <Context document="RegistryItem" search="RegistryItem/Text" type="mir"/> <Content type="string">Documents and Settings\</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="2bff7074-1aa9-4584-a6ec-1e6f6195e565"> <IndicatorItem id="a96c8466-c539-480a-9261-e5a6a53e54fa" condition="is"> <Context document="RegistryItem" search="RegistryItem/ValueName" type="mir"/> <Content type="string">SysTray</Content> </IndicatorItem> <IndicatorItem id="3ff1c3a8-ec15-4c63-bad7-9a8b710c999f" condition="is"> <Context document="RegistryItem" search="RegistryItem/ValueName" type="mir"/> <Content type="string">systemupdate</Content> </IndicatorItem> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> <stix:Indicator xsi:type="indicator:IndicatorType" timestamp="2015-05-15T09:00:00.000000Z" id="mandiant:indicator-0302df0c-a056-48e2-99d2-7bfd23931cb6"> <indicator:Title>LIGHTDART (FAMILY)</indicator:Title> <indicator:Type vocab_name="Mandiant">Utility</indicator:Type> 
<indicator:Description> LIGHTDART is a tool used to access a pre-configured web page that hosts an interface to query a database or data set. The tool then downloads the results of a query against that web page to an encrypted RAR file. This RAR file (1.rar) is renamed and uploaded to an attacker controlled FTP server, or uploaded via an HTTP POST with a .jpg extension. The malware will execute this search once a day. The target webpage usually contains information useful to the attacker, which is updated on a regular basis. Examples of targeted information include weather information or ship coordinates. </indicator:Description> <indicator:Observable> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-b293ed0a-4d58-448e-8909-443bf9851bd4"/> <cybox:Observable idref="mandiant:observable-7a376a4f-ba1a-4087-a67a-932e0b067a40"/> <cybox:Observable idref="mandiant:observable-5ee901c4-9dc4-48af-ad16-11bbe10bac4d"/> <cybox:Observable idref="mandiant:observable-3d62bb44-8b90-4f90-8e32-899b4723053e"/> <cybox:Observable idref="mandiant:observable-0b520328-7c5f-4e5d-b126-7e96b673e522"/> <cybox:Observable idref="mandiant:observable-e6c21b58-a913-48b4-91cf-a0c04288c982"/> <cybox:Observable idref="mandiant:observable-8488c736-347a-4368-b17b-941b580ae3b3"/> <cybox:Observable idref="mandiant:observable-179cdf6b-64fd-4788-93ee-b0d6daf8d303"/> <cybox:Observable id="mandiant:observable-e946b1ba-5f4d-4b7d-a3d4-3e6535e1e92e"> <cybox:Observable_Composition operator="AND"> <cybox:Observable idref="mandiant:observable-71855453-31f3-493c-91a6-32fc88038fab"/> <cybox:Observable id="mandiant:observable-dcb57a76-3b7b-4844-8281-8595959b5986"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-f703be9f-71fc-4689-85ee-7b201a4a584d"/> <cybox:Observable idref="mandiant:observable-3d46f96b-eb2b-46d4-a839-c27f88cda084"/> </cybox:Observable_Composition> </cybox:Observable> <cybox:Observable 
id="mandiant:observable-2dd4ae56-a7ae-4bfc-8860-e95a08881150"> <cybox:Observable_Composition operator="OR"> <cybox:Observable idref="mandiant:observable-a549eb6c-10b1-4e86-acaf-3b8fca66e5da"/> <cybox:Observable idref="mandiant:observable-e07c1595-5f31-4f6f-9783-57382acf1aa4"/> <cybox:Observable idref="mandiant:observable-11940b1b-7c1b-494e-a779-dd7e3b4389d1"/> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </cybox:Observable> </cybox:Observable_Composition> </indicator:Observable> <indicator:Indicated_TTP> <stixCommon:TTP idref="mandiant:ttp-c63f31ac-871b-4846-aa25-de1926f4f3c8"/> </indicator:Indicated_TTP> <!--
  OpenIOC 2010 test mechanism for the LIGHTDART indicator.
  Each IndicatorItem id in the definition below reappears in the CybOX
  Observable_Composition of this indicator as an idref carrying the prefix
  "mandiant:observable-", and the nested Indicator ids e946b1ba (AND),
  dcb57a76 (OR) and 2dd4ae56 (OR) reappear there as composition ids with the
  same operators. The outer Indicator id 0302df0c has no counterpart among
  the visible observable ids.
--><indicator:Test_Mechanisms> <indicator:Test_Mechanism xsi:type="openiocTM:OpenIOC2010TestMechanismType"> <openiocTM:ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="fdfb2c22-d0c4-4bf0-8ea4-27d8d51f98ea" last-modified="2013-02-10T13:00:00"> <short_description>LIGHTDART (FAMILY)</short_description> <description>LIGHTDART is a tool used to access a pre-configured web page that hosts an interface to query a database or data set. The tool then downloads the results of a query against that web page to an encrypted RAR file. This RAR file (1.rar) is renamed and uploaded to an attacker controlled FTP server, or uploaded via an HTTP POST with a .jpg extension. The malware will execute this search once a day. The target webpage usually contains information useful to the attacker, which is updated on a regular basis. 
Examples of targeted information include weather information or ship coordinates.</description> <authored_by>Mandiant</authored_by> <authored_date>2013-02-10T06:11:53</authored_date> <links> <link rel="category">Utility</link> <link rel="threatgroup">APT</link> <link rel="family">APT1</link> <link rel="family">LIGHTDART</link> </links> <definition> <!--
  Top-level OR: a match on any single child satisfies the whole definition.
  The children are three exact MD5 values, five exact file names, and one
  nested AND group.
  The MD5 terms match only files whose FileItem/Md5sum equals one of the
  listed values.
  The file-name terms compare FileItem/FileName alone (condition "is", with
  no path, size or hash attached). Short names such as 1.rar or ret.log may
  also exist on hosts that were never affected, so a name-only hit is best
  treated as a lead to corroborate with one of the hashes or with the AND
  group, not as a confirmed detection.
--><Indicator operator="OR" id="0302df0c-a056-48e2-99d2-7bfd23931cb6"> <IndicatorItem id="b293ed0a-4d58-448e-8909-443bf9851bd4" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">77afced93e20b1bb906796197fa1dd1d</Content> </IndicatorItem> <IndicatorItem id="7a376a4f-ba1a-4087-a67a-932e0b067a40" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">46acae84a04e41730d0502d9080bbb4a</Content> </IndicatorItem> <IndicatorItem id="5ee901c4-9dc4-48af-ad16-11bbe10bac4d" condition="is"> <Context document="FileItem" search="FileItem/Md5sum" type="mir"/> <Content type="md5">e7f728e3bce0e59c3ba973545a3b3a92</Content> </IndicatorItem> <IndicatorItem id="3d62bb44-8b90-4f90-8e32-899b4723053e" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">1.rar</Content> </IndicatorItem> <IndicatorItem id="0b520328-7c5f-4e5d-b126-7e96b673e522" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">ret.log</Content> </IndicatorItem> <IndicatorItem id="e6c21b58-a913-48b4-91cf-a0c04288c982" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">qy.htm</Content> </IndicatorItem> <IndicatorItem id="8488c736-347a-4368-b17b-941b580ae3b3" condition="is"> <Context document="FileItem" search="FileItem/FileName" type="mir"/> <Content type="string">shsat.exe</Content> </IndicatorItem> <IndicatorItem id="179cdf6b-64fd-4788-93ee-b0d6daf8d303" condition="is"> <Context document="FileItem" 
search="FileItem/FileName" type="mir"/> <Content type="string">imxgy.exe</Content> </IndicatorItem> <!--
  Nested AND group: all three parts must match. They are the
  checksum_is_zero entry under PEInfo/DetectedAnomalies, a SizeInBytes of
  28672 or 29184, and one of three PETimeStamp values (the first is
  commented as the compile time for imxgy.exe).
  This is the only branch of the definition that combines several file
  properties instead of relying on a single value.
  NOTE(review): size and PE header fields describe the specific builds
  listed here; a differently built sample would presumably fall outside
  this group, so confirm coverage before relying on it alone.
--><Indicator operator="AND" id="e946b1ba-5f4d-4b7d-a3d4-3e6535e1e92e"> <IndicatorItem id="71855453-31f3-493c-91a6-32fc88038fab" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir"/> <Content type="string">checksum_is_zero</Content> <Comment>PE Header Anomaly identified in 100% samples.</Comment> </IndicatorItem> <Indicator operator="OR" id="dcb57a76-3b7b-4844-8281-8595959b5986"> <IndicatorItem id="f703be9f-71fc-4689-85ee-7b201a4a584d" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">28672</Content> </IndicatorItem> <IndicatorItem id="3d46f96b-eb2b-46d4-a839-c27f88cda084" condition="is"> <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/> <Content type="int">29184</Content> </IndicatorItem> </Indicator> <Indicator operator="OR" id="2dd4ae56-a7ae-4bfc-8860-e95a08881150"> <IndicatorItem id="a549eb6c-10b1-4e86-acaf-3b8fca66e5da" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-08-16T00:20:13Z</Content> <Comment>Compile time for imxgy.exe</Comment> </IndicatorItem> <IndicatorItem id="e07c1595-5f31-4f6f-9783-57382acf1aa4" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-09-06T02:40:00Z</Content> </IndicatorItem> <IndicatorItem id="11940b1b-7c1b-494e-a779-dd7e3b4389d1" condition="is"> <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/> <Content type="date">2010-11-15T00:54:34Z</Content> </IndicatorItem> </Indicator> </Indicator> </Indicator> </definition> </openiocTM:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator> </stix:Indicators> <stix:Reports> <stix:Report timestamp="2015-05-15T09:00:00.000000Z" 
id="mandiant:Report-190593d6-1861-4cfe-b212-c016fce1e248" xsi:type="report:ReportType"> <report:Header> <report:Title>APT1 Report - Appendix G (IOCs) - Observables and OpenIOC</report:Title> <report:Intent xsi:type="stixVocabs:ReportIntentVocab-1.0">Indicators</report:Intent> <report:Description>This report contains the IOCs referenced in Appendix G of the APT1 report.</report:Description> </report:Header> <report:Observables cybox_major_version="2" cybox_minor_version="1"> <cybox:Observable idref="mandiant:observable-b7013416-7e77-4078-a0bd-a33b49c7cb2f"/> <cybox:Observable idref="mandiant:observable-749eea4e-2812-4b4d-bba9-4292bedc05a2"/> <cybox:Observable idref="mandiant:observable-2d244ba9-73e0-4270-96aa-64f1c8935d27"/> <cybox:Observable idref="mandiant:observable-41207254-a9d7-4b95-9080-a4d8905d2fd5"/> <cybox:Observable idref="mandiant:observable-df3e85c7-82a9-4032-b860-03c5e891d3b0"/> <cybox:Observable idref="mandiant:observable-da666dfb-6d51-4374-b0b0-3a896d06f3dc"/> <cybox:Observable idref="mandiant:observable-94ab92ad-b5e9-4ebe-bd9f-125b97511e7a"/> <cybox:Observable idref="mandiant:observable-7ff03fbe-0077-44dc-b1a3-fa9771b3302a"/> <cybox:Observable idref="mandiant:observable-266e75ec-5639-4d5d-b094-c59173a61b13"/> <cybox:Observable idref="mandiant:observable-30d852eb-43c9-4ab4-b602-ae7fd7636216"/> <cybox:Observable idref="mandiant:observable-995a7833-1780-4b17-b5fa-944f6d8f51b1"/> <cybox:Observable idref="mandiant:observable-af887012-42d2-4a98-9c91-91fa99f5986a"/> <cybox:Observable idref="mandiant:observable-fccec804-ae93-4ea1-9cc6-8795523b7ec6"/> <cybox:Observable idref="mandiant:observable-cbf27d57-cf18-40b5-a706-8501083e46ae"/> <cybox:Observable idref="mandiant:observable-3cfaf45b-31a1-4f1e-a690-09f132e5c612"/> <cybox:Observable idref="mandiant:observable-c39b79ba-460e-4619-bf49-73a4a81e256d"/> <cybox:Observable idref="mandiant:observable-300bc2bd-1cdc-4c94-90e0-54bba1f9bbae"/> <cybox:Observable 
idref="mandiant:observable-e1ec420f-4c61-480d-99ef-dca3254fb0a2"/> <cybox:Observable idref="mandiant:observable-20ac1c71-1cd4-4e0b-8001-80fc3e3fac96"/> <cybox:Observable idref="mandiant:observable-1e9eb511-73b2-485f-9b1b-991bc4313913"/> <cybox:Observable idref="mandiant:observable-772dc61f-ba08-498e-b2de-a2b98f5b08c5"/> <cybox:Observable idref="mandiant:observable-c8991eaa-9d25-4658-8d95-dd02938d5b90"/> <cybox:Observable idref="mandiant:observable-4508d1fa-2def-4e7b-aef0-2335da307d42"/> <cybox:Observable idref="mandiant:observable-d781ac40-1769-4f52-b3c5-bf744801c2ff"/> <cybox:Observable idref="mandiant:observable-3349f01e-f085-410f-a055-dbcf0d4d62ec"/> <cybox:Observable idref="mandiant:observable-a51dbcf4-a440-4957-8dfb-ab407283f7bf"/> <cybox:Observable idref="mandiant:observable-e7dc9205-07d0-4007-980b-5aadb24c9c9c"/> <cybox:Observable idref="mandiant:observable-be3334f5-8e3f-41d2-b240-d454b901915b"/> <cybox:Observable idref="mandiant:observable-f5c39a66-9c50-4f6e-824f-087289bce12e"/> <cybox:Observable idref="mandiant:observable-c7102c3d-c443-41f6-8613-32a8d0971c84"/> <cybox:Observable idref="mandiant:observable-26a44cdc-4243-4e9c-ace8-5377aec75419"/> <cybox:Observable idref="mandiant:observable-decf5fd1-bb0a-4520-aa86-775963a75eb3"/> <cybox:Observable idref="mandiant:observable-a3199552-d951-4538-8438-a0b1dfac9924"/> <cybox:Observable idref="mandiant:observable-33314588-1d58-4e2e-8125-d19bbdad8a23"/> <cybox:Observable idref="mandiant:observable-2fd9d81c-477d-488f-b431-80547d6d9837"/> <cybox:Observable idref="mandiant:observable-473e0cbd-617c-49a8-9703-f25760a24d4b"/> <cybox:Observable idref="mandiant:observable-613cdf6d-f9ad-49d6-a945-657873891371"/> <cybox:Observable idref="mandiant:observable-1158e81e-fd49-4a75-9f74-fcd2a96dc841"/> <cybox:Observable idref="mandiant:observable-64c5cd50-f681-41ee-a85e-1395938d2f4f"/> <cybox:Observable idref="mandiant:observable-6641cfcb-3e4b-4466-aec8-0bd4422748e3"/> <cybox:Observable 
idref="mandiant:observable-538aa92b-e73d-497f-8fe5-b5b60897782f"/> <cybox:Observable idref="mandiant:observable-64d2746e-a20b-4fae-af67-06e8221ea112"/> <cybox:Observable idref="mandiant:observable-77f946d9-bd9f-49aa-bd2b-9891b55b6adb"/> <cybox:Observable idref="mandiant:observable-2ec17dff-0a4b-4404-bfb9-5513d655a047"/> <cybox:Observable idref="mandiant:observable-9a7022fc-e399-4a93-91dd-9714edabc42f"/> <cybox:Observable idref="mandiant:observable-dae02941-49da-4a9f-b1a6-217aa976d3b4"/> <cybox:Observable idref="mandiant:observable-5bd1bbcc-1397-4088-808e-7fee1ed4554d"/> <cybox:Observable idref="mandiant:observable-a8a846b7-9862-4fb2-ae26-0092fd74545f"/> <cybox:Observable idref="mandiant:observable-34c94390-75ac-4859-9caf-bf021e9ed0ce"/> <cybox:Observable idref="mandiant:observable-bb05e832-320d-484c-984e-7c9004b71ab1"/> <cybox:Observable idref="mandiant:observable-23166621-b363-4d13-8d2a-36848bbf62ef"/> <cybox:Observable idref="mandiant:observable-18f011f0-f745-4a17-9489-4b313b78430c"/> <cybox:Observable idref="mandiant:observable-32d9d3e3-247a-4814-871c-a2babb11470d"/> <cybox:Observable idref="mandiant:observable-275c7cf8-3fec-4250-8321-44beaf6fd69a"/> <cybox:Observable idref="mandiant:observable-0f2e40fe-a821-4e2d-84a5-4b76a184012e"/> <cybox:Observable idref="mandiant:observable-06c9e45a-f169-42a1-9b13-897af75de113"/> <cybox:Observable idref="mandiant:observable-8d300eb0-cb97-4330-93dc-843a8cc7e2aa"/> <cybox:Observable idref="mandiant:observable-aef94cef-dc4e-4b2a-8225-9d95136bc755"/> <cybox:Observable idref="mandiant:observable-5023dbc8-9694-4991-82f6-45fe4d5540ca"/> <cybox:Observable idref="mandiant:observable-f0444f6b-c0d5-4260-b3a3-c9c68e4af739"/> <cybox:Observable idref="mandiant:observable-d525d2c9-f65c-4758-9f9e-af6b0d579663"/> <cybox:Observable idref="mandiant:observable-2ac47a09-7e4b-4ac4-bb5c-7d52464884d7"/> <cybox:Observable idref="mandiant:observable-cac4805b-02ec-4cb2-b858-3b27d38cb682"/> <cybox:Observable 
idref="mandiant:observable-28a1d405-9c3f-4d9f-aa23-6de71d4bc41e"/> <cybox:Observable idref="mandiant:observable-6197cea2-6385-465b-9fcd-78bebdc39af2"/> <cybox:Observable idref="mandiant:observable-47d34f53-7514-4df6-b7c4-2e668fe5e25b"/> <cybox:Observable idref="mandiant:observable-8998f977-7229-4133-93fa-199947f79e15"/> <cybox:Observable idref="mandiant:observable-b27d81e7-e6f1-46ad-b4ec-ecca558965b8"/> <cybox:Observable idref="mandiant:observable-70082008-096d-40ca-8c83-e14beffe88f5"/> <cybox:Observable idref="mandiant:observable-50006157-6205-472e-afd6-9efebcd100ad"/> <cybox:Observable idref="mandiant:observable-4477fab7-4163-4af1-ad10-3fc91bd3b4c2"/> <cybox:Observable idref="mandiant:observable-38b1e400-a382-465d-96dc-1dfab9c6b6b1"/> <cybox:Observable idref="mandiant:observable-3a96f94b-5379-4a81-b5f9-fa09afcc08a1"/> <cybox:Observable idref="mandiant:observable-7a940ca1-edde-4409-b21a-ce7fb46b077e"/> <cybox:Observable idref="mandiant:observable-9e80350c-058f-461b-9064-61af37e28f8c"/> <cybox:Observable idref="mandiant:observable-96232b18-df03-4e8b-86ea-204500bb30ca"/> <cybox:Observable idref="mandiant:observable-3baabbac-2dce-450c-9330-321c727d4fce"/> <cybox:Observable idref="mandiant:observable-516da75b-a9ce-40dc-8d9c-f45672885599"/> <cybox:Observable idref="mandiant:observable-afd2f86b-3c67-4203-aa53-06f3e7387abf"/> <cybox:Observable idref="mandiant:observable-c6fcda16-4d86-41f5-86a2-2e4ad40641f5"/> <cybox:Observable idref="mandiant:observable-30cdb260-0f62-4ded-9ba2-19e9c518c9d5"/> <cybox:Observable idref="mandiant:observable-481c3313-50c7-4159-9b24-e3d0078d0cc1"/> <cybox:Observable idref="mandiant:observable-c0effb84-c3e6-47f6-a3da-08f5491c42de"/> <cybox:Observable idref="mandiant:observable-7a0f19f5-055f-4d1a-94a0-61659717d4c4"/> <cybox:Observable idref="mandiant:observable-57ae3129-905d-4e92-b377-b96bd539ae84"/> <cybox:Observable idref="mandiant:observable-2a3b7d04-9696-444c-b1ac-c2661327b87f"/> <cybox:Observable 
idref="mandiant:observable-8ab89f41-c82d-49d3-a4bd-97c01be38ff4"/> <cybox:Observable idref="mandiant:observable-b269a41a-09b6-4e11-b395-3a84a69ab486"/> <cybox:Observable idref="mandiant:observable-58f6187b-36c7-452f-82c5-dd649f81aab9"/> <cybox:Observable idref="mandiant:observable-bb9dd9d0-794e-47aa-9922-d287db0eda13"/> <cybox:Observable idref="mandiant:observable-9c91f63b-3221-42dc-b68f-a8a9637526c0"/> <cybox:Observable idref="mandiant:observable-8555081f-f434-44c9-8704-682ffb833118"/> <cybox:Observable idref="mandiant:observable-9e9b3fc8-dca1-4b8d-97b8-2f934db54bfc"/> <cybox:Observable idref="mandiant:observable-86127e61-8b13-43b4-be1a-55cdcb39ec21"/> <cybox:Observable idref="mandiant:observable-5b4e926d-04c3-42f5-aecf-b999c6c05848"/> <cybox:Observable idref="mandiant:observable-48c6cd00-0079-4c5b-a110-1365bf086141"/> <cybox:Observable idref="mandiant:observable-ecd8afec-bd5a-4450-9629-5461f89ddd4d"/> <cybox:Observable idref="mandiant:observable-2e081c5e-ade1-418e-b529-abca2aabe25a"/> <cybox:Observable idref="mandiant:observable-e4cc9324-dfe2-47a6-b7bc-20ca16fa2ee6"/> <cybox:Observable idref="mandiant:observable-30c32ef6-bc23-46d8-82a2-726a4ea928d1"/> <cybox:Observable idref="mandiant:observable-f9d1ec1d-866a-4784-8c86-99fffe93185a"/> <cybox:Observable idref="mandiant:observable-d55f6ff6-48ad-4328-b663-dc2c6da7641f"/> <cybox:Observable idref="mandiant:observable-79268e88-068f-4cdd-9ff6-c082e547ec53"/> <cybox:Observable idref="mandiant:observable-9afbad71-cb40-4d0c-b6ae-46cadb3db781"/> <cybox:Observable idref="mandiant:observable-2588b066-a161-44d4-902b-62ef027e37bd"/> <cybox:Observable idref="mandiant:observable-cf4f20e4-6bb5-4a81-ad07-7de57b0d4180"/> <cybox:Observable idref="mandiant:observable-0a1e6213-3002-4ec0-a4e6-d6b429d3b69b"/> <cybox:Observable idref="mandiant:observable-3b9b8c92-5f09-4e1b-afe7-df0294ba9686"/> <cybox:Observable idref="mandiant:observable-dc7e7a14-05fc-41f5-9675-b6c6eb1552d2"/> <cybox:Observable 
idref="mandiant:observable-f4c09e1d-7087-47c6-90a1-eceae9d82ad2"/> <cybox:Observable idref="mandiant:observable-b213c45c-ffd2-4475-a260-5e4438bb7d07"/> <cybox:Observable idref="mandiant:observable-e17f6723-f44f-42ce-9463-12675262ab9e"/> <cybox:Observable idref="mandiant:observable-c96f2ec0-0741-4309-b7a0-d3c402b9b28f"/> <cybox:Observable idref="mandiant:observable-04fbd074-b06b-4f5b-9437-d6f0b0f3b230"/> <cybox:Observable idref="mandiant:observable-7ed3aec7-4da9-4abd-af8f-614d0053aa9c"/> <cybox:Observable idref="mandiant:observable-0713088c-194b-4cc1-a491-ed154bf82d92"/> <cybox:Observable idref="mandiant:observable-fac0b607-932f-404a-96e0-69b19a1f6399"/> <cybox:Observable idref="mandiant:observable-4d9d2497-c5ae-45d0-bb53-f6bd171de802"/> <cybox:Observable idref="mandiant:observable-6a0fec6b-6e86-4d0e-a7b4-74d5fa99fdd6"/> <cybox:Observable idref="mandiant:observable-eb90e9a9-70ab-44b3-b34f-5140172354c4"/> <cybox:Observable idref="mandiant:observable-6bdbb07f-5f6e-4806-b78c-b3d73f92b911"/> <cybox:Observable idref="mandiant:observable-f182b0d0-f9d4-421c-bde7-e0427f0beea3"/> <cybox:Observable idref="mandiant:observable-33fb6f35-7e9e-4453-9f16-dc4371893d1d"/> <cybox:Observable idref="mandiant:observable-446de80d-55b4-43f7-a123-e1db1058bc9c"/> <cybox:Observable idref="mandiant:observable-dc38792a-69ad-44bf-89c0-f45452609235"/> <cybox:Observable idref="mandiant:observable-ad1165f3-4a6e-4d70-bdd3-d09b263abd22"/> <cybox:Observable idref="mandiant:observable-088967e0-f8cc-47a8-b8a1-d597581ba44a"/> <cybox:Observable idref="mandiant:observable-2f58f03c-388f-431e-8205-d1f06d859caa"/> <cybox:Observable idref="mandiant:observable-b04ad4fe-6bbc-4f51-924b-cc770f52f2cc"/> <cybox:Observable idref="mandiant:observable-b3dd9dac-18f4-4cf2-9766-0fc8341604ba"/> <cybox:Observable idref="mandiant:observable-6730ced8-9060-44cb-8b72-7036cf5e3ad8"/> <cybox:Observable idref="mandiant:observable-deee105c-12d9-4cca-8bc6-7b681753f050"/> <cybox:Observable 
idref="mandiant:observable-d4a19b79-a3a6-4e67-907c-4fea87ae4f2f"/> <cybox:Observable idref="mandiant:observable-c8825928-db80-47ac-9755-e3c05acbb2fc"/> <cybox:Observable idref="mandiant:observable-313b9bab-caf4-48b2-9dcd-b9b018f2ca5c"/> <cybox:Observable idref="mandiant:observable-262cfae5-c684-40bf-b777-5cd4799dcfc9"/> <cybox:Observable idref="mandiant:observable-dfecc66f-e6d8-49ce-b21a-b0fa6f917008"/> <cybox:Observable idref="mandiant:observable-94f66886-459b-430d-90de-7f0a8a81c257"/> <cybox:Observable idref="mandiant:observable-aca8aa51-a223-40ab-8329-f1845a846ca0"/> <cybox:Observable idref="mandiant:observable-886415c2-623d-40bb-b324-b880fb4d1dab"/> <cybox:Observable idref="mandiant:observable-f783f0ee-82e9-4752-b392-efbd3120ad98"/> <cybox:Observable idref="mandiant:observable-db07a6d3-0cbb-4dca-a49a-83b598215c01"/> <cybox:Observable idref="mandiant:observable-94926b82-e2d1-4af9-a4d0-dd56283a2d53"/> <cybox:Observable idref="mandiant:observable-a828169a-b40a-42bc-8be0-7a73461ea47f"/> <cybox:Observable idref="mandiant:observable-a340c536-131a-4b82-9c17-ab9256120b7a"/> <cybox:Observable idref="mandiant:observable-52ff7f5b-b18d-46c7-beec-e4ff4ca1b40b"/> <cybox:Observable idref="mandiant:observable-01ff1530-4688-471a-984d-58e9fcefb82a"/> <cybox:Observable idref="mandiant:observable-cf0dcd37-f55d-4b8e-9310-944ab627f3de"/> <cybox:Observable idref="mandiant:observable-52578931-211e-4c14-89de-3351ba97eae3"/> <cybox:Observable idref="mandiant:observable-08b40441-1179-4a43-a19c-84225cbd4e9b"/> <cybox:Observable idref="mandiant:observable-587379ba-23fa-4399-a47d-1e8a9abac22d"/> <cybox:Observable idref="mandiant:observable-036e3e8a-21ed-43d1-bead-639723eb5250"/> <cybox:Observable idref="mandiant:observable-03d9dd67-e0e0-4282-8e0a-7e97c2b787f3"/> <cybox:Observable idref="mandiant:observable-5fc14e27-5c2d-400d-a041-d3f9a351efb3"/> <cybox:Observable idref="mandiant:observable-e2eba2bf-9d47-4c20-aaa9-f2cc2d2b7dde"/> <cybox:Observable 
idref="mandiant:observable-b68a4775-fbbd-4460-aaac-99574efa6259"/> <cybox:Observable idref="mandiant:observable-a3d59d13-245e-4138-841b-e6717cca81f0"/> <cybox:Observable idref="mandiant:observable-672bc832-720b-4555-8e57-9b7d04dfaa69"/> <cybox:Observable idref="mandiant:observable-e2a510e4-730b-4a3a-9309-e5bb485ceda4"/> <cybox:Observable idref="mandiant:observable-7e4e361a-2b41-4352-9e59-6dd9b9451bb0"/> <cybox:Observable idref="mandiant:observable-3867dff7-15d9-448f-b4cd-7305b8bbc37f"/> <cybox:Observable idref="mandiant:observable-5aa85a39-c0af-465a-843a-257fd5b6c585"/> <cybox:Observable idref="mandiant:observable-f282192c-e23c-4c24-a18a-92553cad4e17"/> <cybox:Observable idref="mandiant:observable-5fcf6eda-d58c-4ed0-a97e-80a5c9393a78"/> <cybox:Observable idref="mandiant:observable-5bd61fb0-a61d-465d-bbec-22e606c97254"/> <cybox:Observable idref="mandiant:observable-19d1c945-f06d-4858-8c90-c19a5cf6059d"/> <cybox:Observable idref="mandiant:observable-be478e8d-6e76-427b-b19e-4cbc7f9b9459"/> <cybox:Observable idref="mandiant:observable-63359ec3-c1c1-4217-a698-1500bbac1937"/> <cybox:Observable idref="mandiant:observable-e486cb73-c290-4099-aefd-52650bd425b6"/> <cybox:Observable idref="mandiant:observable-528d6d2b-6bfe-4cbe-a1d7-7fa4d2304fc8"/> <cybox:Observable idref="mandiant:observable-5c088198-0b7a-4eab-bd26-3591ab2d9ff0"/> <cybox:Observable idref="mandiant:observable-5f85346b-8124-4f38-8af7-f7ecb05db34e"/> <cybox:Observable idref="mandiant:observable-f2e7493a-a858-4d38-bb8f-cb51725d7197"/> <cybox:Observable idref="mandiant:observable-ae032710-5891-4588-b255-ec1bcf04d227"/> <cybox:Observable idref="mandiant:observable-90181041-7e54-4d69-8305-3b1db1feaf13"/> <cybox:Observable idref="mandiant:observable-5147aced-2af6-4b61-9db9-9842cb4692a7"/> <cybox:Observable idref="mandiant:observable-00676dcf-c5cb-4918-9b9d-6ee12587bf6f"/> <cybox:Observable idref="mandiant:observable-6e0f4f57-9b9f-4adf-b34e-2cf20db7955a"/> <cybox:Observable 
idref="mandiant:observable-c847c5ba-6bd5-4692-8651-077f72771891"/> <cybox:Observable idref="mandiant:observable-ca84737a-e426-43d7-a145-7a8778a57353"/> <cybox:Observable idref="mandiant:observable-817ecb8f-d922-41d1-8da1-c01d4a4f272c"/> <cybox:Observable idref="mandiant:observable-78215b3b-52b0-4720-886d-a416312c4236"/> <cybox:Observable idref="mandiant:observable-10b1ba03-b276-4295-8c03-b17be46d3485"/> <cybox:Observable idref="mandiant:observable-e58150ca-8af3-4b2b-9659-7351a42cb26c"/> <cybox:Observable idref="mandiant:observable-19a33044-b55b-4b13-ba16-82faddbfad8b"/> <cybox:Observable idref="mandiant:observable-0f112a97-c7cd-447f-bf38-2f3b3a5a14e6"/> <cybox:Observable idref="mandiant:observable-86677460-02a8-4ab5-b707-11bf120664af"/> <cybox:Observable idref="mandiant:observable-104e8295-9b63-4595-90ea-d0cd9a18d93c"/> <cybox:Observable idref="mandiant:observable-a115f280-dc6c-4aab-8fc4-f640ebf7a599"/> <cybox:Observable idref="mandiant:observable-62ffa38b-9aab-4b6c-890e-5ac830ebd648"/> <cybox:Observable idref="mandiant:observable-111eb85c-83ea-4427-a8c9-ea9ad705bfa9"/> <cybox:Observable idref="mandiant:observable-ddfc26c5-69c1-4ad4-9290-28da46bd2a7b"/> <cybox:Observable idref="mandiant:observable-45f9c1d9-1a20-4289-b3e4-72035cc5f54d"/> <cybox:Observable idref="mandiant:observable-526c052f-dd62-4a18-a752-0ec9465a452c"/> <cybox:Observable idref="mandiant:observable-81542abd-8975-47bd-ab2a-657b2fb140fa"/> <cybox:Observable idref="mandiant:observable-4b915b30-cf6d-46bc-b5b2-5351595ad4af"/> <cybox:Observable idref="mandiant:observable-c0da7416-a51a-44f3-a64c-abcbdf00b8b4"/> <cybox:Observable idref="mandiant:observable-38828ede-349a-40d9-961f-bed923058774"/> <cybox:Observable idref="mandiant:observable-dedc26f8-efce-45e0-80c5-b1ed8a00cd89"/> <cybox:Observable idref="mandiant:observable-11534ab5-3378-4741-b68b-478e0a28fc15"/> <cybox:Observable idref="mandiant:observable-22b5f861-72fb-4fa5-a0b1-1693fc0f191d"/> <cybox:Observable 
idref="mandiant:observable-f39f176a-4b56-4be2-a179-8c89961c9683"/> <cybox:Observable idref="mandiant:observable-5e398c96-f8d9-4d5f-9753-f416d5e8ae49"/> <cybox:Observable idref="mandiant:observable-20e50cd6-96c3-41d8-9adc-2292fa4bdc7b"/> <cybox:Observable idref="mandiant:observable-80667694-eb92-41a9-9165-6ed899daf12f"/> <cybox:Observable idref="mandiant:observable-758e4343-da6a-4027-aeb3-e6c8dd5c4cff"/> <cybox:Observable idref="mandiant:observable-398ce8b3-2b65-443c-9063-6552f05cfb2f"/> <cybox:Observable idref="mandiant:observable-121b193a-987d-44ee-81f1-05c6cf4ea96f"/> <cybox:Observable idref="mandiant:observable-5a0f7b94-948e-4299-be06-823550dd1b33"/> <cybox:Observable idref="mandiant:observable-bc8911a3-2177-4c1a-850a-478b34ac2fe4"/> <cybox:Observable idref="mandiant:observable-935eb617-dec2-4ba9-9aa5-cf2a42c30722"/> <cybox:Observable idref="mandiant:observable-8b9e7dbf-c817-4807-bff6-bdf646120e0c"/> <cybox:Observable idref="mandiant:observable-f3678b88-9342-45c7-b7fa-b44979617005"/> <cybox:Observable idref="mandiant:observable-55dec592-caaf-426b-9fcf-219e50b3a013"/> <cybox:Observable idref="mandiant:observable-f40fc85a-9081-409c-bb85-2c60cd1b27e3"/> <cybox:Observable idref="mandiant:observable-4166b560-dd02-4d08-9074-b28749ced2f5"/> <cybox:Observable idref="mandiant:observable-7a01cc6b-b5ab-4790-a5d4-87b2fdf5428c"/> <cybox:Observable idref="mandiant:observable-2d8255d2-641a-4761-a6a5-771bd74344eb"/> <cybox:Observable idref="mandiant:observable-25da2178-8ba7-43f0-bfbf-ec6184930dd9"/> <cybox:Observable idref="mandiant:observable-19cb7aea-26cb-41b7-afd7-356606ca4434"/> <cybox:Observable idref="mandiant:observable-e9e4fa0f-9186-4f02-b8d3-412690f80aba"/> <cybox:Observable idref="mandiant:observable-12c7431c-d0f0-4b3c-ae1d-db0622b1c4ec"/> <cybox:Observable idref="mandiant:observable-96cb3701-ae2b-4fba-b108-28f79b1760a2"/> <cybox:Observable idref="mandiant:observable-3a86f589-7791-4ece-9a53-fe3872c814f4"/> <cybox:Observable 
idref="mandiant:observable-e8b9edd9-a3eb-462f-b8ec-22c0d7625359"/> <cybox:Observable idref="mandiant:observable-8a8fadb8-96e5-46da-b874-ba9522968577"/> <cybox:Observable idref="mandiant:observable-96064940-6bcb-43b7-b2a8-dd7671c61f27"/> <cybox:Observable idref="mandiant:observable-09513ce3-4ec5-4070-87b4-6ceecf28d66b"/> <cybox:Observable idref="mandiant:observable-b682a1b6-3efb-40dd-8262-26c99582e34d"/> <cybox:Observable idref="mandiant:observable-f170ec88-3afa-4602-b72b-3b05732b8a59"/> <cybox:Observable idref="mandiant:observable-67bb1f06-e71f-4d6a-8c4d-45d590e25859"/> <cybox:Observable idref="mandiant:observable-e786a178-8f96-4821-8a2f-9aea0b04bd69"/> <cybox:Observable idref="mandiant:observable-9bc2e53d-1fef-44b0-ad66-93329a14b18e"/> <cybox:Observable idref="mandiant:observable-b047a969-9ee5-4c47-b905-3d57dea106a8"/> <cybox:Observable idref="mandiant:observable-86cbbc7b-8373-4483-8cb4-f74d0d316b08"/> <cybox:Observable idref="mandiant:observable-fe1b00c1-9945-4e94-9b8a-da1c14dfd592"/> <cybox:Observable idref="mandiant:observable-4fde81d5-41b6-4e33-a221-d1dd64868f44"/> <cybox:Observable idref="mandiant:observable-21217a83-702c-4696-9328-e9220355868c"/> <cybox:Observable idref="mandiant:observable-a2fa50e8-4165-4f32-9f0e-3fe5f47663c8"/> <cybox:Observable idref="mandiant:observable-93f74395-d7e8-4a5f-9459-75b93dfb5652"/> <cybox:Observable idref="mandiant:observable-4bf1eba4-af8e-4d7d-a794-6337cef6d77b"/> <cybox:Observable idref="mandiant:observable-88fe1d0b-51cc-406e-816d-3d1877d161ab"/> <cybox:Observable idref="mandiant:observable-2f4f9327-0216-44c8-9e53-1d23698caf72"/> <cybox:Observable idref="mandiant:observable-7e923e4e-4ac5-4c6e-8ba0-7ae8bcb2851e"/> <cybox:Observable idref="mandiant:observable-ddfdbf22-1590-4527-b017-224b8a2f24b6"/> <cybox:Observable idref="mandiant:observable-32fcff4b-7c5f-4e34-9783-edb887fe73a5"/> <cybox:Observable idref="mandiant:observable-fa85a793-627a-48ce-91bc-e425c497a932"/> <cybox:Observable 
idref="mandiant:observable-c125aae2-69c3-4eb7-9293-c24c51d15b1c"/> <cybox:Observable idref="mandiant:observable-75074d1b-d72f-4fb0-bd5f-6eac577a6c63"/> <cybox:Observable idref="mandiant:observable-c6941c3a-15e4-47f3-b81b-74992538f067"/> <cybox:Observable idref="mandiant:observable-bc4e6a25-4073-40b9-abb2-ff9697fb2d13"/> <cybox:Observable idref="mandiant:observable-832e2c3f-0f51-46ff-940b-21ce999aef50"/> <cybox:Observable idref="mandiant:observable-a58f5ff2-8dbe-4926-a86f-08b0bf6e24bc"/> <cybox:Observable idref="mandiant:observable-3fc7d896-24f6-4a68-88a4-6b6bbb30284b"/> <cybox:Observable idref="mandiant:observable-e4ec6bc3-ca87-46ed-aa7d-7236e3df15d6"/> <cybox:Observable idref="mandiant:observable-4f7a652e-3392-4c4a-8ee2-301968a34507"/> <cybox:Observable idref="mandiant:observable-8284e473-1c40-4317-88e4-2274a05f8699"/> <cybox:Observable idref="mandiant:observable-8399140e-d68f-4e6a-bcc1-b1a2866c4bc3"/> <cybox:Observable idref="mandiant:observable-19c390ad-2f2f-40c0-8da5-1bf39de9e31a"/> <cybox:Observable idref="mandiant:observable-b48100bd-5e0c-4d2e-bcfa-448b44abe524"/> <cybox:Observable idref="mandiant:observable-a75807dd-ffca-40c5-86b4-9dcde61a7c6b"/> <cybox:Observable idref="mandiant:observable-af2c684f-d214-4b14-bbba-41682eca0e54"/> <cybox:Observable idref="mandiant:observable-c096ca67-e918-4e0f-b208-782e3a511516"/> <cybox:Observable idref="mandiant:observable-35fdebd5-e7f5-44dd-a0d6-f4e217da8814"/> <cybox:Observable idref="mandiant:observable-34bf75f7-6bbd-4646-9858-d1e3f5ee4188"/> <cybox:Observable idref="mandiant:observable-16d176ee-fd34-4de9-8bd6-71471e36fc03"/> <cybox:Observable idref="mandiant:observable-590352a7-f3a5-461e-8e21-505d650b2f22"/> <cybox:Observable idref="mandiant:observable-c2d77748-b66a-4d1f-965d-856eb1f22973"/> <cybox:Observable idref="mandiant:observable-a8b83474-9470-466c-961a-06bd8b2bd434"/> <cybox:Observable idref="mandiant:observable-ac064633-5ad5-430e-9860-6c0603308d93"/> <cybox:Observable 
idref="mandiant:observable-e7e4d3e5-b086-4b23-92c0-3e6aa1032123"/> <cybox:Observable idref="mandiant:observable-ed3723b5-d790-4b78-a409-b5949bc0cf53"/> <cybox:Observable idref="mandiant:observable-d8b9f7dc-1a88-413e-9968-5091c69c1178"/> <cybox:Observable idref="mandiant:observable-138d69cb-271e-4ba6-b059-352fbdf7efaa"/> <cybox:Observable idref="mandiant:observable-a5a8e2b5-3d88-4363-aa86-7bf57d0c7488"/> <cybox:Observable idref="mandiant:observable-022b41f1-9afe-45d6-af8b-1b157177025d"/> <cybox:Observable idref="mandiant:observable-ecc8fb90-5a68-4963-9b33-03ede415351b"/> <cybox:Observable idref="mandiant:observable-5b4f193e-557f-4224-bb18-cda6555dc52f"/> <cybox:Observable idref="mandiant:observable-20070b1b-c544-40e4-88b0-fc7533f9bda7"/> <cybox:Observable idref="mandiant:observable-4f356464-9e28-470f-8b4d-67553bdee05c"/> <cybox:Observable idref="mandiant:observable-db01b082-bfca-4493-9a89-c5ea64768065"/> <cybox:Observable idref="mandiant:observable-56267a8f-9633-4937-8de4-9085d355b3f2"/> <cybox:Observable idref="mandiant:observable-d5c98410-ee98-458e-a5b6-be970abb3a43"/> <cybox:Observable idref="mandiant:observable-428d8ae8-11ac-41c8-8cf8-e3626f976635"/> <cybox:Observable idref="mandiant:observable-a7ea89f3-847c-444d-b329-f1f93bf43d24"/> <cybox:Observable idref="mandiant:observable-14bf2c6c-2c39-44c8-92ed-caf34aa76456"/> <cybox:Observable idref="mandiant:observable-139fc1a6-e5f8-478f-ac4c-4e5ef4d5d7a7"/> <cybox:Observable idref="mandiant:observable-3e297215-861a-4a94-be92-bf2ae19f5065"/> <cybox:Observable idref="mandiant:observable-df4b6821-3b96-4864-b5a8-b1379ee80bb8"/> <cybox:Observable idref="mandiant:observable-3d73fee4-f73b-444d-835d-725a8a0b5da3"/> <cybox:Observable idref="mandiant:observable-322864bd-4a3c-4984-bb39-51da6c8289fb"/> <cybox:Observable idref="mandiant:observable-5782120d-8b59-4fe7-b2a3-2a0e7b784b90"/> <cybox:Observable idref="mandiant:observable-43aea2f9-7628-4e20-a806-0bab8a42187b"/> <cybox:Observable 
idref="mandiant:observable-a6ae527a-4736-42f6-ad14-fa5a699c92a3"/> <cybox:Observable idref="mandiant:observable-a06d67f2-5d6b-4119-b372-abeb3dc7d86b"/> <cybox:Observable idref="mandiant:observable-902d348a-920e-4ff6-8273-e23f511b3b29"/> <cybox:Observable idref="mandiant:observable-87eb54a8-f79e-453d-be63-59be0cd1e89b"/> <cybox:Observable idref="mandiant:observable-6112d863-22f8-410e-bf85-b7db8db31d16"/> <cybox:Observable idref="mandiant:observable-3ffa3bbe-9aba-43e5-a666-2bbc257ff4d7"/> <cybox:Observable idref="mandiant:observable-5ead8152-11d7-4bdc-bede-e89a31a6cad7"/> <cybox:Observable idref="mandiant:observable-633c3d70-d0d1-4a51-ac4d-a10347330777"/> <cybox:Observable idref="mandiant:observable-8ae14feb-b1a3-4efd-bc56-4dde8bc4acab"/> <cybox:Observable idref="mandiant:observable-1834b578-a4be-4368-8b16-1ebd1fbad785"/> <cybox:Observable idref="mandiant:observable-ebd1abe7-a473-48ba-8f43-9c132883cc15"/> <cybox:Observable idref="mandiant:observable-e8123462-e31b-48f3-bc72-43f2061c5850"/> <cybox:Observable idref="mandiant:observable-0955e2d7-eefb-4653-81c1-fb44041ece9b"/> <cybox:Observable idref="mandiant:observable-198a474b-cd29-445e-b670-900bab9d89fe"/> <cybox:Observable idref="mandiant:observable-3423d033-ef73-47cc-ac49-456452172b5f"/> <cybox:Observable idref="mandiant:observable-84c7d82b-c944-44f5-ae10-33521558866e"/> <cybox:Observable idref="mandiant:observable-cc9ba9e2-bb3f-4645-b767-6a86f33433f2"/> <cybox:Observable idref="mandiant:observable-cca8138c-efa2-4e49-9296-a27fffa4f379"/> <cybox:Observable idref="mandiant:observable-f6e29a86-ebd9-484c-9445-b6879146facf"/> <cybox:Observable idref="mandiant:observable-1e3246bf-6226-44c1-9739-bd53c5ed47c3"/> <cybox:Observable idref="mandiant:observable-87007f79-881f-4fee-a54a-6f9bf854422c"/> <cybox:Observable idref="mandiant:observable-128fa1b4-9034-4ccf-909f-e17f73532284"/> <cybox:Observable idref="mandiant:observable-7834fd6a-84a4-4885-ba74-0b2d7df12659"/> <cybox:Observable 
idref="mandiant:observable-7da7bff8-68f7-4234-92da-c3c509e883af"/> <cybox:Observable idref="mandiant:observable-293506cc-415b-468e-b9e2-3852d474652b"/> <cybox:Observable idref="mandiant:observable-fdec4448-5911-4572-a95a-cf61e3c0f9c2"/> <cybox:Observable idref="mandiant:observable-fab392cc-1376-46ec-8e2c-4fa4e704869d"/> <cybox:Observable idref="mandiant:observable-4ba6db3f-ca2d-46ce-8a75-eaba4b20a2bf"/> <cybox:Observable idref="mandiant:observable-73990b98-2df1-40ac-ab89-8d805e2a67bf"/> <cybox:Observable idref="mandiant:observable-4f469a10-6cd2-486f-8b81-0b0156c1888b"/> <cybox:Observable idref="mandiant:observable-98aa4299-4820-4d53-bb52-236ea8855aac"/> <cybox:Observable idref="mandiant:observable-30a990db-845c-4cbf-80b9-8b7b2386d7c1"/> <cybox:Observable idref="mandiant:observable-65ef6c0b-c2ef-4a30-8c7a-5530150de278"/> <cybox:Observable idref="mandiant:observable-08bb5155-f98e-4175-ba30-6c408c107d1a"/> <cybox:Observable idref="mandiant:observable-f7a71182-00a1-4f8a-847f-041d74a8cf7e"/> <cybox:Observable idref="mandiant:observable-b6630e04-d583-4c87-8933-368b8c768cdd"/> <cybox:Observable idref="mandiant:observable-f62eda54-fc09-4bf7-8943-63e9cf0dd87f"/> <cybox:Observable idref="mandiant:observable-c9f171c0-75d7-4378-beb7-4a6fa6716b18"/> <cybox:Observable idref="mandiant:observable-5b56e6a4-3d35-447c-967a-585833c67377"/> <cybox:Observable idref="mandiant:observable-044450c1-d0c9-4034-b50a-695ea872f81f"/> <cybox:Observable idref="mandiant:observable-9728541d-9905-4a02-8d45-89dc97f5cbcb"/> <cybox:Observable idref="mandiant:observable-2a058aa9-bcff-49d0-b898-63038cf5655e"/> <cybox:Observable idref="mandiant:observable-6db9a6b4-1875-4a3b-a3a4-63a5701e8e8b"/> <cybox:Observable idref="mandiant:observable-e37a42ad-39b9-4ed7-a8ff-b4f8684943ed"/> <cybox:Observable idref="mandiant:observable-5a737131-9ed6-4547-91ca-30d5dc566db8"/> <cybox:Observable idref="mandiant:observable-b5a329f6-8fc2-489d-87b8-3449788bc351"/> <cybox:Observable 
idref="mandiant:observable-2415ff42-a418-40b1-8349-ad97ac0b1236"/> <cybox:Observable idref="mandiant:observable-48e392bc-c065-48b0-882e-75fad379fefb"/> <cybox:Observable idref="mandiant:observable-2e22d803-b6c3-4ec7-9e13-5469062c0e38"/> <cybox:Observable idref="mandiant:observable-9fffb9ef-eda3-461f-bf24-b7c8f8013b5c"/> <cybox:Observable idref="mandiant:observable-11c8d961-aaf6-4c39-b5f3-3b9d3045ce3e"/> <cybox:Observable idref="mandiant:observable-4a7d498b-db58-4be5-acb0-921c245b4728"/> <cybox:Observable idref="mandiant:observable-dd7d606f-ffe7-45b6-b8e3-36c8690b0038"/> <cybox:Observable idref="mandiant:observable-b3381a0d-e6ef-4409-b2b0-4baa10e434be"/> <cybox:Observable idref="mandiant:observable-503abed0-b00b-4f4e-94fe-9ebc6abaffdd"/> <cybox:Observable idref="mandiant:observable-58567037-88d8-4110-8af9-23e7b6f3e7ef"/> <cybox:Observable idref="mandiant:observable-c8897027-e093-481e-82db-87357e11d559"/> <cybox:Observable idref="mandiant:observable-33aa7a58-6dc9-4a8a-855d-edf010502466"/> <cybox:Observable idref="mandiant:observable-3af073a8-52c5-48a7-b9c9-ca4e8916e5e6"/> <cybox:Observable idref="mandiant:observable-bfacd096-32e2-44de-9e7d-5ff612fcdb22"/> <cybox:Observable idref="mandiant:observable-23be8553-e380-423b-8b55-4e693b9600c8"/> <cybox:Observable idref="mandiant:observable-0b2a758e-7bc2-4b5d-bfe0-f931eb85ef8d"/> <cybox:Observable idref="mandiant:observable-2edba2c3-8ef4-477b-8768-8ff5090f84e4"/> <cybox:Observable idref="mandiant:observable-a279e61c-f3ff-4778-b395-1659b60c3c16"/> <cybox:Observable idref="mandiant:observable-e4ecdcd4-e23f-4ddd-9b7e-0323a11f6e99"/> <cybox:Observable idref="mandiant:observable-919d592f-238f-44f8-ad0f-a5d81e8aa2e7"/> <cybox:Observable idref="mandiant:observable-539af7eb-87df-4d74-8d25-d56f90413850"/> <cybox:Observable idref="mandiant:observable-a79936cb-12fb-4262-92b0-cea2db4901d7"/> <cybox:Observable idref="mandiant:observable-38e8480a-845d-452d-aef9-3b4eb29ca675"/> <cybox:Observable 
idref="mandiant:observable-8ed59326-294f-4c1a-aee1-6ef2fa1ee6ca"/> <cybox:Observable idref="mandiant:observable-b220f7cc-74e0-413e-a4f7-550f6937ec5e"/> <cybox:Observable idref="mandiant:observable-a477bfb8-74ce-4ffe-940d-6b5d17430959"/> <cybox:Observable idref="mandiant:observable-9f6c79fb-8a62-4024-8b6d-49563dbfe2a2"/> <cybox:Observable idref="mandiant:observable-4bde46ca-96a1-46ef-9ad1-ba3ee503d463"/> <cybox:Observable idref="mandiant:observable-0eb42182-ba04-4cf0-b139-9847a52d6698"/> <cybox:Observable idref="mandiant:observable-f41124ad-3629-449f-b6da-bcb4bb52433d"/> <cybox:Observable idref="mandiant:observable-d7b99f36-17cb-4c1b-a0a2-d17507b4104c"/> <cybox:Observable idref="mandiant:observable-eb37ece6-6f30-4dac-a297-910bdc1a334d"/> <cybox:Observable idref="mandiant:observable-0620bee8-aaf8-4747-ac24-5f300d266ac5"/> <cybox:Observable idref="mandiant:observable-53b3e98b-08ed-4b90-8595-dc16dbb2e0c7"/> <cybox:Observable idref="mandiant:observable-ad644aea-2dc8-4768-aa11-731b8ffa54ff"/> <cybox:Observable idref="mandiant:observable-7ebca5f2-2b13-4422-9bb1-b63d1eb04a22"/> <cybox:Observable idref="mandiant:observable-ab8860f7-0ef1-4933-bd94-9501717aa348"/> <cybox:Observable idref="mandiant:observable-5f3d57ff-610b-48c2-8417-1dd10dad9939"/> <cybox:Observable idref="mandiant:observable-e7039ae1-5b5b-4908-8e82-bd78769cfc9a"/> <cybox:Observable idref="mandiant:observable-f3742769-61fb-4de7-b257-fcc60a01507e"/> <cybox:Observable idref="mandiant:observable-60fc1671-3ae4-4aeb-b222-0899d1b5888f"/> <cybox:Observable idref="mandiant:observable-df92717a-a7ea-4afc-b7b9-a523b19b4324"/> <cybox:Observable idref="mandiant:observable-d41a75fd-8083-4b7a-9f1a-a514146a079a"/> <cybox:Observable idref="mandiant:observable-a1fc93dd-571c-403e-9eda-94a190489687"/> <cybox:Observable idref="mandiant:observable-aa42802b-6766-4cda-84d5-595e384b39ec"/> <cybox:Observable idref="mandiant:observable-2d663d81-6681-4deb-b7ef-4e6c710b3dcf"/> <cybox:Observable 
idref="mandiant:observable-d7762c98-0dd0-4c9a-a449-9043e6510c70"/> <cybox:Observable idref="mandiant:observable-e21f4677-be4d-456b-a847-08e0e6c39b0f"/> <cybox:Observable idref="mandiant:observable-bcd34f8a-8828-479d-bbfd-f371ae439606"/> <cybox:Observable idref="mandiant:observable-a63d9d35-d375-4c88-8d5b-0becafd94da0"/> <cybox:Observable idref="mandiant:observable-72dda272-72e5-4009-b0cd-559b1dab182f"/> <cybox:Observable idref="mandiant:observable-22bda1e4-5ed4-4212-86a9-a62172dec217"/> <cybox:Observable idref="mandiant:observable-d76a0387-eb69-472b-98ea-ee4b3ecb13d3"/> <cybox:Observable idref="mandiant:observable-1c31343b-beaf-41ab-b954-7602eb7e5c5c"/> <cybox:Observable idref="mandiant:observable-d6c354bb-9b63-48d3-8d7f-a82811cc9ffb"/> <cybox:Observable idref="mandiant:observable-d40244c9-69f3-4e20-a945-4d30ce050392"/> <cybox:Observable idref="mandiant:observable-b0a048ce-a039-4498-855c-f26b4f2cecfb"/> <cybox:Observable idref="mandiant:observable-097e4f85-860b-49d1-b37a-701bbeb59345"/> <cybox:Observable idref="mandiant:observable-21967ba1-c2d1-4d0c-9669-064a02d2d0da"/> <cybox:Observable idref="mandiant:observable-ea548f23-0490-492a-b7fc-2c7b69f8edb8"/> <cybox:Observable idref="mandiant:observable-4e3d7037-392f-466a-82ff-8dad6a4aeecc"/> <cybox:Observable idref="mandiant:observable-64f6473e-ce8c-4a26-ac08-1babd0cda245"/> <cybox:Observable idref="mandiant:observable-28447a30-760f-4804-8d4d-1d8ecb843328"/> <cybox:Observable idref="mandiant:observable-ff742dd5-23da-44d3-b2dc-a2df5dcc688f"/> <cybox:Observable idref="mandiant:observable-c8670f17-d6cb-4b86-8fa7-0c9db006b143"/> <cybox:Observable idref="mandiant:observable-100ef811-c6bd-436c-8909-d051eca97bc6"/> <cybox:Observable idref="mandiant:observable-3ad926e8-236a-42c1-b6c5-f4649b94a563"/> <cybox:Observable idref="mandiant:observable-5d129eb0-7dc9-4d5f-b323-56ec74f8a859"/> <cybox:Observable idref="mandiant:observable-60bf3398-cd2d-43ae-bd8a-423a87125e67"/> <cybox:Observable 
idref="mandiant:observable-1251ad3a-36cc-46df-b867-5b999c950d37"/> <cybox:Observable idref="mandiant:observable-7c63fc4c-c42d-4400-92ca-7e5d9f439d7f"/> <cybox:Observable idref="mandiant:observable-70888c05-d5fb-4161-9f11-c061aaca8e25"/> <cybox:Observable idref="mandiant:observable-663ea2a0-6c4d-4fdb-b1c4-84e444fb5090"/> <cybox:Observable idref="mandiant:observable-4a513012-d94c-4147-8817-ed0a60abdbad"/> <cybox:Observable idref="mandiant:observable-8f21de18-1b81-4553-9fa3-2af23053842c"/> <cybox:Observable idref="mandiant:observable-a6eb457c-fe70-43fc-8f4e-606c7d417f1b"/> <cybox:Observable idref="mandiant:observable-b6ed3588-18fc-4c76-b53b-c01aabdd5f92"/> <cybox:Observable idref="mandiant:observable-4a5c4267-9edd-47ee-8945-20e24278834e"/> <cybox:Observable idref="mandiant:observable-0bb5a610-2702-4862-a664-f6db36f3947b"/> <cybox:Observable idref="mandiant:observable-1e7493c7-a12b-4978-b657-fd1b90314d12"/> <cybox:Observable idref="mandiant:observable-5c5b382e-cdfd-469e-a024-4e52db2e423b"/> <cybox:Observable idref="mandiant:observable-edca262c-6b9e-4d7a-80ad-c8abff8668b2"/> <cybox:Observable idref="mandiant:observable-4da666d4-0544-433a-9942-5e3037941347"/> <cybox:Observable idref="mandiant:observable-40c51ba7-3b1d-4f63-b2b2-eba5b0a3075f"/> <cybox:Observable idref="mandiant:observable-e2dfd549-70d0-4334-b2cf-37bb7ba61d4e"/> <cybox:Observable idref="mandiant:observable-1eb256c6-771b-482a-b2e4-1adcc4be3e49"/> <cybox:Observable idref="mandiant:observable-523fdee8-4585-44d7-a09a-f3759fa9d3bb"/> <cybox:Observable idref="mandiant:observable-c906b618-c178-4359-9c21-d6ab01c5f216"/> <cybox:Observable idref="mandiant:observable-476fdea7-906d-4da0-8fa9-237e02ae8ddb"/> <cybox:Observable idref="mandiant:observable-0a30ed8a-70af-48a8-8a0a-ed25d5a4230c"/> <cybox:Observable idref="mandiant:observable-89cdc57a-f38f-464f-a759-53cf31f216f3"/> <cybox:Observable idref="mandiant:observable-549bb9fe-d79e-4cba-9eaa-6ccd0be147a1"/> <cybox:Observable 
idref="mandiant:observable-816c7fc0-fbc9-4994-898e-49cb1cdc7c5d"/> <cybox:Observable idref="mandiant:observable-05c6d75d-cc7e-4d43-afed-2f5851f3a202"/> <cybox:Observable idref="mandiant:observable-9da6a4f2-5c4f-4ad8-9827-5d544381f9a0"/> <cybox:Observable idref="mandiant:observable-dbf1e175-bcd9-4132-8b2f-be7398504c21"/> <cybox:Observable idref="mandiant:observable-068c2755-2a59-4e26-b2f2-62ba735d8651"/> <cybox:Observable idref="mandiant:observable-32180006-a3cd-41f3-b13f-7395af4d46e2"/> <cybox:Observable idref="mandiant:observable-5766bb13-64b5-4aec-a10d-4c92a044888a"/> <cybox:Observable idref="mandiant:observable-577c1afb-6741-47a6-ae85-82867f176a80"/> <cybox:Observable idref="mandiant:observable-9d91eda7-c3d9-464b-af83-f71e4b14a842"/> <cybox:Observable idref="mandiant:observable-4f87c102-e2d7-41ba-864b-6d8a2e1f2aac"/> <cybox:Observable idref="mandiant:observable-fb0db4fb-6694-4626-9d3a-7a25960bf4e9"/> <cybox:Observable idref="mandiant:observable-2c84422e-c3cb-4273-8ce8-ccde31ac8f6d"/> <cybox:Observable idref="mandiant:observable-3abd846c-45c9-45f5-aadb-b2a4acc70289"/> <cybox:Observable idref="mandiant:observable-862e3e8b-4964-48fb-9f70-ff4be36151ed"/> <cybox:Observable idref="mandiant:observable-b5a25419-7c45-46ab-a4cf-27f2308eee21"/> <cybox:Observable idref="mandiant:observable-b9ab076b-3b64-4dae-89d9-45072a19b699"/> <cybox:Observable idref="mandiant:observable-81481e39-64c8-4cac-80fc-524f71b30134"/> <cybox:Observable idref="mandiant:observable-5c9e8984-59cd-42b5-8b04-5df58cee48e0"/> <cybox:Observable idref="mandiant:observable-bb42a513-9b0d-4980-940a-9e75d761f361"/> <cybox:Observable idref="mandiant:observable-e6c0075b-6ddb-4a36-b0d4-3a3ac298dccf"/> <cybox:Observable idref="mandiant:observable-bb477ea0-f188-4c7a-b10e-536879f819be"/> <cybox:Observable idref="mandiant:observable-18b42ff6-3ff5-4c01-9700-13d9dbfb1bfe"/> <cybox:Observable idref="mandiant:observable-69abccad-1c5d-4427-ae3f-bb89a1f287af"/> <cybox:Observable 
idref="mandiant:observable-4f4b5ccc-dba5-4b38-95c1-c7a80c9cbd55"/> <cybox:Observable idref="mandiant:observable-3840e8b2-2d18-4689-94fb-990ff594169d"/> <cybox:Observable idref="mandiant:observable-94a2f411-294c-41e0-abe1-3ccc21f5844f"/> <cybox:Observable idref="mandiant:observable-511c616e-81ed-405f-9dd8-c104b85418f7"/> <cybox:Observable idref="mandiant:observable-6752f4d4-f141-4af0-a8e3-723b4701e315"/> <cybox:Observable idref="mandiant:observable-d827d88a-389b-47c9-a159-25bb46437633"/> <cybox:Observable idref="mandiant:observable-b5d981cc-6185-4d03-abdb-19862ab8d527"/> <cybox:Observable idref="mandiant:observable-99b0c203-fbaf-4183-ae63-48d0c03a7a81"/> <cybox:Observable idref="mandiant:observable-b72e9e6f-f135-44cd-8e38-60ffd2000af7"/> <cybox:Observable idref="mandiant:observable-e51dac46-9e38-40cd-bd9e-cf9389335a9b"/> <cybox:Observable idref="mandiant:observable-92f27bf2-cb73-4afb-b6bc-aeb93af236f0"/> <cybox:Observable idref="mandiant:observable-fc847913-f158-46a4-add6-d0aed12df4e9"/> <cybox:Observable idref="mandiant:observable-82513330-ebdd-470d-b685-8ce6bb1d0e40"/> <cybox:Observable idref="mandiant:observable-4933aae2-b99b-41b4-b654-0238c60a6570"/> <cybox:Observable idref="mandiant:observable-571eceed-e749-47c9-816d-34514ae8f5ce"/> <cybox:Observable idref="mandiant:observable-731a7370-2ef4-47ec-b6cb-0411aebc569a"/> <cybox:Observable idref="mandiant:observable-11d72f66-8aad-4b9c-b89e-51294de134fa"/> <cybox:Observable idref="mandiant:observable-890885aa-18c6-4b74-b0c7-a0bd1a3fbe53"/> <cybox:Observable idref="mandiant:observable-6eb51a17-ac61-43b4-b143-702960315b01"/> <cybox:Observable idref="mandiant:observable-f0acb752-f234-49da-856b-c4487188f8d5"/> <cybox:Observable idref="mandiant:observable-cb922a65-89da-40a4-af9a-db39ba0d5583"/> <cybox:Observable idref="mandiant:observable-1cf863d3-59e1-437c-b7ad-dd88da1aff34"/> <cybox:Observable idref="mandiant:observable-b7bc323b-eeb8-4da1-ad82-0bbd909840c2"/> <cybox:Observable 
idref="mandiant:observable-e1cf1ca2-3b82-4499-a464-27d411fba154"/> <cybox:Observable idref="mandiant:observable-10cdbd63-b615-43ba-906f-3ff38e20f666"/> <cybox:Observable idref="mandiant:observable-289a5c12-ab3d-4d16-a4e2-7f86a170dc70"/> <cybox:Observable idref="mandiant:observable-197c995d-798b-4c39-ac93-8a709c27fae0"/> <cybox:Observable idref="mandiant:observable-634443c8-e62a-4ab1-9508-5ad706983db4"/> <cybox:Observable idref="mandiant:observable-0f45ef31-8176-4181-842d-b44e0f860613"/> <cybox:Observable idref="mandiant:observable-7e925178-0290-4676-b6ea-5c968af2989f"/> <cybox:Observable idref="mandiant:observable-03019da0-4e35-44a9-8bf6-c0134cce58e5"/> <cybox:Observable idref="mandiant:observable-46df33f3-bff7-48b2-9545-9dea89b2b94f"/> <cybox:Observable idref="mandiant:observable-e8870f2d-6496-48ea-b50c-14d2f2791c2c"/> <cybox:Observable idref="mandiant:observable-13c7ff58-1d87-4898-96a0-98ad886763e2"/> <cybox:Observable idref="mandiant:observable-77dcc436-2e07-47c7-ae81-7fb7cf50a00a"/> <cybox:Observable idref="mandiant:observable-3eff6eba-23e3-4a00-bdac-87d1992d58fb"/> <cybox:Observable idref="mandiant:observable-ff53cd17-3267-44fe-af63-ae0859a26161"/> <cybox:Observable idref="mandiant:observable-bc60be82-0891-46be-8dd4-1f2447464e33"/> <cybox:Observable idref="mandiant:observable-da0cc592-b519-47c3-90fd-a9b9dd694e3c"/> <cybox:Observable idref="mandiant:observable-67c82cfd-e7a3-42dc-87ae-6a626509473e"/> <cybox:Observable idref="mandiant:observable-b1a94d3c-71a2-4cd3-bf7c-fbd146f3ec75"/> <cybox:Observable idref="mandiant:observable-f810aca4-4035-4630-9b91-f9a2b08b5d49"/> <cybox:Observable idref="mandiant:observable-d3234aca-7aa1-477b-a767-873e569d15f0"/> <cybox:Observable idref="mandiant:observable-9c596030-7a74-4293-8513-e7bcb9bc2138"/> <cybox:Observable idref="mandiant:observable-c4ed36db-92b3-4c62-af77-925e69929e5d"/> <cybox:Observable idref="mandiant:observable-4669a304-91b2-4882-b79a-4e3e54fdf162"/> <cybox:Observable 
idref="mandiant:observable-55dc3ac8-da7c-4158-91c1-1b1b6f02269c"/> <cybox:Observable idref="mandiant:observable-c18bf4e6-71c9-4a60-9e8c-c896582d65fd"/> <cybox:Observable idref="mandiant:observable-d124c4c2-a338-48b3-b7c7-9eb1987f4f21"/> <cybox:Observable idref="mandiant:observable-a98a90bc-e817-4985-ba97-1a18a4aa1790"/> <cybox:Observable idref="mandiant:observable-aca8b54d-9576-414f-994b-2440455093b4"/> <cybox:Observable idref="mandiant:observable-dc662c94-c50f-44ba-99c4-a0b4f4df4d73"/> <cybox:Observable idref="mandiant:observable-08060761-ace3-47c9-b091-1f41a8d335a2"/> <cybox:Observable idref="mandiant:observable-960e594f-6f05-44c7-85b5-eaa2c696f419"/> <cybox:Observable idref="mandiant:observable-5182a2da-a3ed-4dae-aebb-aabe3dad350d"/> <cybox:Observable idref="mandiant:observable-6f191ca4-9764-4b9a-ac98-091565e1d76e"/> <cybox:Observable idref="mandiant:observable-5f7bc992-2cb5-4de3-8f83-090e6dba53e7"/> <cybox:Observable idref="mandiant:observable-40b37830-e5a6-4c7d-98c7-952c9b25d4ce"/> <cybox:Observable idref="mandiant:observable-8fac18cc-a583-4c19-af3c-277390909c1d"/> <cybox:Observable idref="mandiant:observable-1014039c-105b-4461-a51e-6836ecbc1d1d"/> <cybox:Observable idref="mandiant:observable-f2f4573e-7377-4252-88da-7539aacb674f"/> <cybox:Observable idref="mandiant:observable-303c96ec-01ef-4f0c-9c62-335ae16c879a"/> <cybox:Observable idref="mandiant:observable-a8f5799b-1b35-4125-802b-e052a5a23605"/> <cybox:Observable idref="mandiant:observable-5e94b2ae-a2bc-4df8-b42d-af92b62a4636"/> <cybox:Observable idref="mandiant:observable-7be68113-1abe-4400-96a7-1975c65afa51"/> <cybox:Observable idref="mandiant:observable-f6cbabdb-f0d4-4a5d-9108-a05ffd2063eb"/> <cybox:Observable idref="mandiant:observable-40d193f4-f81c-4284-b5b7-16fcdcaf11ed"/> <cybox:Observable idref="mandiant:observable-467aa9b4-db05-4af3-8845-6ec7a77edf55"/> <cybox:Observable idref="mandiant:observable-8c74d0c8-4c0a-4ca1-b32e-b5fb7e1f9dff"/> <cybox:Observable 
idref="mandiant:observable-573e75c3-d30c-4c7e-9eb6-2413e7dae467"/> <cybox:Observable idref="mandiant:observable-6490093a-f01f-46ec-966f-2a253086df2d"/> <cybox:Observable idref="mandiant:observable-8e855941-0540-4666-91c5-cc00f590ef8f"/> <cybox:Observable idref="mandiant:observable-ac9d0ce4-ae62-4bff-8e3e-51700dbd06db"/> <cybox:Observable idref="mandiant:observable-151c88cd-5f32-4907-95e7-634e59e33c2b"/> <cybox:Observable idref="mandiant:observable-cc5d6946-59c1-4051-b4bc-9a75a97b8ed3"/> <cybox:Observable idref="mandiant:observable-05197a99-e93b-4191-88a5-dec580e4a4da"/> <cybox:Observable idref="mandiant:observable-c1ac9cfc-add0-45f7-a05a-4af054cab8df"/> <cybox:Observable idref="mandiant:observable-5cfa6e43-e731-4af2-8c92-1152ba528385"/> <cybox:Observable idref="mandiant:observable-8a6328bf-7339-46ef-9f03-c4c9986717a9"/> <cybox:Observable idref="mandiant:observable-79dbd05c-02f6-461e-9354-b4da65c9ac84"/> <cybox:Observable idref="mandiant:observable-120aca89-0a54-48fb-9f61-9b27ea3127d0"/> <cybox:Observable idref="mandiant:observable-36571da0-b86e-4a08-a614-1a209e1476f6"/> <cybox:Observable idref="mandiant:observable-624e54dd-f951-44b0-a32d-0f34ec8f5c11"/> <cybox:Observable idref="mandiant:observable-09d87a2c-aaee-4208-9493-aa8d1b966aac"/> <cybox:Observable idref="mandiant:observable-1ee8d615-fa0e-4cd2-a197-b71a1c73811e"/> <cybox:Observable idref="mandiant:observable-202bfd6a-5e2a-4282-8615-85cbb1c5e5ca"/> <cybox:Observable idref="mandiant:observable-cf4e1837-80f8-4340-a039-6112da073620"/> <cybox:Observable idref="mandiant:observable-d25ef297-186c-47aa-b8c0-08e28c0ed654"/> <cybox:Observable idref="mandiant:observable-6d6aeacd-647c-4b2f-8be6-b1f4480c5c39"/> <cybox:Observable idref="mandiant:observable-b2cc3245-40de-4429-8269-de0139d36ace"/> <cybox:Observable idref="mandiant:observable-f543db81-7f74-4dff-a9de-dfa1cc476800"/> <cybox:Observable idref="mandiant:observable-82d54287-8843-4d88-89a0-f561287a5568"/> <cybox:Observable 
idref="mandiant:observable-b5a890ba-533a-4224-844d-ed32e3daa346"/> <cybox:Observable idref="mandiant:observable-21b92127-f165-4bfb-b8e3-63dbf7c1b7e5"/> <cybox:Observable idref="mandiant:observable-9867293c-7dc3-4c9a-8591-7dd9e2674891"/> <cybox:Observable idref="mandiant:observable-383adf55-e7d7-4a7a-9699-ae54e6598cb9"/> <cybox:Observable idref="mandiant:observable-08062389-ed83-4d0b-aacd-561f7c3fb174"/> <cybox:Observable idref="mandiant:observable-14000699-c2ad-4c6b-b094-259cd9efcbc4"/> <cybox:Observable idref="mandiant:observable-6838ff51-0d06-4f6c-b1dd-bf99be6424cc"/> <cybox:Observable idref="mandiant:observable-42ec0996-d428-45e5-842d-b4a4c90ec92b"/> <cybox:Observable idref="mandiant:observable-43782ed2-aa44-4562-8bbb-894ac7754ffb"/> <cybox:Observable idref="mandiant:observable-e76c8a58-5483-4882-b462-ef68dbfa7717"/> <cybox:Observable idref="mandiant:observable-4f65e1f7-1c23-4f52-ac70-82a9f053a547"/> <cybox:Observable idref="mandiant:observable-a700c1db-1286-4db8-afe4-35bec86f7e81"/> <cybox:Observable idref="mandiant:observable-43e387ab-bc3c-401f-8738-17ee4fa5a15e"/> <cybox:Observable idref="mandiant:observable-5edd238d-f621-40c9-9475-89158f136bfe"/> <cybox:Observable idref="mandiant:observable-fb2b2f26-40d9-4062-b8e5-5baed8987804"/> <cybox:Observable idref="mandiant:observable-3af8775b-f6a0-4de0-aba7-d263e9f0474e"/> <cybox:Observable idref="mandiant:observable-a3d25601-5606-4624-8c24-cfec2e18cd80"/> <cybox:Observable idref="mandiant:observable-d67fecea-ecc6-4c8e-9a7f-583c32567205"/> <cybox:Observable idref="mandiant:observable-22c8d8e5-9351-4dcc-a233-e4e5818b71c9"/> <cybox:Observable idref="mandiant:observable-53921f8f-35d1-4e6b-a057-ce73f4f00b8d"/> <cybox:Observable idref="mandiant:observable-cd16bfab-3bb5-400e-a9aa-d1a17338092a"/> <cybox:Observable idref="mandiant:observable-15b4eea7-c8eb-4322-8eef-75b2078392e6"/> <cybox:Observable idref="mandiant:observable-8e3c32af-c36e-4acb-b7a5-12b091950192"/> <cybox:Observable 
idref="mandiant:observable-c686e148-69ad-4f99-a6c3-0d36fa6b1e96"/> <cybox:Observable idref="mandiant:observable-b5004160-228e-4105-a695-1a9627476a0a"/> <cybox:Observable idref="mandiant:observable-191e83a8-0cdd-4052-a395-1cc4b3547443"/> <cybox:Observable idref="mandiant:observable-8ec427c1-fa53-402e-afd9-80ab8703c845"/> <cybox:Observable idref="mandiant:observable-7a0b2648-bcf0-4ab5-a9fa-9616f684e6c7"/> <cybox:Observable idref="mandiant:observable-99dcaf40-1bb0-4883-8fab-e5ecdd8607ac"/> <cybox:Observable idref="mandiant:observable-07c5761b-2e96-415e-91d8-44fe06ac927a"/> <cybox:Observable idref="mandiant:observable-85d1a437-5e83-4906-b965-354ed4924dc3"/> <cybox:Observable idref="mandiant:observable-acf8afc7-e008-4cda-9c7e-b7446d5901ee"/> <cybox:Observable idref="mandiant:observable-d0771524-73a5-48c8-b8aa-e534cae6ab90"/> <cybox:Observable idref="mandiant:observable-eaad70db-8b22-4e33-a569-d8967be53442"/> <cybox:Observable idref="mandiant:observable-e1030839-4d91-4fb5-8d1a-55aa85bb5425"/> <cybox:Observable idref="mandiant:observable-9ba41a9d-b15f-41ff-adf8-f66b6de632ce"/> <cybox:Observable idref="mandiant:observable-e5511631-bcd7-48ea-90e9-b57607379c15"/> <cybox:Observable idref="mandiant:observable-a72d2656-832d-472f-958f-53af8770f9d7"/> <cybox:Observable idref="mandiant:observable-321f6986-5f70-4f5a-a4f4-c230a3e5f6a3"/> <cybox:Observable idref="mandiant:observable-d8cd2cb3-8ac3-422f-a602-53e3e5f03603"/> <cybox:Observable idref="mandiant:observable-c1199dd1-0a29-42aa-9575-f2f2d8152e3e"/> <cybox:Observable idref="mandiant:observable-427148fb-ede2-44b6-87f5-5ccecae64ea8"/> <cybox:Observable idref="mandiant:observable-08a890c5-8244-43a2-9cfd-8b5dfe8e2375"/> <cybox:Observable idref="mandiant:observable-5b7933a2-322b-4683-af99-fc2e3670affc"/> <cybox:Observable idref="mandiant:observable-0797d25a-bfbe-4b97-98ff-e010d22c3f50"/> <cybox:Observable idref="mandiant:observable-dbc4b449-35db-457f-b9ee-ffded2fd7839"/> <cybox:Observable 
idref="mandiant:observable-3fc7e909-fdbf-4f07-80c8-434d6871b063"/> <cybox:Observable idref="mandiant:observable-78e55482-13b7-4d7e-be88-8c791471e3c3"/> <cybox:Observable idref="mandiant:observable-ae170f81-a81d-487c-8b04-c07883528123"/> <cybox:Observable idref="mandiant:observable-ac70add4-d1a8-4afd-a0d1-a853cc3b0621"/> <cybox:Observable idref="mandiant:observable-e20bf836-d1cc-4bc5-809d-56fae5cc3750"/> <cybox:Observable idref="mandiant:observable-f519fe0d-64a8-4e78-b7ce-b61e21d8e142"/> <cybox:Observable idref="mandiant:observable-408e3371-1e28-4c70-ae9e-22346bff725d"/> <cybox:Observable idref="mandiant:observable-6680c8c8-94b8-4726-b044-276122132188"/> <cybox:Observable idref="mandiant:observable-3a43b6c8-25ec-40c6-a371-527dc3f09157"/> <cybox:Observable idref="mandiant:observable-7d448a24-25a1-481a-85bc-a31f68d1f541"/> <cybox:Observable idref="mandiant:observable-3601a1b3-1400-4eb3-84f4-2fab1cecd8f9"/> <cybox:Observable idref="mandiant:observable-37bb84d7-4b82-4d1a-9d0c-14870b79f506"/> <cybox:Observable idref="mandiant:observable-16eee0ce-73c8-4a63-a534-5b06963450ad"/> <cybox:Observable idref="mandiant:observable-b3f26321-571e-421e-862f-d418e19bafa8"/> <cybox:Observable idref="mandiant:observable-a1adc445-7f63-4f5d-8b07-06e550d8ddeb"/> <cybox:Observable idref="mandiant:observable-2d25335e-80b3-4b05-bf29-cd4051d2d9ce"/> <cybox:Observable idref="mandiant:observable-0299307f-b6d6-4e33-90c8-640699ab078b"/> <cybox:Observable idref="mandiant:observable-63f8cb7f-2bb6-41a0-a20e-cb65b7df03e3"/> <cybox:Observable idref="mandiant:observable-bcee073b-2aa0-446d-9df3-2e60dc1ec4e1"/> <cybox:Observable idref="mandiant:observable-f784a8db-f918-4317-9ca8-b727d45a1f02"/> <cybox:Observable idref="mandiant:observable-ab1f1988-84f0-435c-9705-e2560fc15178"/> <cybox:Observable idref="mandiant:observable-d1a3937b-b842-4bd0-b440-10933e38cf51"/> <cybox:Observable idref="mandiant:observable-bf1e5c90-7411-4cf1-952d-3cb8957edcaa"/> <cybox:Observable 
idref="mandiant:observable-65958046-17f0-4020-ac0d-cfb3f162e6dd"/> <cybox:Observable idref="mandiant:observable-58f61fa4-27b6-41c2-85a9-fcf42ff1d4d1"/> <cybox:Observable idref="mandiant:observable-f9e23c6a-6d57-4454-988d-6277c01b9da2"/> <cybox:Observable idref="mandiant:observable-73064b86-b3bf-4e8f-ac8c-4328cfe8e27a"/> <cybox:Observable idref="mandiant:observable-c16f0c10-cbcd-4887-962c-9f69203e2464"/> <cybox:Observable idref="mandiant:observable-ffdd76fa-2a4f-4c64-8567-d34437fc95b8"/> <cybox:Observable idref="mandiant:observable-f6abf31b-046c-4b97-8a2c-e2730c5d1c02"/> <cybox:Observable idref="mandiant:observable-7b73a5da-b774-43e1-9009-3ac306998c40"/> <cybox:Observable idref="mandiant:observable-d621b0bb-3752-4bbd-8cf1-e02f28359314"/> <cybox:Observable idref="mandiant:observable-b36c8593-4b41-46b3-90a9-ff2c856869c1"/> <cybox:Observable idref="mandiant:observable-b8ff6f03-aa00-4b25-8f74-251af63ef7a4"/> <cybox:Observable idref="mandiant:observable-cb0e98b4-0169-4058-9541-edcdbead06ae"/> <cybox:Observable idref="mandiant:observable-af556b1d-78d1-4740-92ac-4a5fe8723a74"/> <cybox:Observable idref="mandiant:observable-6d5e4516-3d05-4ba0-934a-6b080110fd1b"/> <cybox:Observable idref="mandiant:observable-ca304672-8046-4f3b-a033-d38d845f6714"/> <cybox:Observable idref="mandiant:observable-6cdcf31b-efe4-4b9c-90cd-87761deabcc0"/> <cybox:Observable idref="mandiant:observable-3e2422bd-fd0c-4575-aec9-5a4c0e6d8f84"/> <cybox:Observable idref="mandiant:observable-e559a0ff-4275-48da-bb2f-d90a0d75d0cf"/> <cybox:Observable idref="mandiant:observable-ac310004-4ceb-41db-8f7f-8ea4700923df"/> <cybox:Observable idref="mandiant:observable-9c209bb5-f2ab-44f3-a518-f89763c9b66a"/> <cybox:Observable idref="mandiant:observable-7ad0528d-91d9-40e7-8d01-920ca28cc8b6"/> <cybox:Observable idref="mandiant:observable-456edb39-0d5c-4adc-ba8b-278d7bed0cad"/> <cybox:Observable idref="mandiant:observable-c29c9ebe-4506-456b-8ffc-3d2cbe4a5e36"/> <cybox:Observable 
idref="mandiant:observable-b2b647cc-befe-4a2d-82a9-64b5518b78fa"/> <cybox:Observable idref="mandiant:observable-4de9455d-b4f8-4fbe-b706-101511d6adb0"/> <cybox:Observable idref="mandiant:observable-b2cf2de9-b2e6-478e-8260-696c07f7c858"/> <cybox:Observable idref="mandiant:observable-07acd0ad-effe-40c1-9143-b59ee65cdc82"/> <cybox:Observable idref="mandiant:observable-61ab04b2-835a-49e1-b48f-f2892a364a70"/> <cybox:Observable idref="mandiant:observable-3bfabbc3-2613-4e70-9864-55928eff4046"/> <cybox:Observable idref="mandiant:observable-ece468aa-3ae7-41e2-b655-82c9bf7ae315"/> <cybox:Observable idref="mandiant:observable-09c0befb-e39d-4ce5-9598-b079759eb60e"/> <cybox:Observable idref="mandiant:observable-461423f7-2d3d-487b-a28e-f809412cc841"/> <cybox:Observable idref="mandiant:observable-f3c52374-9e6e-4d0a-8eb5-0f8b0bf2b600"/> <cybox:Observable idref="mandiant:observable-de464108-ff1b-43e1-9a9d-a2fa3a0cc48c"/> <cybox:Observable idref="mandiant:observable-9b46173f-f99b-4fd4-9ede-672d412f9274"/> <cybox:Observable idref="mandiant:observable-37f16d0e-697d-482d-bf13-2f747f849b54"/> <cybox:Observable idref="mandiant:observable-d0c8e2c2-cf76-44dd-afb1-fcb042e5b830"/> <cybox:Observable idref="mandiant:observable-099663c2-ecb6-492d-8fa3-5868277c0ce5"/> <cybox:Observable idref="mandiant:observable-d9b5ddbb-4673-4a2f-855a-65e4a56ca940"/> <cybox:Observable idref="mandiant:observable-fa82306a-4865-4811-bf4b-8b8dab22ba04"/> <cybox:Observable idref="mandiant:observable-2a7e7340-2701-4635-90ae-335593798d87"/> <cybox:Observable idref="mandiant:observable-f9da710e-16aa-4155-9649-7138eb6f706d"/> <cybox:Observable idref="mandiant:observable-5efbf792-7229-451f-bef1-3580de79d99f"/> <cybox:Observable idref="mandiant:observable-bff734c9-fc24-4a98-bfa9-97aba5a23ab7"/> <cybox:Observable idref="mandiant:observable-11613394-2a83-4e3e-a371-1a5209c2545a"/> <cybox:Observable idref="mandiant:observable-8e305cdc-46cb-49af-9072-e1687ecd6535"/> <cybox:Observable 
idref="mandiant:observable-6ddc8685-a57c-47ee-88a9-9d6caf2ef3a9"/> <cybox:Observable idref="mandiant:observable-e272e639-d854-48b1-85b4-729d1f3412e1"/> <cybox:Observable idref="mandiant:observable-cc9bb9f9-a23b-4515-8335-21cf84d3144e"/> <cybox:Observable idref="mandiant:observable-f5fc9e99-316c-4ae8-8f3e-84772f78898f"/> <cybox:Observable idref="mandiant:observable-b829355c-8ac2-4229-8880-922a66ffa047"/> <cybox:Observable idref="mandiant:observable-7a99942e-d13d-47ef-8ffc-61f123f8a5dc"/> <cybox:Observable idref="mandiant:observable-dd7dbf24-1aa2-4191-81eb-a0021aa207d7"/> <cybox:Observable idref="mandiant:observable-87dc59c7-5a89-4076-acc5-efe198b49386"/> <cybox:Observable idref="mandiant:observable-7dd519d0-093f-407f-b464-ac494065beed"/> <cybox:Observable idref="mandiant:observable-1f2ecedb-7b3b-4f93-b15a-34019332a313"/> <cybox:Observable idref="mandiant:observable-d19ffaa5-d99d-45e7-85cf-f4faf0608147"/> <cybox:Observable idref="mandiant:observable-165af123-f86a-46fd-97d9-52291b7d5017"/> <cybox:Observable idref="mandiant:observable-d8dc58d8-bf6d-4001-bd27-075dafdc0459"/> <cybox:Observable idref="mandiant:observable-24a7c3af-87f9-4924-8e72-6a42a3b805fa"/> <cybox:Observable idref="mandiant:observable-93015983-823d-43d8-85a7-fb8fa98cf7aa"/> <cybox:Observable idref="mandiant:observable-140916f8-ff79-4551-8961-8e859cbebd84"/> <cybox:Observable idref="mandiant:observable-c828af97-234b-4fd9-9798-904962074ee4"/> <cybox:Observable idref="mandiant:observable-32ee351e-454d-418c-98e8-9b7d8ef8127c"/> <cybox:Observable idref="mandiant:observable-f963988d-2e86-4acb-a573-a4e762417934"/> <cybox:Observable idref="mandiant:observable-cbd3d3bd-d8db-444c-9269-7d6b3251ed0b"/> <cybox:Observable idref="mandiant:observable-a0383e59-8359-47bf-94ab-186146bf6607"/> <cybox:Observable idref="mandiant:observable-261f110d-fa04-4ed1-95e8-8c90ff010652"/> <cybox:Observable idref="mandiant:observable-2ed2480e-1ba5-4fcb-a039-c0ded1145a0d"/> <cybox:Observable 
idref="mandiant:observable-0d2e918e-637b-4abe-ab70-a8e9203bf4fa"/> <cybox:Observable idref="mandiant:observable-a0b7a583-c221-4133-8b05-bdf11fe9c3fd"/> <cybox:Observable idref="mandiant:observable-cbcf3f56-bf7a-4f53-8ca3-3e7a8d39b3e1"/> <cybox:Observable idref="mandiant:observable-68b40394-3e93-4d71-9d7e-e893d61f9a1e"/> <cybox:Observable idref="mandiant:observable-de395497-eabf-4d17-bbc4-344546d92bf4"/> <cybox:Observable idref="mandiant:observable-412dc589-3186-41a7-acbb-fe76f1af2e84"/> <cybox:Observable idref="mandiant:observable-6ba4376b-78a3-4f87-96fd-9a5adda26d63"/> <cybox:Observable idref="mandiant:observable-96c5afb9-5e53-4cf6-a9b3-7a75bd7ff859"/> <cybox:Observable idref="mandiant:observable-a2b9fb4d-e28f-43b7-93fc-ddc855e8399f"/> <cybox:Observable idref="mandiant:observable-a7f057f3-97a1-4c7a-8168-28102a68bf9c"/> <cybox:Observable idref="mandiant:observable-1241a277-5fff-4d2e-8805-e71ea2ab1a4f"/> <cybox:Observable idref="mandiant:observable-d0079169-d149-404e-84a9-a02387d18b37"/> <cybox:Observable idref="mandiant:observable-bca5a60c-0b21-42f4-94ba-213bc4bd0edc"/> <cybox:Observable idref="mandiant:observable-1e89cfa2-ffe7-46cc-9b04-abf39ef5adfa"/> <cybox:Observable idref="mandiant:observable-f99ef512-181c-4b98-8bbd-7331b16951e8"/> <cybox:Observable idref="mandiant:observable-b657df39-9a41-4886-8f41-4bf19c8e1aaa"/> <cybox:Observable idref="mandiant:observable-ea45b183-0aed-4345-b536-d87a43145beb"/> <cybox:Observable idref="mandiant:observable-8047965d-a942-4e6d-b51e-33dffb2e0bcd"/> <cybox:Observable idref="mandiant:observable-55ab17de-e022-4a7d-96cd-98b1e6c2aa49"/> <cybox:Observable idref="mandiant:observable-d6f80663-1fa7-4e9f-aa16-f02dbdc363df"/> <cybox:Observable idref="mandiant:observable-bdbac1c0-2d8b-4714-8757-2e3f82cd17c4"/> <cybox:Observable idref="mandiant:observable-c377cc91-f48d-4d1a-99bb-656cf3b706d7"/> <cybox:Observable idref="mandiant:observable-15195f31-be5e-4e16-9d30-6f3db6107b28"/> <cybox:Observable 
idref="mandiant:observable-5da94f8b-0a61-4229-9649-031bcc12e942"/> <cybox:Observable idref="mandiant:observable-aae5b567-4ab7-4fb2-98c8-cf684b2ad9aa"/> <cybox:Observable idref="mandiant:observable-27b93d21-246e-4a67-b099-e105dec428c3"/> <cybox:Observable idref="mandiant:observable-c80c0b77-8f85-444b-8b25-91cb89daaf23"/> <cybox:Observable idref="mandiant:observable-bba92888-f287-481d-afa9-f41c1f2324d1"/> <cybox:Observable idref="mandiant:observable-95724da5-c00f-4aa4-98e2-811d28dafe35"/> <cybox:Observable idref="mandiant:observable-aaad91e6-b2d7-46d8-8e26-afb74292e14b"/> <cybox:Observable idref="mandiant:observable-75bcbb10-444e-4af6-9ded-45136b5b2199"/> <cybox:Observable idref="mandiant:observable-ab0ff0cb-b591-4dbc-852d-0b6c023738a6"/> <cybox:Observable idref="mandiant:observable-9dbcdf25-be33-4433-9451-cd1594895c2b"/> <cybox:Observable idref="mandiant:observable-17e0c2b6-f87c-4ec9-9535-5e4e084a1659"/> <cybox:Observable idref="mandiant:observable-60ec0c3f-9729-4a8a-b34d-732951737b77"/> <cybox:Observable idref="mandiant:observable-43633d51-6eea-47f8-bb88-2b612cc8bc1e"/> <cybox:Observable idref="mandiant:observable-f1d15860-1f3d-4617-8f48-3be336bfa1f6"/> <cybox:Observable idref="mandiant:observable-4fd558fc-f3a9-45d0-affe-b0d751327ce8"/> <cybox:Observable idref="mandiant:observable-5148c205-0c23-4598-b620-0693e63a4c41"/> <cybox:Observable idref="mandiant:observable-8fd1c9ac-5b0d-4b4a-a421-072021d1b4b2"/> <cybox:Observable idref="mandiant:observable-ceb7a04d-314f-4436-8b11-9bdfe200e22f"/> <cybox:Observable idref="mandiant:observable-5ee5573c-3833-45b6-a5a5-d52846fd6eaf"/> <cybox:Observable idref="mandiant:observable-2a80e6d7-fa63-446b-82d6-9c45c250326c"/> <cybox:Observable idref="mandiant:observable-d4ec4576-ff12-4456-8ccc-248b18672a4e"/> <cybox:Observable idref="mandiant:observable-cdc827e8-5a3a-42b6-bbad-e8e4489f3616"/> <cybox:Observable idref="mandiant:observable-46890225-6097-4468-9620-c5572c663a22"/> <cybox:Observable 
idref="mandiant:observable-b2af7f69-e2b7-479c-a8e9-41f755058158"/> <cybox:Observable idref="mandiant:observable-1fa8eb07-242a-468d-b792-733bdf12a6f3"/> <cybox:Observable idref="mandiant:observable-4aa84fae-cfed-490f-8325-29ce00097afd"/> <cybox:Observable idref="mandiant:observable-a51199a5-b5ac-4b88-878f-75df9dfe7dc4"/> <cybox:Observable idref="mandiant:observable-617f3e64-5fdd-4ae0-bc06-cbd12ce8f7f0"/> <cybox:Observable idref="mandiant:observable-b0f37fe1-4464-4e35-b378-a9ce2965f672"/> <cybox:Observable idref="mandiant:observable-091bdb12-ebc2-4e1a-a8c4-c548aba4a650"/> <cybox:Observable idref="mandiant:observable-ce6169d0-3325-46a9-9c98-11cf6f780f5e"/> <cybox:Observable idref="mandiant:observable-90fae1d7-2cc6-4f4e-b471-2b9dea012c1a"/> <cybox:Observable idref="mandiant:observable-7f004670-d978-4a24-8431-675d2290bdc2"/> <cybox:Observable idref="mandiant:observable-c0f7ed6a-c672-4f95-a00f-71f795282657"/> <cybox:Observable idref="mandiant:observable-af13e5f2-8cf3-45bb-bc87-21d778b4f26a"/> <cybox:Observable idref="mandiant:observable-6350d73a-0cf9-4e3c-a704-5eee07be7256"/> <cybox:Observable idref="mandiant:observable-e4dab820-2e18-4a8b-b8a0-5b1248582917"/> <cybox:Observable idref="mandiant:observable-c1b8c1c7-c06d-4b63-9cd5-d2e7aa87fb21"/> <cybox:Observable idref="mandiant:observable-22057da1-b30a-4599-b4bb-38cf23fbb901"/> <cybox:Observable idref="mandiant:observable-2e42b550-bc10-49d6-a825-f874c6e14c04"/> <cybox:Observable idref="mandiant:observable-72a5ab60-1f47-424d-813b-ae65a758e225"/> <cybox:Observable idref="mandiant:observable-bd8f33e8-6a47-4dcf-896c-5225c02a8bd9"/> <cybox:Observable idref="mandiant:observable-b9b87ccc-5aa2-4554-824d-787a850b7dac"/> <cybox:Observable idref="mandiant:observable-a0bfe4f6-d8df-4d11-876b-08ef669b4553"/> <cybox:Observable idref="mandiant:observable-aa1b340c-5e61-4f8f-9f21-8e87e14fdaaa"/> <cybox:Observable idref="mandiant:observable-5227b863-03a0-40f4-9fd2-8004d33de622"/> <cybox:Observable 
idref="mandiant:observable-b206336f-db82-4f51-a590-cf497a53eb6d"/> <cybox:Observable idref="mandiant:observable-318ccd10-f142-4ab1-a8b5-93f87f1664fd"/> <cybox:Observable idref="mandiant:observable-67cb8837-c241-494f-a7c4-f10bac886793"/> <cybox:Observable idref="mandiant:observable-b78e17ba-ebb5-448d-8e9e-c120e64f337a"/> <cybox:Observable idref="mandiant:observable-e002b6cf-c28e-402a-b5d0-d4c3e5e69e66"/> <cybox:Observable idref="mandiant:observable-4ac95aef-22ec-493e-a823-83507bc603e1"/> <cybox:Observable idref="mandiant:observable-a8d538dd-06c7-4a41-8b60-cad319d1ca2b"/> <cybox:Observable idref="mandiant:observable-5d888420-4bb5-4529-a187-d3413ffb84a4"/> <cybox:Observable idref="mandiant:observable-7b9f4be6-3c98-4e31-bcc8-f7ebaaa7d949"/> <cybox:Observable idref="mandiant:observable-862fa956-62d3-4aaa-a150-b40a1b3cdc01"/> <cybox:Observable idref="mandiant:observable-458b59bf-74af-44cc-9b41-e197cc79bd8a"/> <cybox:Observable idref="mandiant:observable-d02c2fc9-6726-4f1e-97e6-20f07fb0bd03"/> <cybox:Observable idref="mandiant:observable-9f4be87c-6055-4c18-8579-9bd9f9d051c4"/> <cybox:Observable idref="mandiant:observable-aaff5b41-1bc2-44bd-a983-e7e854200486"/> <cybox:Observable idref="mandiant:observable-460a7ef7-bac5-4457-8dc6-ada51fd21423"/> <cybox:Observable idref="mandiant:observable-e16f0a1c-d951-4e28-9f5b-b82769c8e849"/> <cybox:Observable idref="mandiant:observable-f08b5df1-8bf5-410a-b0e4-e1ddb59ba5d0"/> <cybox:Observable idref="mandiant:observable-df7d4c5f-4284-490a-a305-184b0bc6c36e"/> <cybox:Observable idref="mandiant:observable-f1a53a6b-b07a-42c0-a536-52fc85ea504e"/> <cybox:Observable idref="mandiant:observable-68314bc8-d123-474b-b099-307be8444ebd"/> <cybox:Observable idref="mandiant:observable-45be3930-807e-4944-81cc-056f84180d17"/> <cybox:Observable idref="mandiant:observable-47b65690-b881-434a-aa51-eaef07b2d1d3"/> <cybox:Observable idref="mandiant:observable-55ee87cf-467c-45d9-8193-e06417c649da"/> <cybox:Observable 
idref="mandiant:observable-e4c52af8-1b7a-4445-85f7-27be4bacf0c4"/> <cybox:Observable idref="mandiant:observable-73a5f71c-d892-4314-a09a-f3825878f366"/> <cybox:Observable idref="mandiant:observable-4096f69a-e7df-42dd-b074-5a6d8d3bb7d8"/> <cybox:Observable idref="mandiant:observable-fc68080d-e355-4e8a-a364-0fa53212491d"/> <cybox:Observable idref="mandiant:observable-c1add49c-34fa-45bc-8cba-3bb3b6b94d36"/> <cybox:Observable idref="mandiant:observable-4de1e7fa-5a91-48c3-83bb-3ad3df36f9a8"/> <cybox:Observable idref="mandiant:observable-16d2c8e0-8743-47d9-b0ff-11334904bc98"/> <cybox:Observable idref="mandiant:observable-48884b2b-ad30-4db8-8f3c-581f22d62b90"/> <cybox:Observable idref="mandiant:observable-8232c084-291c-4708-8621-630359641277"/> <cybox:Observable idref="mandiant:observable-182b86fb-ffec-4448-816f-e25e0ba3e927"/> <cybox:Observable idref="mandiant:observable-1ecb09bf-e519-408d-a92a-4bec3ef167b1"/> <cybox:Observable idref="mandiant:observable-469d5a32-a749-4e77-801f-28c5fe0f0121"/> <cybox:Observable idref="mandiant:observable-fd7d9f58-aa4a-4fa0-bbd5-6ed59aa9a8ab"/> <cybox:Observable idref="mandiant:observable-22eec523-087c-4b59-902c-b2a5f1df45f0"/> <cybox:Observable idref="mandiant:observable-677903f5-6e57-4b39-b290-151ba6e64fed"/> <cybox:Observable idref="mandiant:observable-1e1b5109-1c26-47f3-b27f-e3da4d1bf5dd"/> <cybox:Observable idref="mandiant:observable-67dc9478-25b9-44eb-bb64-e7849b9eea43"/> <cybox:Observable idref="mandiant:observable-69efd08f-e2f8-4cad-8cf8-d223be8ccdd9"/> <cybox:Observable idref="mandiant:observable-f6040ecd-84ef-4406-9997-0ffdfc6532e1"/> <cybox:Observable idref="mandiant:observable-05f84536-25ed-4200-bc4e-85854a2520bf"/> <cybox:Observable idref="mandiant:observable-99592600-6255-43e4-bdca-68c6e8d1d0fe"/> <cybox:Observable idref="mandiant:observable-0a172ac5-81f9-4e74-b7fc-e8fd3b156ff6"/> <cybox:Observable idref="mandiant:observable-5f3ca7cf-f431-4d67-874d-ce0429742120"/> <cybox:Observable 
idref="mandiant:observable-4753ad6e-f925-4d00-8b8a-93cd9a793961"/> <cybox:Observable idref="mandiant:observable-16ff8b63-7417-4ad3-af39-f5fc3293a81a"/> <cybox:Observable idref="mandiant:observable-1e515fc4-5298-4835-ac93-ccc29f70c273"/> <cybox:Observable idref="mandiant:observable-a96fc990-5cbf-4655-8119-ae542b9eb1a6"/> <cybox:Observable idref="mandiant:observable-6ecaf030-ef79-4a73-9176-cf8add0928ae"/> <cybox:Observable idref="mandiant:observable-c89cc114-47b9-4900-bde2-eed6e36fb1b0"/> <cybox:Observable idref="mandiant:observable-4e70e655-7d8b-47e3-87b2-2b78e4d24e4c"/> <cybox:Observable idref="mandiant:observable-33b87f92-bfe4-4cbc-a278-9f23b62c7872"/> <cybox:Observable idref="mandiant:observable-d7e3e563-91f7-4e47-bffc-41ed83c6dcf5"/> <cybox:Observable idref="mandiant:observable-8711b161-c87c-49ef-95e3-6e911e29df38"/> <cybox:Observable idref="mandiant:observable-a5a39c19-de7c-4537-b28e-eecb16ad5a69"/> <cybox:Observable idref="mandiant:observable-3fb9550e-647e-4470-844d-d3e4afbdfac4"/> <cybox:Observable idref="mandiant:observable-0f962e45-4e79-453d-b246-9d88c2e3ba3a"/> <cybox:Observable idref="mandiant:observable-9be9c7e6-ef4b-4098-a644-a81f62a47a68"/> <cybox:Observable idref="mandiant:observable-449d46a7-a9bb-4732-ba06-e10eaa0bc64d"/> <cybox:Observable idref="mandiant:observable-01d37248-c597-4266-95e1-6aabc1f7c1c9"/> <cybox:Observable idref="mandiant:observable-11e35c8c-ef8c-4000-b312-040c3e20d217"/> <cybox:Observable idref="mandiant:observable-f58b9ef8-d1e4-4c30-a610-cde6f2ee64c0"/> <cybox:Observable idref="mandiant:observable-f3768548-3229-44e3-9d18-5db1c1644dc7"/> <cybox:Observable idref="mandiant:observable-8ba28033-24e9-4b18-868a-0e239729c5ed"/> <cybox:Observable idref="mandiant:observable-9fed2d7d-2f5d-491f-b5ce-0183a298a3a2"/> <cybox:Observable idref="mandiant:observable-6522aad9-947b-4f63-a2be-20d0d0f26a9d"/> <cybox:Observable idref="mandiant:observable-bfdf0133-a503-4d67-be46-2cfb4be9f305"/> <cybox:Observable 
idref="mandiant:observable-7927d9ba-06fd-4a77-b3a7-cb3038d6afb5"/> <cybox:Observable idref="mandiant:observable-87b67e2a-ca0d-481f-b39e-1837ed188a57"/> <cybox:Observable idref="mandiant:observable-b9322946-8901-4d77-a1be-e466fd6601a4"/> <cybox:Observable idref="mandiant:observable-cb8c47c3-6fe5-49e3-b6c6-2d51ee247717"/> <cybox:Observable idref="mandiant:observable-c348c561-9c3f-49b9-9808-a170c48e5461"/> <cybox:Observable idref="mandiant:observable-36cfc9da-bf4f-4c12-bfef-2f840b50730e"/> <cybox:Observable idref="mandiant:observable-4fdee7b7-190e-4198-a3a7-bd46c5b2dfe5"/> <cybox:Observable idref="mandiant:observable-55820c9e-d099-4e0f-abe7-79d4d5e29ea8"/> <cybox:Observable idref="mandiant:observable-c5173eec-a8ad-4064-9ebf-8d8991e2eb60"/> <cybox:Observable idref="mandiant:observable-dfb7e07f-0306-4ec0-91be-26410393f1b4"/> <cybox:Observable idref="mandiant:observable-2eedbeb8-e2cc-4cd4-9dfa-ef29128b1f76"/> <cybox:Observable idref="mandiant:observable-51c7acd6-9d75-4ed4-a439-48c08b52b930"/> <cybox:Observable idref="mandiant:observable-86ce12af-1d2c-4de8-b488-aa1dcd582817"/> <cybox:Observable idref="mandiant:observable-7805a253-7812-4d78-baee-3f397ecb4ffd"/> <cybox:Observable idref="mandiant:observable-79829e8c-e486-4988-8985-72798b068a19"/> <cybox:Observable idref="mandiant:observable-9e3edd07-bc07-4e7b-a5f2-df985855a0ca"/> <cybox:Observable idref="mandiant:observable-b5a279f6-2539-41c7-97c0-c95e4072b099"/> <cybox:Observable idref="mandiant:observable-593686f2-abdd-4550-8c5c-564b1393afaa"/> <cybox:Observable idref="mandiant:observable-8147833c-a9c1-405a-b127-02d64bd9b75b"/> <cybox:Observable idref="mandiant:observable-47c27957-4181-4db6-a75e-bfaa93aa1e32"/> <cybox:Observable idref="mandiant:observable-8efe257a-6b96-4e36-8729-1f3694c81b9c"/> <cybox:Observable idref="mandiant:observable-fea984ed-f114-4ab0-aa3f-242eedd4e9fc"/> <cybox:Observable idref="mandiant:observable-fde7acb4-88a3-46ee-a098-ead6ed6e3907"/> <cybox:Observable 
idref="mandiant:observable-1c56079b-e20c-4bb0-a4aa-983bad429b05"/> <cybox:Observable idref="mandiant:observable-ff1d640b-7855-4b82-8d5f-a3a40aba300d"/> <cybox:Observable idref="mandiant:observable-89d01fdf-5347-4deb-973a-6014be53b868"/> <cybox:Observable idref="mandiant:observable-10ceb470-6f01-4b8a-944c-664851ad8c59"/> <cybox:Observable idref="mandiant:observable-63e0fc42-2bd4-47ed-8ec0-1806f476a424"/> <cybox:Observable idref="mandiant:observable-783c9b4c-e04e-4ee3-a5a3-18222996ee84"/> <cybox:Observable idref="mandiant:observable-97d31203-6d5a-4568-bf5b-495775b1c5f4"/> <cybox:Observable idref="mandiant:observable-9ab5d4a3-8172-41f6-ad34-b27086d2fc68"/> <cybox:Observable idref="mandiant:observable-2e19ed14-e88a-4beb-a45f-64f590d81fa8"/> <cybox:Observable idref="mandiant:observable-07cb9185-063f-430d-b0df-029e31f502bd"/> <cybox:Observable idref="mandiant:observable-4bae2960-7c8a-4d85-91c5-328e6695b792"/> <cybox:Observable idref="mandiant:observable-8ec00ab0-0761-476c-8b7b-e44777b2739d"/> <cybox:Observable idref="mandiant:observable-9f60046a-bba4-47f4-8d4c-c2b24ad0e510"/> <cybox:Observable idref="mandiant:observable-83dd19a8-795b-4267-ad35-a4e542c1a1d2"/> <cybox:Observable idref="mandiant:observable-5c763b02-2f45-49db-ae6d-df878f9ded97"/> <cybox:Observable idref="mandiant:observable-4db95248-85fc-4ae2-b82a-02a9964f643c"/> <cybox:Observable idref="mandiant:observable-a11bf49f-f485-4245-bd66-ce583d298dd0"/> <cybox:Observable idref="mandiant:observable-68c9dc95-3c0e-4b9e-b2e4-34b39b9558e3"/> <cybox:Observable idref="mandiant:observable-8f0226db-5e50-479b-bdd2-ed876a7eb536"/> <cybox:Observable idref="mandiant:observable-4e76fc0c-f5b8-4982-b42d-2cdacc6ef105"/> <cybox:Observable idref="mandiant:observable-3916d662-12e4-4e08-9c68-e3567d2882be"/> <cybox:Observable idref="mandiant:observable-bad6d471-29bc-4b8a-aacb-7ade3253a3f6"/> <cybox:Observable idref="mandiant:observable-a31ddb74-c0f2-4aa7-8d58-ab3957f92f61"/> <cybox:Observable 
idref="mandiant:observable-75598d7a-afd2-4f32-9768-5cb702bf51da"/> <cybox:Observable idref="mandiant:observable-3f922f45-81f4-4444-b308-3e0d933ff987"/> <cybox:Observable idref="mandiant:observable-8e172d1f-6059-4d66-b43b-2c1098394b11"/> <cybox:Observable idref="mandiant:observable-abf69db6-2486-42b2-b4cb-7dd045066953"/> <cybox:Observable idref="mandiant:observable-47074f5c-f25c-4c94-9285-7dd8354bce19"/> <cybox:Observable idref="mandiant:observable-1c0b8e7e-6839-47ad-a247-a55dbefb0ab0"/> <cybox:Observable idref="mandiant:observable-7d032780-5f9c-4a92-958e-b1bfc6eca02d"/> <cybox:Observable idref="mandiant:observable-6655c7f5-b472-4c7d-bad2-548cf4fa9ec6"/> <cybox:Observable idref="mandiant:observable-b7db2c18-a757-4e3c-8678-e0703beaf468"/> <cybox:Observable idref="mandiant:observable-08dd7a96-cfee-4761-94df-5a8c205819de"/> <cybox:Observable idref="mandiant:observable-6f2e80e6-7915-423f-8d00-266c3d2d955c"/> <cybox:Observable idref="mandiant:observable-7ebbcc68-a66e-4aa5-b4f5-3c764964f189"/> <cybox:Observable idref="mandiant:observable-2a53eb16-147e-44d9-b05d-1639874fd1c5"/> <cybox:Observable idref="mandiant:observable-4743d2c9-bb76-4e66-89fe-ee191ba344cb"/> <cybox:Observable idref="mandiant:observable-9e5cc91d-3f93-49aa-8c5a-4f1587e44fc2"/> <cybox:Observable idref="mandiant:observable-ee4a1db8-b481-4917-a571-dd42f67ce452"/> <cybox:Observable idref="mandiant:observable-7c0bc200-db6e-4f2a-b5a5-05f8f4af74bf"/> <cybox:Observable idref="mandiant:observable-9346ec75-3e2d-46ae-8ddb-d0cc07000d62"/> <cybox:Observable idref="mandiant:observable-66e24ed6-8651-407c-9cce-84eed875b4f2"/> <cybox:Observable idref="mandiant:observable-8a3d2388-fb2a-4729-a558-887cd499d01a"/> <cybox:Observable idref="mandiant:observable-d4e37669-26a0-434c-92db-136716a6ff35"/> <cybox:Observable idref="mandiant:observable-91bab107-f338-4ddf-a27f-30a4c312a6a9"/> <cybox:Observable idref="mandiant:observable-d019f76e-8ad0-446c-b9e2-55e8009541fd"/> <cybox:Observable 
idref="mandiant:observable-35ee3e81-018b-4f20-b6c6-cd1d87fc2bc9"/> <cybox:Observable idref="mandiant:observable-fe35e708-0ad7-4265-9cfa-1c1a95dfff46"/> <cybox:Observable idref="mandiant:observable-6dc2762a-2537-43f6-82e0-83aa2c5d4f3b"/> <cybox:Observable idref="mandiant:observable-c54ed757-c625-4793-85f9-cd252d27766a"/> <cybox:Observable idref="mandiant:observable-64b68c63-4e0f-4554-b2dd-80c69bdadee9"/> <cybox:Observable idref="mandiant:observable-2a176b0e-a5ff-4ddb-b71d-409ae64f6421"/> <cybox:Observable idref="mandiant:observable-9af90e26-5f6d-4d28-999b-1ac2e0070daf"/> <cybox:Observable idref="mandiant:observable-9ef8f35e-126b-4a82-9363-18a6c58f7a1c"/> <cybox:Observable idref="mandiant:observable-2f405b26-4ed9-42bb-b2df-0b2f72f84e0a"/> <cybox:Observable idref="mandiant:observable-520dcdaa-d471-4e30-9357-9f2a2de998b1"/> <cybox:Observable idref="mandiant:observable-4235e966-ca89-4152-bad5-3ccda3d91b7b"/> <cybox:Observable idref="mandiant:observable-98450866-adce-4de0-a983-9da010d69773"/> <cybox:Observable idref="mandiant:observable-4fad1b1f-da0f-4fa2-862f-0914d1acda36"/> <cybox:Observable idref="mandiant:observable-9321d1b2-d7d7-4280-82cb-8f509f08061f"/> <cybox:Observable idref="mandiant:observable-3e0d5906-dc92-44ff-83c1-a3b5d36a5a23"/> <cybox:Observable idref="mandiant:observable-c88f9908-09d9-4edf-88a1-d145a58dbfce"/> <cybox:Observable idref="mandiant:observable-2086c397-aeb8-49e3-801c-c6cd8f2dffe1"/> <cybox:Observable idref="mandiant:observable-ac23a385-168a-4417-866f-6f77bcf54c17"/> <cybox:Observable idref="mandiant:observable-fffcef61-8d62-4087-9547-1646798e6795"/> <cybox:Observable idref="mandiant:observable-1da4e5e4-add0-4a14-b068-9226010ba200"/> <cybox:Observable idref="mandiant:observable-89a1de8b-8909-40cd-9550-40fede1c34d2"/> <cybox:Observable idref="mandiant:observable-b9821754-15c1-4c1f-ad2e-03b6afb37dad"/> <cybox:Observable idref="mandiant:observable-5dded4ed-ee4e-4a14-96e2-c6d88765f6c9"/> <cybox:Observable 
idref="mandiant:observable-6580689b-fa05-42de-b122-b2aabf301ca3"/> <cybox:Observable idref="mandiant:observable-88bdff38-0be0-409e-8587-4d96d4493e35"/> <cybox:Observable idref="mandiant:observable-a2cde4e6-e17b-487a-b6fa-d5d8884b4084"/> <cybox:Observable idref="mandiant:observable-6c4ba9bd-abc0-4fb0-b6aa-fb4fa34b8b9f"/> <cybox:Observable idref="mandiant:observable-869563a4-10ba-477e-8c13-1c27ec4968c5"/> <cybox:Observable idref="mandiant:observable-df849d44-e90e-4224-83f8-da506a119fec"/> <cybox:Observable idref="mandiant:observable-f08e1658-4af5-412e-bf4d-a85a78b00c4b"/> <cybox:Observable idref="mandiant:observable-2da915b4-8247-49d2-a55d-17c548c37675"/> <cybox:Observable idref="mandiant:observable-37f1e8c5-9356-4435-8e4e-ae84da188dfc"/> <cybox:Observable idref="mandiant:observable-d663e045-3be0-4140-9ed7-0844c2a47403"/> <cybox:Observable idref="mandiant:observable-43b83cf6-f932-4d87-81bc-bf4ec5d85887"/> <cybox:Observable idref="mandiant:observable-088f65aa-e06d-4a8d-892d-31d3db8499b1"/> <cybox:Observable idref="mandiant:observable-9055cf95-35e3-4e9c-b628-e30d72704fd2"/> <cybox:Observable idref="mandiant:observable-d5d2e783-fa76-4737-a1f3-c26a31779c18"/> <cybox:Observable idref="mandiant:observable-b9063d6c-7704-4fbc-bab6-a01b333fe300"/> <cybox:Observable idref="mandiant:observable-4476d37f-d9c6-4d6e-9f55-ff026e152fef"/> <cybox:Observable idref="mandiant:observable-bdcb3388-374c-4ac3-abaf-1d4afd7a9173"/> <cybox:Observable idref="mandiant:observable-5282e97b-24d0-4152-aabe-80070dfc1b0a"/> <cybox:Observable idref="mandiant:observable-d15737cf-e233-47ec-9819-9edd83716ed6"/> <cybox:Observable idref="mandiant:observable-9a4ca9de-bc81-446a-ae17-6869eb21c60c"/> <cybox:Observable idref="mandiant:observable-43c2ca55-e3fe-43ec-a950-d610a5b293a0"/> <cybox:Observable idref="mandiant:observable-a787a4bc-d945-459d-8ab3-efea1265359b"/> <cybox:Observable idref="mandiant:observable-53751ff0-4533-4698-a1e3-5770b4974adb"/> <cybox:Observable 
idref="mandiant:observable-d92978d0-d5b5-4e87-a1c9-19ab6efca287"/> <cybox:Observable idref="mandiant:observable-f3911ad0-8cb2-4edf-beab-95be9455af49"/> <cybox:Observable idref="mandiant:observable-4a41070b-8762-4792-82b1-9b4f8db0f06a"/> <cybox:Observable idref="mandiant:observable-2ea1ff18-ac07-4243-87b2-7c82ef783c8d"/> <cybox:Observable idref="mandiant:observable-93d11fa9-9587-4590-b1e8-aebfb5070176"/> <cybox:Observable idref="mandiant:observable-f968c97e-7999-458d-afc2-4e928e39984d"/> <cybox:Observable idref="mandiant:observable-185da798-290c-435c-8994-43a7645a575b"/> <cybox:Observable idref="mandiant:observable-5fe0deb5-bbab-4b83-80da-7a63d92a2e25"/> <cybox:Observable idref="mandiant:observable-51655287-cc79-4448-b203-6b61fcaefa13"/> <cybox:Observable idref="mandiant:observable-1f71c3a6-dde2-439d-932a-855e91b438a0"/> <cybox:Observable idref="mandiant:observable-70ddfe18-a63c-4235-83e1-6b7c9a5d3e38"/> <cybox:Observable idref="mandiant:observable-d26c88a1-3b1e-4f19-a9f4-ad16b50dca0e"/> <cybox:Observable idref="mandiant:observable-d9fef6a6-d8ad-4bad-acfa-7bc1f49c5d73"/> <cybox:Observable idref="mandiant:observable-012ba2a6-2b89-4de3-bcb6-7b7c34e7bbee"/> <cybox:Observable idref="mandiant:observable-73eb05bb-beb0-4586-af65-56e3e3e41581"/> <cybox:Observable idref="mandiant:observable-bdf5bfa6-bd90-4bbb-876e-4a48308c5ca5"/> <cybox:Observable idref="mandiant:observable-c59164e3-4b60-45bc-bf6f-7f80313389ab"/> <cybox:Observable idref="mandiant:observable-62fc2294-a87f-41d3-94d6-bebc5a2e8c40"/> <cybox:Observable idref="mandiant:observable-3e02f3e0-d53f-4317-b860-a81caf177ffa"/> <cybox:Observable idref="mandiant:observable-0fb0253e-2883-4895-b750-25fbbedcf275"/> <cybox:Observable idref="mandiant:observable-1dfcc05d-4ced-4f92-b7ee-9c61c247d73c"/> <cybox:Observable idref="mandiant:observable-35bdb3f9-ff19-4ac6-b4c1-b7d814c865ec"/> <cybox:Observable idref="mandiant:observable-4f8cfd20-98c9-4ee7-a5d5-02e401584dc7"/> <cybox:Observable 
idref="mandiant:observable-5afa6c58-2164-42d0-9f1a-261d94f5fadd"/> <cybox:Observable idref="mandiant:observable-3e0db3ce-eb78-4bb8-90df-10a9951bba96"/> <cybox:Observable idref="mandiant:observable-eed26f95-dfad-49ed-95a8-8946da5e956b"/> <cybox:Observable idref="mandiant:observable-f93bd770-64d5-4d98-8c5e-51ceba961fe5"/> <cybox:Observable idref="mandiant:observable-df0abe73-e39c-4729-b6de-07eaf809a06e"/> <cybox:Observable idref="mandiant:observable-7917cbeb-d4e2-4400-aa6f-97354ce65c12"/> <cybox:Observable idref="mandiant:observable-a033aebf-5941-48c3-8246-aae43646a24b"/> <cybox:Observable idref="mandiant:observable-0cbbad3d-7e46-4131-a7cb-0015403d8ec8"/> <cybox:Observable idref="mandiant:observable-71f7afbc-5d7a-40fd-8814-5afb5ebe1fb9"/> <cybox:Observable idref="mandiant:observable-b76f0180-171b-4289-975d-0b297c611b01"/> <cybox:Observable idref="mandiant:observable-8b65e6cf-c8f9-41cd-86ff-63486bdd2fff"/> <cybox:Observable idref="mandiant:observable-77ee611b-ab46-4f0e-92cf-264f18642f06"/> <cybox:Observable idref="mandiant:observable-e3de49af-00d9-4b94-ac5f-98f75ab97e78"/> <cybox:Observable idref="mandiant:observable-fbec69a0-1f16-43f2-979f-0c1d8b0d4754"/> <cybox:Observable idref="mandiant:observable-f8a291a0-e468-4f0a-91c1-ec6ad5f09ae3"/> <cybox:Observable idref="mandiant:observable-dc175233-c223-4aa9-bb4a-894b3446ca06"/> <cybox:Observable idref="mandiant:observable-fad82e90-a9d0-4fcb-b01e-a5dddae5b4c2"/> <cybox:Observable idref="mandiant:observable-664459b1-7ccc-49a6-92a2-b092bdb9405c"/> <cybox:Observable idref="mandiant:observable-64667921-3dda-4be3-99ca-6aba304f39af"/> <cybox:Observable idref="mandiant:observable-15bb1783-edfb-430f-b63b-b8665a6f258d"/> <cybox:Observable idref="mandiant:observable-d90d60e4-87cf-48c7-bdfd-b77bba56c16c"/> <cybox:Observable idref="mandiant:observable-1f119b4a-52d3-4f96-8887-26f21242494f"/> <cybox:Observable idref="mandiant:observable-4134706e-76f2-4c67-b48a-af500ad938ad"/> <cybox:Observable 
idref="mandiant:observable-1a88042e-a9a4-4583-9232-d4b95e5c2b3d"/> <cybox:Observable idref="mandiant:observable-3b01a8db-9f22-41e7-ae85-52d54e798df8"/> <cybox:Observable idref="mandiant:observable-368d660c-f57d-424c-bf05-ef09ece30753"/> <cybox:Observable idref="mandiant:observable-ed5b1f55-5489-4287-adc0-f9b46eda97a6"/> <cybox:Observable idref="mandiant:observable-6945b6e7-0eef-4309-a0cf-4a92d542dffe"/> <cybox:Observable idref="mandiant:observable-d9ccf118-d55f-4783-9103-f76b6e4fcec4"/> <cybox:Observable idref="mandiant:observable-354ea984-7522-4960-a761-b309d326b200"/> <cybox:Observable idref="mandiant:observable-0eaf9915-dad4-4b8f-bf86-dc0bcec7a33a"/> <cybox:Observable idref="mandiant:observable-7c72475f-d056-4fe3-ab73-101611d9e050"/> <cybox:Observable idref="mandiant:observable-f753149f-e72e-4051-8be1-1d48ff7b0985"/> <cybox:Observable idref="mandiant:observable-2814c58c-f469-42d4-ab8f-5782b6e843ee"/> <cybox:Observable idref="mandiant:observable-4b2bbb39-4382-49f4-9fcb-40ad17fcd3d2"/> <cybox:Observable idref="mandiant:observable-317492f7-6198-4017-a686-f536529c7da2"/> <cybox:Observable idref="mandiant:observable-74afe37d-2e69-4269-a1a9-3cdb502e3a4e"/> <cybox:Observable idref="mandiant:observable-7c02e0a1-28db-4aba-8d8f-2a9d8fe1db0c"/> <cybox:Observable idref="mandiant:observable-83603ffd-0fe3-442f-80a9-189d05cc883f"/> <cybox:Observable idref="mandiant:observable-d268af83-9f7c-43a2-b67e-031bfc677e06"/> <cybox:Observable idref="mandiant:observable-990f92be-e5e8-4228-9f30-f008d16bf0f0"/> <cybox:Observable idref="mandiant:observable-80a87446-3744-4fc9-94c2-c0ff8927a146"/> <cybox:Observable idref="mandiant:observable-b1e96379-f0ad-4eed-bbf0-4e411ea27185"/> <cybox:Observable idref="mandiant:observable-af0d3664-4b72-4db6-91e9-ceccb5fe5f76"/> <cybox:Observable idref="mandiant:observable-ad4a59b2-f8b5-459c-85aa-71f4367fc442"/> <cybox:Observable idref="mandiant:observable-c618866f-3719-4d77-9b7e-eee12e3caa8e"/> <cybox:Observable 
idref="mandiant:observable-5d0aebb9-3281-4b02-a25d-d997c3bb3aae"/> <cybox:Observable idref="mandiant:observable-a018b42e-25cc-4604-bb73-b2e9419ecf8c"/> <cybox:Observable idref="mandiant:observable-32d2da10-ca33-4a29-9a24-6c4158d94605"/> <cybox:Observable idref="mandiant:observable-71d80966-1323-4030-b34b-13d82973bb0f"/> <cybox:Observable idref="mandiant:observable-428c2847-6378-45db-88bc-005927e9ab57"/> <cybox:Observable idref="mandiant:observable-07144b84-b05c-4608-a484-cf2886e88181"/> <cybox:Observable idref="mandiant:observable-58e4af5c-9583-4fee-994a-5dc18cb1aec5"/> <cybox:Observable idref="mandiant:observable-839b8651-a985-4816-b8bb-ad30d57400af"/> <cybox:Observable idref="mandiant:observable-34015cfb-ae38-4697-be62-bc016557ee06"/> <cybox:Observable idref="mandiant:observable-b4555884-e09f-49d0-b6fc-f63c16711a03"/> <cybox:Observable idref="mandiant:observable-76ad1132-f79d-408f-8390-939ed7982c66"/> <cybox:Observable idref="mandiant:observable-d02a4d17-ec99-4300-9d2d-c9aa333b1d3b"/> <cybox:Observable idref="mandiant:observable-098ede67-d96a-406f-923f-c6977813832c"/> <cybox:Observable idref="mandiant:observable-37d0769a-5dcf-4609-8afb-90595f39d77b"/> <cybox:Observable idref="mandiant:observable-c5f80571-4e93-4053-9ac8-a25776622693"/> <cybox:Observable idref="mandiant:observable-df4d6419-524c-4b89-8218-0b7c495b4305"/> <cybox:Observable idref="mandiant:observable-73837ae9-5393-437d-947a-a4d4a17bf964"/> <cybox:Observable idref="mandiant:observable-151873b9-8598-442d-b96c-799dfb497cad"/> <cybox:Observable idref="mandiant:observable-f85062a7-3934-4d0c-86b6-bd5032fc11dc"/> <cybox:Observable idref="mandiant:observable-1868f15b-146f-4c7f-858a-53dbcc900133"/> <cybox:Observable idref="mandiant:observable-d1b9483a-c326-4949-8044-c7c39c4b6cfe"/> <cybox:Observable idref="mandiant:observable-857dc5fe-24f5-4b0d-9c38-69e28ea5fef9"/> <cybox:Observable idref="mandiant:observable-b41f646e-1781-43ed-9ff6-54e72acf50d5"/> <cybox:Observable 
idref="mandiant:observable-88e7ee9c-16ab-4fbe-ae99-357017dae33a"/> <cybox:Observable idref="mandiant:observable-d5920dff-f203-4c72-9031-748b433e909a"/> <cybox:Observable idref="mandiant:observable-b2aa045b-1b4e-4d8f-9d85-6b79e37fdd92"/> <cybox:Observable idref="mandiant:observable-2240b2b1-60d1-433c-8553-2ba4fbd5234a"/> <cybox:Observable idref="mandiant:observable-328f45ed-58bd-4475-872f-59223c705fe9"/> <cybox:Observable idref="mandiant:observable-56ba3bad-7aa7-4f3b-96c9-c4e59a64d1d2"/> <cybox:Observable idref="mandiant:observable-67ca1d0e-4554-4b30-938d-01bde2e478a0"/> <cybox:Observable idref="mandiant:observable-903f9f1b-4f53-4677-a457-0fa90cde0cfa"/> <cybox:Observable idref="mandiant:observable-ff68ae15-306d-4e5d-a7fc-880f42b2382f"/> <cybox:Observable idref="mandiant:observable-977f8b7c-7770-4e13-94b4-34b1e5543989"/> <cybox:Observable idref="mandiant:observable-dab1b4a0-46f5-4170-9d03-202dc2f4d5ad"/> <cybox:Observable idref="mandiant:observable-fa65191b-3f33-4f9d-b338-abeec6467f30"/> <cybox:Observable idref="mandiant:observable-50d28e11-daca-401f-b06c-cf97e79ac644"/> <cybox:Observable idref="mandiant:observable-c67ffe5f-bb76-4e0e-b597-a6f135c62e44"/> <cybox:Observable idref="mandiant:observable-99590a09-5285-46fd-834c-f7849726fe7e"/> <cybox:Observable idref="mandiant:observable-da1079ca-df4a-441b-948e-1a573f676689"/> <cybox:Observable idref="mandiant:observable-087e6bd3-a429-4779-b688-4e32e6d74a48"/> <cybox:Observable idref="mandiant:observable-0bd6f414-d5af-4a85-bf84-377abb903c21"/> <cybox:Observable idref="mandiant:observable-e7257d4c-a18c-4e83-be75-b40a7b739d19"/> <cybox:Observable idref="mandiant:observable-5e7f8377-891e-4d53-aa40-9d662477d567"/> <cybox:Observable idref="mandiant:observable-df2cea97-90d2-426f-930b-b783f49ee095"/> <cybox:Observable idref="mandiant:observable-b73ed629-7f0a-4ed2-8ade-38f2c4061dd4"/> <cybox:Observable idref="mandiant:observable-6de65dff-bc02-406e-8776-e70e287dd597"/> <cybox:Observable 
idref="mandiant:observable-7a2f2582-73a8-4a06-b52b-c589bedda1ad"/> <cybox:Observable idref="mandiant:observable-f384c66b-37ac-4acf-8d72-55b04dd6a9c0"/> <cybox:Observable idref="mandiant:observable-7fd10ee3-26ec-414e-b4b4-878f91436912"/> <cybox:Observable idref="mandiant:observable-b2e13e8b-952f-4a59-be04-dfdf5eca3f8c"/> <cybox:Observable idref="mandiant:observable-b9f05433-78c0-4082-ab10-3a78b7ab2a5d"/> <cybox:Observable idref="mandiant:observable-976eb5ba-0810-4afd-a3c1-2a04d8e9c2c4"/> <cybox:Observable idref="mandiant:observable-ca570199-0523-4f49-bfb4-a7be03752326"/> <cybox:Observable idref="mandiant:observable-6a9a8058-7045-4722-9d07-c778f29691c2"/> <cybox:Observable idref="mandiant:observable-82c4f0c2-0ab2-456a-852b-48a768aa9dee"/> <cybox:Observable idref="mandiant:observable-d108d2a2-e41f-42ac-aa6e-42b23cc74e93"/> <cybox:Observable idref="mandiant:observable-22b11880-c237-480f-ae52-917a7ed55566"/> <cybox:Observable idref="mandiant:observable-d171f8b5-21c0-4c5c-a3bc-cbe127692c0d"/> <cybox:Observable idref="mandiant:observable-9ab45d6b-565e-4b64-b93f-b23e687937ae"/> <cybox:Observable idref="mandiant:observable-ea867aab-ee81-42aa-a6f2-2b7515972a4b"/> <cybox:Observable idref="mandiant:observable-4e840329-9123-4119-9ce0-1fca6fa7c3c4"/> <cybox:Observable idref="mandiant:observable-5dbc4c91-60d8-42d8-b1e7-b107c6fd80a4"/> <cybox:Observable idref="mandiant:observable-66cd7040-0c0d-4d63-8b74-b6f9b948e1ee"/> <cybox:Observable idref="mandiant:observable-17bae05f-e5e9-47f2-b1f9-9d6cce455b19"/> <cybox:Observable idref="mandiant:observable-6fc8e033-46f5-4457-b09c-72ef013d8d01"/> <cybox:Observable idref="mandiant:observable-330d109e-d67d-400c-8782-d419d8c8fdea"/> <cybox:Observable idref="mandiant:observable-cdc14485-a104-416a-a6e9-b5a0053b4e14"/> <cybox:Observable idref="mandiant:observable-432017a3-cf8e-46c7-9c2b-9abd9347aaa4"/> <cybox:Observable idref="mandiant:observable-5c4f91ef-b91f-4214-b8e3-d0093dc1d713"/> <cybox:Observable 
idref="mandiant:observable-47462879-ba51-4c06-b184-ac6f24fde5a7"/> <cybox:Observable idref="mandiant:observable-f780ed3e-99a5-42a6-b87e-34239a9e9f98"/> <cybox:Observable idref="mandiant:observable-085bdd85-79a6-442b-982e-728cec1f0edb"/> <cybox:Observable idref="mandiant:observable-9788ddbd-d0f6-4775-b4dd-2b0824f23aef"/> <cybox:Observable idref="mandiant:observable-d6d47b03-1b98-4da1-8947-ec1b39571d67"/> <cybox:Observable idref="mandiant:observable-cad6845d-48ab-4dba-80c1-11a4d24287fc"/> <cybox:Observable idref="mandiant:observable-9cf44dd1-bc08-4ce1-9c3f-5cf36d2e9554"/> <cybox:Observable idref="mandiant:observable-ee53f8a8-b073-4a23-ac53-5a2bcc248c2b"/> <cybox:Observable idref="mandiant:observable-13944004-8d57-46a8-9095-7f3627028bb2"/> <cybox:Observable idref="mandiant:observable-b79b4e26-9906-47b1-97e8-7851dd4ca153"/> <cybox:Observable idref="mandiant:observable-04f95431-b14d-43c2-a469-76ec2dfca5d2"/> <cybox:Observable idref="mandiant:observable-5ce072f5-455d-4457-9a55-e43f796b05c8"/> <cybox:Observable idref="mandiant:observable-4c60995e-0101-422c-aa6a-442bd4c72274"/> <cybox:Observable idref="mandiant:observable-f23cad9e-d703-48cd-bdf4-6c4c51587d1b"/> <cybox:Observable idref="mandiant:observable-efd2b400-30a3-44e4-b9c6-e998bf1bd7d1"/> <cybox:Observable idref="mandiant:observable-8791f0d6-eb97-4dbc-bd90-bacff1692af4"/> <cybox:Observable idref="mandiant:observable-58428dae-3ddf-45b1-b9d6-191fbf15386e"/> <cybox:Observable idref="mandiant:observable-77056ecd-8481-41ba-8a52-f6ebbb2f4672"/> <cybox:Observable idref="mandiant:observable-18fa2007-837a-4d7f-a497-4726d84e5e63"/> <cybox:Observable idref="mandiant:observable-e95325be-a318-46f2-a3f3-3666164bd40d"/> <cybox:Observable idref="mandiant:observable-d3ae8857-2edd-4c7b-b030-97e02aff3d93"/> <cybox:Observable idref="mandiant:observable-fc57d943-b0a7-414e-aff4-06c3dc1dca8a"/> <cybox:Observable idref="mandiant:observable-9a29dd0d-ad67-42eb-9e3f-d2e7e485099f"/> <cybox:Observable 
idref="mandiant:observable-a91296f4-e0e0-454d-8fae-a8a55a77e457"/> <cybox:Observable idref="mandiant:observable-79abb1a5-bbf6-43af-8467-532f71c6dd87"/> <cybox:Observable idref="mandiant:observable-04e77da2-5b8a-412b-a399-f469ec0e04b6"/> <cybox:Observable idref="mandiant:observable-00351da5-c885-484e-bc72-aad44ed08e51"/> <cybox:Observable idref="mandiant:observable-7bd94800-81f8-4dfa-b249-03d98b0b9606"/> <cybox:Observable idref="mandiant:observable-33c801e0-2c42-4dd8-b596-2db00964a928"/> <cybox:Observable idref="mandiant:observable-59522153-7522-482b-8bb6-010211a6737a"/> <cybox:Observable idref="mandiant:observable-0b06b091-69d3-4914-a234-bdf613539c68"/> <cybox:Observable idref="mandiant:observable-db9d2702-a55a-406e-9d02-46afead92b6e"/> <cybox:Observable idref="mandiant:observable-f17fffc0-839f-4ad1-8d74-0db32124b8e6"/> <cybox:Observable idref="mandiant:observable-81a255ee-0927-4ad9-9fba-9aab5e6cd76f"/> <cybox:Observable idref="mandiant:observable-5849c3c1-d099-4733-b03e-8c56711194d0"/> <cybox:Observable idref="mandiant:observable-f08759f3-d4cc-4309-a7e2-8c6fdbbce80b"/> <cybox:Observable idref="mandiant:observable-2ccebfa9-1eaa-460e-9341-8a96a2ff7a2b"/> <cybox:Observable idref="mandiant:observable-f547229b-7a04-431e-b56b-09ac98678697"/> <cybox:Observable idref="mandiant:observable-7215d193-972f-444c-aa18-a61daabc04a6"/> <cybox:Observable idref="mandiant:observable-c1343674-dd87-49a0-a4a3-a27d0818dc18"/> <cybox:Observable idref="mandiant:observable-b7c91545-2a05-4b62-b1dd-1fb71e82ab89"/> <cybox:Observable idref="mandiant:observable-e3b2626b-c7d3-4a44-a824-6bf850243237"/> <cybox:Observable idref="mandiant:observable-ff943c0a-9e58-4386-ad14-34015d84e415"/> <cybox:Observable idref="mandiant:observable-1440d9e1-ac2b-4070-9c52-18c09764e9e5"/> <cybox:Observable idref="mandiant:observable-3439977d-e115-4d8f-b132-0ad1d43a03f9"/> <cybox:Observable idref="mandiant:observable-710c48a6-5469-4bd4-92eb-e42e88513684"/> <cybox:Observable 
idref="mandiant:observable-7141fe94-297a-4e1b-84ae-27750d6ca75f"/> <cybox:Observable idref="mandiant:observable-084208aa-67d9-4c4f-94b6-f6473e2d2145"/> <cybox:Observable idref="mandiant:observable-c0e76f51-65b3-4674-8f40-0e9f3c0aad5e"/> <cybox:Observable idref="mandiant:observable-8e459a03-786e-43e3-855b-e20e6335e26b"/> <cybox:Observable idref="mandiant:observable-925a2eca-69c1-4ffb-b40f-2cacb6b7a5cb"/> <cybox:Observable idref="mandiant:observable-82dd6cbd-30f3-4cea-a8c9-740a546241d4"/> <cybox:Observable idref="mandiant:observable-b3633486-591f-4efb-b237-0e4fb02ad91c"/> <cybox:Observable idref="mandiant:observable-e63613fd-a9a1-4a98-ad5a-fdc220e0441f"/> <cybox:Observable idref="mandiant:observable-fabb74b2-60b0-41d4-a5c0-36352424c0e5"/> <cybox:Observable idref="mandiant:observable-a6b24c9d-1a03-45af-914b-6acf27687c54"/> <cybox:Observable idref="mandiant:observable-01537a75-9e1b-40ca-8f89-9c86be215732"/> <cybox:Observable idref="mandiant:observable-351316b2-0c9e-4f14-8378-2c501708d770"/> <cybox:Observable idref="mandiant:observable-0c587488-54ba-4632-842b-61bf5f1312af"/> <cybox:Observable idref="mandiant:observable-afa38bcf-b80a-47ee-9c0a-2fdf6dba7f9e"/> <cybox:Observable idref="mandiant:observable-1a17e869-fc4d-41da-b236-9dbcb88d6ff2"/> <cybox:Observable idref="mandiant:observable-7e48992d-2ff8-4f80-9889-8f35073af141"/> <cybox:Observable idref="mandiant:observable-5a7e8dc6-f0af-4758-850b-0df033d97e1a"/> <cybox:Observable idref="mandiant:observable-0c04da43-6de5-4333-a254-8242134172c5"/> <cybox:Observable idref="mandiant:observable-6023b32f-45a6-47ea-ac7c-fbffd35f6e80"/> <cybox:Observable idref="mandiant:observable-2935559c-5d93-4b38-9e37-4e5f2b6286f9"/> <cybox:Observable idref="mandiant:observable-dfcc4c5d-2f42-41c4-9f23-47761e3b131b"/> <cybox:Observable idref="mandiant:observable-0d4c14c4-1429-4ccd-a920-2b2a0d1e41f2"/> <cybox:Observable idref="mandiant:observable-3eb5f738-d087-4dc5-8163-8223166aa1ca"/> <cybox:Observable 
idref="mandiant:observable-7eb89e1e-6d8b-44e7-97ac-5506f6011ac9"/> <cybox:Observable idref="mandiant:observable-f3ad0de3-9089-49e6-8089-e5833e066c20"/> <cybox:Observable idref="mandiant:observable-4ffae2b5-e390-4300-93f7-34c5fcc55faf"/> <cybox:Observable idref="mandiant:observable-f080431e-deb2-48f1-8daf-cc3fb38f2808"/> <cybox:Observable idref="mandiant:observable-59a60655-c1e2-449d-b3bd-42a445a7e6bd"/> <cybox:Observable idref="mandiant:observable-3a115c77-5a93-4252-bdd7-5c6d15a72786"/> <cybox:Observable idref="mandiant:observable-245a22dc-f856-4b97-85a0-7429e8b5fd48"/> <cybox:Observable idref="mandiant:observable-abb701e7-f05a-40b0-8fdd-4b5ffa109252"/> <cybox:Observable idref="mandiant:observable-66bf87e0-dc35-49ae-9dad-4a9eab4d8e7c"/> <cybox:Observable idref="mandiant:observable-8aa681bc-f5be-489b-b449-203212e81e58"/> <cybox:Observable idref="mandiant:observable-07122710-2023-41d4-8dff-a5948c54bb07"/> <cybox:Observable idref="mandiant:observable-267cf04a-b1ea-4756-90ca-442de0f74be9"/> <cybox:Observable idref="mandiant:observable-dfe18b38-c8d3-45d6-8542-28d37227eb3d"/> <cybox:Observable idref="mandiant:observable-edadff3c-51cd-447f-8ca0-24abec5e8d88"/> <cybox:Observable idref="mandiant:observable-dfc0f5ed-e8f0-469a-81c1-86514e485600"/> <cybox:Observable idref="mandiant:observable-0f8190de-760a-430e-b46e-10ac3f60e2c9"/> <cybox:Observable idref="mandiant:observable-3af82cfc-5792-4879-bc4b-69cac7e8a0fa"/> <cybox:Observable idref="mandiant:observable-6aec48e0-76df-497c-ace5-477f7db586c9"/> <cybox:Observable idref="mandiant:observable-a937d71f-de57-406b-a918-7a2d732bb11b"/> <cybox:Observable idref="mandiant:observable-45c9f5f6-edfa-4800-adf7-c05a70430c2f"/> <cybox:Observable idref="mandiant:observable-168d2376-1ff6-42b9-9718-08aa6bce57c8"/> <cybox:Observable idref="mandiant:observable-28e9d169-d549-4d1f-b23d-7ca36febe76b"/> <cybox:Observable idref="mandiant:observable-05651fe8-64d2-47b5-a874-3e78e7918917"/> <cybox:Observable 
idref="mandiant:observable-103cfa65-fa42-41f0-96c8-0ddc0cbdafa7"/> <cybox:Observable idref="mandiant:observable-2277e6c7-48dd-49b0-a53b-53951f85421d"/> <cybox:Observable idref="mandiant:observable-6896db08-5da6-40ba-9245-2a2a61354db8"/> <cybox:Observable idref="mandiant:observable-6093b5cd-f834-4716-946a-747ebcdbe33a"/> <cybox:Observable idref="mandiant:observable-3b8f989c-920f-47a6-984e-93806bba70cc"/> <cybox:Observable idref="mandiant:observable-18ed243e-cac8-4a2d-b507-b5363a2ecc24"/> <cybox:Observable idref="mandiant:observable-7fc17be6-604f-4b4f-afb6-f4c6880377cd"/> <cybox:Observable idref="mandiant:observable-0397d8b8-47de-4cb2-864a-599325b84582"/> <cybox:Observable idref="mandiant:observable-e5d8c061-332a-4269-b47a-e0115b71bca8"/> <cybox:Observable idref="mandiant:observable-81db5dfe-ca08-4323-ba33-29d97a4219ce"/> <cybox:Observable idref="mandiant:observable-116c0cc0-aaac-46be-927b-5d19de4b3b98"/> <cybox:Observable idref="mandiant:observable-b99065f7-605d-427f-85b0-3b448510d7e3"/> <cybox:Observable idref="mandiant:observable-5c27487c-532e-45ec-bd2e-e535ae07ed67"/> <cybox:Observable idref="mandiant:observable-a33e7133-7c6c-437a-9583-8ee69782fded"/> <cybox:Observable idref="mandiant:observable-370861b5-15a4-4a19-bf7a-bb9616af3a77"/> <cybox:Observable idref="mandiant:observable-f46f394f-9ccd-4edf-b5a2-c8d4a95b2688"/> <cybox:Observable idref="mandiant:observable-9f53293c-3309-4f71-948c-e3cc1c143548"/> <cybox:Observable idref="mandiant:observable-97dec2ec-a86e-4f4d-8255-e9bdb1a1db29"/> <cybox:Observable idref="mandiant:observable-bede4de9-36e7-4c4e-99a2-3b1a7a07e19c"/> <cybox:Observable idref="mandiant:observable-525c226b-b43f-4441-881a-87389b32bde2"/> <cybox:Observable idref="mandiant:observable-bce5d153-cfdc-418d-9fe8-df23e0c3e9b5"/> <cybox:Observable idref="mandiant:observable-98cdc7cb-1025-4ccc-8e08-cd0527be057d"/> <cybox:Observable idref="mandiant:observable-4b05928f-343e-4617-9b25-706e1cfc09e3"/> <cybox:Observable 
idref="mandiant:observable-f02a9717-96f7-4748-a287-ad56d96c9617"/> <cybox:Observable idref="mandiant:observable-26006d09-1a1f-4d35-9a18-21785ad5c5dc"/> <cybox:Observable idref="mandiant:observable-bf5f8836-b3b8-4775-8de1-23b62b36c079"/> <cybox:Observable idref="mandiant:observable-e345f9da-ffd5-46ea-82bd-0682a69c8b99"/> <cybox:Observable idref="mandiant:observable-ccb64070-590a-4b86-967d-87379102b7a5"/> <cybox:Observable idref="mandiant:observable-49c429e4-c709-4830-b312-5d0bb0c8ad97"/> <cybox:Observable idref="mandiant:observable-3bc28d73-633a-43c4-875c-c2cb7551ba44"/> <cybox:Observable idref="mandiant:observable-e8649b93-b7d3-4602-ab29-22443412e013"/> <cybox:Observable idref="mandiant:observable-dad60ab8-b908-4f3c-b4b6-e748eb0af215"/> <cybox:Observable idref="mandiant:observable-440f5cbd-e265-4729-8a03-d31f4949bbee"/> <cybox:Observable idref="mandiant:observable-f5cec6df-5f6d-42a3-aa32-1b3cf57a2f4d"/> <cybox:Observable idref="mandiant:observable-69442a84-08eb-472d-84cb-d78aa05511d2"/> <cybox:Observable idref="mandiant:observable-d7441823-0ef0-44c2-8350-d1456c41847f"/> <cybox:Observable idref="mandiant:observable-e6b7c876-636c-490c-b507-72fa142405c8"/> <cybox:Observable idref="mandiant:observable-c39e7b9f-08bc-4a3a-adec-7c8704385d01"/> <cybox:Observable idref="mandiant:observable-f79746e0-651d-4559-90f1-cbc0120a32ff"/> <cybox:Observable idref="mandiant:observable-275ec552-99da-4afd-9bbe-dbd8dd279990"/> <cybox:Observable idref="mandiant:observable-9bf46e24-9fe4-4efc-9fa5-72ea44503571"/> <cybox:Observable idref="mandiant:observable-3056cb61-e438-4cbf-ba68-bff7077a5652"/> <cybox:Observable idref="mandiant:observable-63a99629-9927-429a-84ef-0f4e2a3b1367"/> <cybox:Observable idref="mandiant:observable-ba0d89bb-cef0-4bd7-a4ec-8d28e683e220"/> <cybox:Observable idref="mandiant:observable-3ca10b1b-5286-42d3-8d5a-74e658bdfb9b"/> <cybox:Observable idref="mandiant:observable-545f8c89-f07a-4273-afe0-ae939c34801e"/> <cybox:Observable 
idref="mandiant:observable-5ba1ef54-b240-4048-81e5-3bf13c725f69"/> <cybox:Observable idref="mandiant:observable-3a423788-f71e-484c-abed-7c00670bfdba"/> <cybox:Observable idref="mandiant:observable-881822be-3dc1-403a-af0e-07376032fa5f"/> <cybox:Observable idref="mandiant:observable-404e40f9-107a-4dad-8dc2-0dc64f141b24"/> <cybox:Observable idref="mandiant:observable-5819d156-9b7a-4d9c-a67c-d6290182d27c"/> <cybox:Observable idref="mandiant:observable-6def3e89-8836-4a8c-ba46-2285da79863f"/> <cybox:Observable idref="mandiant:observable-5261246b-3eb6-4516-9681-7d5b0c1ce8f9"/> <cybox:Observable idref="mandiant:observable-38c036dd-c7e8-4035-b29e-00af763e2ae6"/> <cybox:Observable idref="mandiant:observable-b52a9718-e8e5-4cb0-a837-a37289ea5d9f"/> <cybox:Observable idref="mandiant:observable-cef3482b-70b5-4d5b-a9f2-6a42fc5b975f"/> <cybox:Observable idref="mandiant:observable-bb22d9c5-efa2-452a-baee-0cf6faf0dcce"/> <cybox:Observable idref="mandiant:observable-8ca56c7a-0b17-4be8-8848-8eba311bc883"/> <cybox:Observable idref="mandiant:observable-c3852e5f-f117-4b98-b404-f3df59bf70eb"/> <cybox:Observable idref="mandiant:observable-e24a0c6b-e6bd-4d4a-807e-ed444756f35e"/> <cybox:Observable idref="mandiant:observable-d93d3e6b-8e75-4066-ad27-4ab3c8ddc366"/> <cybox:Observable idref="mandiant:observable-04d2b17b-0de9-4e52-be72-0370587a1e10"/> <cybox:Observable idref="mandiant:observable-b316fe53-7c0d-4ce4-b425-6595d5ab17c7"/> <cybox:Observable idref="mandiant:observable-1ad0f0bd-5b9c-483a-ae66-08106e1403af"/> <cybox:Observable idref="mandiant:observable-326ffec2-dc36-4878-b9e2-5e9e84386b57"/> <cybox:Observable idref="mandiant:observable-96e47165-509c-49a0-ae31-14a52698d1d9"/> <cybox:Observable idref="mandiant:observable-5a178b25-59fd-4177-8f57-48f7d497d24a"/> <cybox:Observable idref="mandiant:observable-23042542-a9a7-4aeb-b961-fd30b9f087da"/> <cybox:Observable idref="mandiant:observable-0f2cf480-7862-4df6-a1b8-a7dfb8e52da5"/> <cybox:Observable 
idref="mandiant:observable-359593a1-2f92-4e19-9ae6-baa0029e6398"/> <cybox:Observable idref="mandiant:observable-add1cad1-09f7-4557-bd37-30fc1b8c7d8a"/> <cybox:Observable idref="mandiant:observable-e91938e3-5fd9-4db3-8168-799fa6f2d1ba"/> <cybox:Observable idref="mandiant:observable-2bb6ca2f-11a8-43c8-81a6-76b822424088"/> <cybox:Observable idref="mandiant:observable-e01a57c5-4648-42a0-a93d-c9371a880da2"/> <cybox:Observable idref="mandiant:observable-85d70fe6-c617-4e6b-a322-52c61fdb9fe5"/> <cybox:Observable idref="mandiant:observable-e86f7f6d-382c-413c-ad3c-d788d6c3def4"/> <cybox:Observable idref="mandiant:observable-c671e8b1-5cb9-47dc-b5b4-70605a357be5"/> <cybox:Observable idref="mandiant:observable-4cb4ee77-cc29-4f5c-bcb1-ea831ba89413"/> <cybox:Observable idref="mandiant:observable-359b1769-35f5-44fe-93fb-88cb8524a50e"/> <cybox:Observable idref="mandiant:observable-0026de5f-5b36-4f6e-9930-1ec7ebede534"/> <cybox:Observable idref="mandiant:observable-398ba8ea-cf1c-4598-a1f6-6780370d5ceb"/> <cybox:Observable idref="mandiant:observable-e60f9259-80ef-4ec7-bcff-f9c34a78bdc2"/> <cybox:Observable idref="mandiant:observable-9132c73d-3ea0-468e-9f23-3cfc63d34e4b"/> <cybox:Observable idref="mandiant:observable-19a43f99-f9e5-4186-913b-3250064505c0"/> <cybox:Observable idref="mandiant:observable-d0e4c8ff-6425-4f6d-8d89-40fe33d249dd"/> <cybox:Observable idref="mandiant:observable-31c11f44-44bf-47d9-8257-71a9e103c43d"/> <cybox:Observable idref="mandiant:observable-bc07cc72-4752-43b3-8541-24eb6f9f7653"/> <cybox:Observable idref="mandiant:observable-9eb5e05e-70b8-473c-8f59-b52a58b0dda9"/> <cybox:Observable idref="mandiant:observable-6d0d4fc3-a1aa-40b6-bb1a-1815879bc7ea"/> <cybox:Observable idref="mandiant:observable-794fa688-9801-4524-bb96-e702aa916617"/> <cybox:Observable idref="mandiant:observable-797c48e1-5c0b-425a-afc2-7f1830c06e1b"/> <cybox:Observable idref="mandiant:observable-86e1d024-8f84-4e9f-9c1c-5e7decddfaaf"/> <cybox:Observable 
idref="mandiant:observable-d2337907-5f47-40a0-b52f-5d764b6dbf49"/> <cybox:Observable idref="mandiant:observable-1098380e-281b-4e66-be75-c614cc97ea40"/> <cybox:Observable idref="mandiant:observable-44686d0b-7211-4e71-866a-aa8006fe12d2"/> <cybox:Observable idref="mandiant:observable-abf4682a-d32d-4ae8-85be-97ae4e3728f0"/> <cybox:Observable idref="mandiant:observable-54faec0a-b2a7-4ea7-93ff-f3644eb1d8fb"/> <cybox:Observable idref="mandiant:observable-982e8250-4a6a-40c9-9264-324a62f3f41d"/> <cybox:Observable idref="mandiant:observable-c20a79fe-4ccd-410a-ad6f-0aa6e7339a08"/> <cybox:Observable idref="mandiant:observable-541ffaec-8c22-4e82-9446-24b49d3599ce"/> <cybox:Observable idref="mandiant:observable-1e4b6646-b454-4d33-be79-03246949326a"/> <cybox:Observable idref="mandiant:observable-06d294e5-8e21-4987-a717-c078fef58614"/> <cybox:Observable idref="mandiant:observable-d70f3afa-092f-4198-a97c-e60eeaa920e9"/> <cybox:Observable idref="mandiant:observable-da7098e0-928c-47ad-acdf-a5e0b31a2b9e"/> <cybox:Observable idref="mandiant:observable-d53a3508-d5bb-4210-bbc0-3a0189d4b976"/> <cybox:Observable idref="mandiant:observable-63dbd09a-2167-4f2c-a4eb-a59a5eb42fb1"/> <cybox:Observable idref="mandiant:observable-23372f15-d5d9-484a-a8b5-48f8a71cae9a"/> <cybox:Observable idref="mandiant:observable-d347c5aa-8573-45e9-b317-4cd48fb33309"/> <cybox:Observable idref="mandiant:observable-bb6a7d86-ccdc-49ad-a300-233466090cb3"/> <cybox:Observable idref="mandiant:observable-6ea1dc10-cf21-4bc9-9936-517e0372a2e9"/> <cybox:Observable idref="mandiant:observable-0eacc6b9-d3db-4732-bdea-c00c11c89584"/> <cybox:Observable idref="mandiant:observable-fc004b7b-ba76-4764-9f3d-d3aaa1b51487"/> <cybox:Observable idref="mandiant:observable-77baa40c-7ddb-4101-9b7b-46fd979b1a8f"/> <cybox:Observable idref="mandiant:observable-4ef42795-799a-4a7b-aef5-8b942034c6c6"/> <cybox:Observable idref="mandiant:observable-48a2a6d8-1393-4c20-be66-15b03dd4ca94"/> <cybox:Observable 
idref="mandiant:observable-3711ab1f-5879-4e86-8796-0226d7e9523e"/> <cybox:Observable idref="mandiant:observable-e8570a77-faaa-4422-a627-30707bf45c36"/> <cybox:Observable idref="mandiant:observable-54c18359-178d-4321-9479-b5037e24cc53"/> <cybox:Observable idref="mandiant:observable-35fa316a-2915-4435-aaeb-65717957bd6f"/> <cybox:Observable idref="mandiant:observable-1e2529c8-c4c7-4a1e-86d7-630842f293b1"/> <cybox:Observable idref="mandiant:observable-8dd5d3da-e922-4e58-83f5-66116f9d0551"/> <cybox:Observable idref="mandiant:observable-31d84c6d-d613-42e9-b1a6-72e6aaa78e94"/> <cybox:Observable idref="mandiant:observable-c5ea82b0-a991-4bc1-a2bf-061887d35b35"/> <cybox:Observable idref="mandiant:observable-9bd9ac90-53d3-437f-910c-af0e0b1e1ec5"/> <cybox:Observable idref="mandiant:observable-de49ae7e-db99-49ac-843d-4ec54d875b82"/> <cybox:Observable idref="mandiant:observable-4599bf78-645b-468f-96cd-5822961ae9aa"/> <cybox:Observable idref="mandiant:observable-2f723b94-d7a1-469a-b792-21a110150d8c"/> <cybox:Observable idref="mandiant:observable-1afa4b6c-0cbe-4a7a-93df-d33eac738ee7"/> <cybox:Observable idref="mandiant:observable-116d1a83-dfba-4e64-8c7b-c9048baa50f1"/> <cybox:Observable idref="mandiant:observable-6ff86f5e-3538-41c6-93e2-c3aa0760592a"/> <cybox:Observable idref="mandiant:observable-ddefd762-9036-479f-bfe9-d9c5fb85f982"/> <cybox:Observable idref="mandiant:observable-1deaf030-e074-4e3a-a788-45ae75a6e669"/> <cybox:Observable idref="mandiant:observable-51e62682-fd26-4ba9-8882-7585c5a8c359"/> <cybox:Observable idref="mandiant:observable-9873610d-551a-418d-855e-7710fcd64e3e"/> <cybox:Observable idref="mandiant:observable-3d56b7e9-ff8f-4318-aded-27ed8a7e763e"/> <cybox:Observable idref="mandiant:observable-54fbc385-ac96-45ca-9024-236bfc4945a7"/> <cybox:Observable idref="mandiant:observable-759928a9-9c42-4538-a7cd-172fcef91c1f"/> <cybox:Observable idref="mandiant:observable-f6b20d5f-888e-4b43-9cbd-605cc65d6f62"/> <cybox:Observable 
idref="mandiant:observable-1c9fb5fb-99d1-4f4b-ada3-11057790d1e8"/> <cybox:Observable idref="mandiant:observable-11eda4af-d518-4728-aeb9-486c7cd2fedf"/> <cybox:Observable idref="mandiant:observable-26941fc7-5dd5-4e01-93df-4e51e0e2f04f"/> <cybox:Observable idref="mandiant:observable-aca6b530-4ad9-4d02-818e-9f6e64f6459b"/> <cybox:Observable idref="mandiant:observable-8f9ef431-47f8-4c5b-a25e-20ea93fa1d64"/> <cybox:Observable idref="mandiant:observable-89fc07df-7c17-4c79-a831-f297fb1e2a87"/> <cybox:Observable idref="mandiant:observable-2e81bf63-45b0-4c8d-9ec9-f169a087a0ca"/> <cybox:Observable idref="mandiant:observable-a8eb1230-6797-4cf7-b823-163672a2b370"/> <cybox:Observable idref="mandiant:observable-a3dbe6c2-b51d-4207-a311-9e5a955bd833"/> <cybox:Observable idref="mandiant:observable-a818911e-297b-4324-aa6f-ac21ec319516"/> <cybox:Observable idref="mandiant:observable-a9086d69-1179-4517-b822-eb84b1658942"/> <cybox:Observable idref="mandiant:observable-0e7d60c6-e783-466d-8594-57c7b0848074"/> <cybox:Observable idref="mandiant:observable-c402b511-6782-40a1-a179-2e72b63c9b82"/> <cybox:Observable idref="mandiant:observable-da9072af-52c2-4305-a16c-e0db04c5d054"/> <cybox:Observable idref="mandiant:observable-12c520fe-2240-4383-9502-338e690862be"/> <cybox:Observable idref="mandiant:observable-5bb7a36f-9773-4ae3-913a-64feb2e8072b"/> <cybox:Observable idref="mandiant:observable-694be730-bf53-4f24-ae76-063d44d84eb2"/> <cybox:Observable idref="mandiant:observable-891409e0-b48b-4378-8135-5f2db3d67cbf"/> <cybox:Observable idref="mandiant:observable-1dd4e157-834b-4f9e-9d33-806646b95a90"/> <cybox:Observable idref="mandiant:observable-0d8f5c5b-5401-44cb-b795-20965c8e0706"/> <cybox:Observable idref="mandiant:observable-92428cd7-19a5-4cfb-a526-0d04495d950f"/> <cybox:Observable idref="mandiant:observable-a214cabc-6e30-4abb-b8b0-fbc37daf2658"/> <cybox:Observable idref="mandiant:observable-cd07b272-58ed-4b34-9b23-66c9a6c35410"/> <cybox:Observable 
idref="mandiant:observable-ba98e853-f69f-44b1-848b-0628b0cc6b02"/> <cybox:Observable idref="mandiant:observable-12b470cd-652e-4a54-8ed3-cdfd2a9627c8"/> <cybox:Observable idref="mandiant:observable-016b517b-d8a2-47d2-926f-1837ca649be1"/> <cybox:Observable idref="mandiant:observable-5d7e66e4-e185-4a2c-a85f-4883e059ba4b"/> <cybox:Observable idref="mandiant:observable-5fc3446a-a934-4c80-87f6-8005cdd9afaf"/> <cybox:Observable idref="mandiant:observable-ba698614-a29d-4fad-9a80-e31494c728ff"/> <cybox:Observable idref="mandiant:observable-effe17e2-3650-4f8d-84b8-b82bb331cf88"/> <cybox:Observable idref="mandiant:observable-741d2a1e-37cd-4450-bb15-96513fd642b6"/> <cybox:Observable idref="mandiant:observable-3e5ad28e-5bfa-4bb7-851f-42d14ccea030"/> <cybox:Observable idref="mandiant:observable-ba856a40-0074-41c1-819f-3cfbbca29a46"/> <cybox:Observable idref="mandiant:observable-4d84aaf2-0cfa-45b9-9b1b-b1f1ed00221e"/> <cybox:Observable idref="mandiant:observable-a4dfc9ad-d778-4574-ad9d-035765b9510b"/> <cybox:Observable idref="mandiant:observable-f2b6c13d-c933-41fe-b5e0-76b0245b5b59"/> <cybox:Observable idref="mandiant:observable-9e57ab75-f804-4c5f-bece-fe6d56a8db5e"/> <cybox:Observable idref="mandiant:observable-4d1bdd42-d9ec-459e-8e8f-2a8057b84d5c"/> <cybox:Observable idref="mandiant:observable-d13b55ac-b75c-4505-a7f2-1b57b56d6b06"/> <cybox:Observable idref="mandiant:observable-db8fef14-2efd-423f-8189-cc3d2152851c"/> <cybox:Observable idref="mandiant:observable-45a74b7f-786e-4381-9d14-63c1d6c1a84b"/> <cybox:Observable idref="mandiant:observable-61279900-2d22-456b-b146-3f5f25c5897e"/> <cybox:Observable idref="mandiant:observable-b5e5baf1-f5b5-4c57-9aeb-28ac618ed7ab"/> <cybox:Observable idref="mandiant:observable-23508af8-104d-401c-8390-5c241bea9bf4"/> <cybox:Observable idref="mandiant:observable-f42a0f08-4705-4ba4-893c-feee956ba888"/> <cybox:Observable idref="mandiant:observable-52484842-5bfa-4ae6-938f-f34bb535ac70"/> <cybox:Observable 
idref="mandiant:observable-28660aaf-40fc-4d95-b857-377940895049"/> <cybox:Observable idref="mandiant:observable-92f22fb9-d3d1-4341-b9f6-a7187f680788"/> <cybox:Observable idref="mandiant:observable-10265b2b-45f8-4173-ba5e-f7d0bfe8d3fa"/> <cybox:Observable idref="mandiant:observable-74672d8b-dd58-45f9-9aea-6d4c31fb944c"/> <cybox:Observable idref="mandiant:observable-ee50608f-9ab2-40e1-ae16-964c37e970c4"/> <cybox:Observable idref="mandiant:observable-d5ed1516-1969-4ac2-b5d1-331110658ef2"/> <cybox:Observable idref="mandiant:observable-99e5c689-7f37-4aff-a45f-c617e6b4a066"/> <cybox:Observable idref="mandiant:observable-c5bcdeb1-e953-4d4e-a703-608fd6cdff4a"/> <cybox:Observable idref="mandiant:observable-e04d55cb-4f79-4b61-8325-69996f9062e1"/> <cybox:Observable idref="mandiant:observable-940679c4-ec10-4eb5-9d21-20b12654b772"/> <cybox:Observable idref="mandiant:observable-29c98e79-163d-49ff-bbcb-3158835d45b6"/> <cybox:Observable idref="mandiant:observable-c282d42f-e81b-48cd-85fd-111d8a0a3099"/> <cybox:Observable idref="mandiant:observable-bdf28114-09ec-4b88-99e6-26a7e199b3f3"/> <cybox:Observable idref="mandiant:observable-3c38aa4c-e87a-4e2b-8a35-c6e78ffec8e7"/> <cybox:Observable idref="mandiant:observable-3f462f7c-f56e-46fb-b242-9ae949f66a6a"/> <cybox:Observable idref="mandiant:observable-d61d7c99-eec5-485a-be51-bd82a6991134"/> <cybox:Observable idref="mandiant:observable-824b99b0-6b88-419a-89ec-e218123bfcb4"/> <cybox:Observable idref="mandiant:observable-3c65469b-0378-4e57-b6d5-a43eec2c7b69"/> <cybox:Observable idref="mandiant:observable-fd76a869-3acd-4e5e-a4b9-26cead229768"/> <cybox:Observable idref="mandiant:observable-5981123c-be20-4852-bd80-53887bd6e1d0"/> <cybox:Observable idref="mandiant:observable-b3ba2153-dd85-498f-84cb-fce518db3d76"/> <cybox:Observable idref="mandiant:observable-01c0595d-90ae-4973-b1bb-f7a5bf4cc987"/> <cybox:Observable idref="mandiant:observable-72e103af-aa68-4a48-8deb-d7982a113a2e"/> <cybox:Observable 
idref="mandiant:observable-d1b2d48b-66f3-45ce-bf59-8ff8dfee1aa5"/> <cybox:Observable idref="mandiant:observable-ddff18bd-d45c-4066-a5e6-ee509c1f8ae4"/> <cybox:Observable idref="mandiant:observable-1ba25759-0637-4361-a2e6-e00f96108434"/> <cybox:Observable idref="mandiant:observable-15ec4e35-97de-4317-80ca-e29ab5690ea0"/> <cybox:Observable idref="mandiant:observable-c65de21f-c921-4ad6-8543-672db0ee4ad7"/> <cybox:Observable idref="mandiant:observable-cdc07416-dda9-4ee6-961d-eb395d8aa546"/> <cybox:Observable idref="mandiant:observable-ee7ba12a-de8b-4acb-a11c-f594d78a4a34"/> <cybox:Observable idref="mandiant:observable-b8771f22-f1d2-4463-ae74-88d73877ef19"/> <cybox:Observable idref="mandiant:observable-c5f09ac4-1660-4b6f-8937-33777c039842"/> <cybox:Observable idref="mandiant:observable-d01ff7bb-1c9d-4f2d-a2e3-93a2ae7c74a8"/> <cybox:Observable idref="mandiant:observable-104d1ce8-162c-455b-9b95-c9f6018ea13e"/> <cybox:Observable idref="mandiant:observable-ccd58757-ad49-4dc4-b512-11eca443e3be"/> <cybox:Observable idref="mandiant:observable-138cc173-f5bb-4c34-afae-990053f4cffd"/> <cybox:Observable idref="mandiant:observable-db75116b-1bf3-413e-a21c-ccf4688b7ff5"/> <cybox:Observable idref="mandiant:observable-1bdaae9c-3cb8-4e09-a694-f3afa52df863"/> <cybox:Observable idref="mandiant:observable-6b1dc651-19bc-4ad1-9e1b-74c5ce9cbc98"/> <cybox:Observable idref="mandiant:observable-83e1f85b-23fd-425e-93d9-bbc2c37c400e"/> <cybox:Observable idref="mandiant:observable-93bf23a9-e338-4ecf-8388-06126c4d3cd8"/> <cybox:Observable idref="mandiant:observable-aa6dea2a-9056-479f-88ef-b0a3cbeaa455"/> <cybox:Observable idref="mandiant:observable-4a0ce12a-e900-4c4d-99d6-4b122731c360"/> <cybox:Observable idref="mandiant:observable-df910c86-06cf-44ea-8185-8c0c96e81f8b"/> <cybox:Observable idref="mandiant:observable-abb7dbc2-f22e-4952-acf5-618febc53f4f"/> <cybox:Observable idref="mandiant:observable-30af6eea-cea6-4f14-b744-bf9a8f703f1a"/> <cybox:Observable 
idref="mandiant:observable-a372d9ff-4aaf-41d1-ba44-c6d033f505da"/> <cybox:Observable idref="mandiant:observable-bce74167-9b44-4df0-a39f-3a3c7277e83e"/> <cybox:Observable idref="mandiant:observable-cabd44e6-983a-4bca-a6fa-4c61fa033bdb"/> <cybox:Observable idref="mandiant:observable-0193b5d9-b3bc-4900-a590-862b975a239f"/> <cybox:Observable idref="mandiant:observable-6879a73c-c49b-4413-892c-499134f0114d"/> <cybox:Observable idref="mandiant:observable-d85d6ef0-4773-43a3-8e85-0216654f565f"/> <cybox:Observable idref="mandiant:observable-502db973-1af6-4bbb-a851-466c92105d2c"/> <cybox:Observable idref="mandiant:observable-8be65eaf-2d7c-4e62-9bfa-17d9fd775ee8"/> <cybox:Observable idref="mandiant:observable-4c462c80-0f77-4007-8f2d-a1f78c2afc81"/> <cybox:Observable idref="mandiant:observable-563bf0ce-e0ee-4340-b484-33ddf3f83eb5"/> <cybox:Observable idref="mandiant:observable-746cc7d0-76e2-43c5-ae3d-ff6620621228"/> <cybox:Observable idref="mandiant:observable-6b11ff12-d96c-4ae8-a2be-9fb5c59fa698"/> <cybox:Observable idref="mandiant:observable-f0677089-a8c4-467c-bfb5-5b3b07babdd2"/> <cybox:Observable idref="mandiant:observable-477c3d89-6041-4b2e-997d-f61a4a31c005"/> <cybox:Observable idref="mandiant:observable-c41366a8-2659-4319-bc47-09b215b7e8a4"/> <cybox:Observable idref="mandiant:observable-6b875024-ebe6-4ea9-8708-2ed280651413"/> <cybox:Observable idref="mandiant:observable-b4dcbe3f-63e6-42d5-b10e-3f2f3c999e8a"/> <cybox:Observable idref="mandiant:observable-976581b3-2c09-4da6-86cf-1b5546901bd6"/> <cybox:Observable idref="mandiant:observable-aa4a91e8-493d-4b0c-9c99-af4ef5336a8f"/> <cybox:Observable idref="mandiant:observable-c9215163-4611-4905-9288-4f7d732d3f55"/> <cybox:Observable idref="mandiant:observable-a4195997-7509-4b3f-b824-1d650217b5d2"/> <cybox:Observable idref="mandiant:observable-bb93c805-8268-467a-b4a2-64f40dfc1e23"/> <cybox:Observable idref="mandiant:observable-671043a6-7b1f-414f-983e-03352d8f30e0"/> <cybox:Observable 
idref="mandiant:observable-cd95c08b-d8bd-4889-b4f5-b189aa7fb825"/> <cybox:Observable idref="mandiant:observable-a6c4ff07-6162-431c-ab3f-be5f8bab5c8c"/> <cybox:Observable idref="mandiant:observable-e944fb78-bb15-4294-9480-17256f077d78"/> <cybox:Observable idref="mandiant:observable-64fdc9f8-7608-42db-9087-621fee4f55d0"/> <cybox:Observable idref="mandiant:observable-9ef95b84-db32-4ede-9140-656d6fb14e29"/> <cybox:Observable idref="mandiant:observable-dda930ae-86cf-4a57-85c3-2d7020e3fb9b"/> <cybox:Observable idref="mandiant:observable-851205be-9d18-44dc-8873-d3852894368d"/> <cybox:Observable idref="mandiant:observable-2625b006-e1bd-4f59-902e-9b9a9012424e"/> <cybox:Observable idref="mandiant:observable-15a688c1-a8f7-4656-9d3d-e7b7a677e85d"/> <cybox:Observable idref="mandiant:observable-f2bfc2f7-7b56-496e-9d9e-b33a5eb0e257"/> <cybox:Observable idref="mandiant:observable-5552cf1b-0cb8-486e-9f40-3ab0205d45eb"/> <cybox:Observable idref="mandiant:observable-011db5d9-e228-43d5-ae55-bc81bf98311c"/> <cybox:Observable idref="mandiant:observable-2d52025c-6954-41ac-8350-aa7574771ccc"/> <cybox:Observable idref="mandiant:observable-2f375642-db88-42fc-8394-00f58e27aa90"/> <cybox:Observable idref="mandiant:observable-f5c8c285-db9b-43c3-bcdb-44030d13e7bb"/> <cybox:Observable idref="mandiant:observable-aee33872-838c-48a9-9a65-87ea320d3ba0"/> <cybox:Observable idref="mandiant:observable-1dd90fa1-59f7-4561-a9a3-7cc8653488ee"/> <cybox:Observable idref="mandiant:observable-2a628575-8096-4a5c-bfce-ab3e3f6bff20"/> <cybox:Observable idref="mandiant:observable-ecc5e067-1ae0-413c-82f0-1a2faf521d06"/> <cybox:Observable idref="mandiant:observable-3f36b356-9c91-43aa-b829-96aa877064af"/> <cybox:Observable idref="mandiant:observable-58ae957b-fd63-4a25-912d-a8c1de6b6da8"/> <cybox:Observable idref="mandiant:observable-107c4f67-380f-4346-8cff-12ff38beff29"/> <cybox:Observable idref="mandiant:observable-3b90b833-c8d7-4ac5-bf2d-8f8c1e9e6393"/> <cybox:Observable 
idref="mandiant:observable-2153595f-b315-4b51-b5f9-362545a09116"/> <cybox:Observable idref="mandiant:observable-fa8b9841-e5a7-4a62-b963-cd2a010423c4"/> <cybox:Observable idref="mandiant:observable-a91a6c5d-2f12-439c-a4ca-7a815a8af6f4"/> <cybox:Observable idref="mandiant:observable-9f90a5ae-3d83-412a-926f-9e6286f39ada"/> <cybox:Observable idref="mandiant:observable-7d0cf1f1-d405-4899-8d4c-eedb4294619c"/> <cybox:Observable idref="mandiant:observable-235f4d5f-ac14-43bd-b339-2c10a1cba74c"/> <cybox:Observable idref="mandiant:observable-406bf6b6-5f28-4a0b-9d53-7965c71e90aa"/> <cybox:Observable idref="mandiant:observable-2856378e-1bc8-4803-8f38-d0a71c514b8a"/> <cybox:Observable idref="mandiant:observable-2e71e0ab-9698-4ea2-af45-3298d113d4ee"/> <cybox:Observable idref="mandiant:observable-ad323f66-7ce8-4e19-8be7-0512f116d904"/> <cybox:Observable idref="mandiant:observable-a3f38876-8b2e-41f4-ad4a-a888d8765396"/> <cybox:Observable idref="mandiant:observable-232f108f-4dd7-4125-a359-42b8211bda79"/> <cybox:Observable idref="mandiant:observable-0e1c72b5-3b5f-413a-a09f-8b10c427da94"/> <cybox:Observable idref="mandiant:observable-f8bf4f08-aa74-401c-b7cd-64258bcf842a"/> <cybox:Observable idref="mandiant:observable-e3c8c1c0-41f6-4e16-b84a-20d5a3704c68"/> <cybox:Observable idref="mandiant:observable-67832c9b-400f-4ef7-a937-c095bf005930"/> <cybox:Observable idref="mandiant:observable-ec09392d-30ec-499a-8d51-3740c3bb8977"/> <cybox:Observable idref="mandiant:observable-995c2b05-2ff3-4d72-9191-468685bc4083"/> <cybox:Observable idref="mandiant:observable-3bf8ddd5-ea93-4583-8315-6e7f541c0f25"/> <cybox:Observable idref="mandiant:observable-e1a3765f-07f0-452a-8c85-2a8f695d233e"/> <cybox:Observable idref="mandiant:observable-4c582b32-dd15-4846-bfd0-10849ea84b96"/> <cybox:Observable idref="mandiant:observable-8eaf6266-a888-44aa-8e99-2a5996800de6"/> <cybox:Observable idref="mandiant:observable-64d6efd1-9d30-43e5-b19d-5a566fe24e33"/> <cybox:Observable 
idref="mandiant:observable-ea553c08-c6b6-44d5-bc56-551272a5f02d"/> <cybox:Observable idref="mandiant:observable-b30a0d82-77ba-402d-b7ee-57bf5fcd3210"/> <cybox:Observable idref="mandiant:observable-2340c5fe-d2a9-4f76-9e7c-6e311434ecd1"/> <cybox:Observable idref="mandiant:observable-742493b6-9811-45db-98af-ec037cb8bec8"/> <cybox:Observable idref="mandiant:observable-266ccf83-4261-4cd1-94b2-c708e3cde982"/> <cybox:Observable idref="mandiant:observable-43394133-3171-4225-bf3f-4e54f5aa09cc"/> <cybox:Observable idref="mandiant:observable-a6782aed-077b-46c2-b353-b0bdac060e1c"/> <cybox:Observable idref="mandiant:observable-d5df9e4a-240a-4167-afcf-77904047b580"/> <cybox:Observable idref="mandiant:observable-d594ae76-2ea7-4e97-9c12-6c6fec436714"/> <cybox:Observable idref="mandiant:observable-988e9f00-1ca2-46dc-827b-c941b7b064c7"/> <cybox:Observable idref="mandiant:observable-22f5e5ee-a879-418c-8a93-68431d0820be"/> <cybox:Observable idref="mandiant:observable-23aa48b5-3860-4878-a577-e999f54db61b"/> <cybox:Observable idref="mandiant:observable-22b46407-6ff7-48e0-8fec-36198765d91c"/> <cybox:Observable idref="mandiant:observable-0dcfeba9-56b4-42ac-bc6e-9afe16141c14"/> <cybox:Observable idref="mandiant:observable-b815e8d1-0ee2-4487-9c10-b5fd3790901c"/> <cybox:Observable idref="mandiant:observable-4cc76b8d-04e8-4b1a-9e6e-ef766724ffab"/> <cybox:Observable idref="mandiant:observable-b2e338dc-bbb1-44ed-9e59-2731e237986f"/> <cybox:Observable idref="mandiant:observable-1ef89454-374e-412c-b0a7-6a6fda1c28d1"/> <cybox:Observable idref="mandiant:observable-e5f8c37b-65b1-4de2-aeed-149c90738052"/> <cybox:Observable idref="mandiant:observable-6c17777c-cf7c-47da-ae7f-7a68a33a3b52"/> <cybox:Observable idref="mandiant:observable-c39109a7-484f-4e82-9ee6-54407551d4dc"/> <cybox:Observable idref="mandiant:observable-d29a1aa7-d719-4494-8ccf-fd52ae9a6bce"/> <cybox:Observable idref="mandiant:observable-67f0c320-9f3b-4db4-a480-97284a4f3697"/> <cybox:Observable 
idref="mandiant:observable-7d01965d-d4fa-41a6-a085-93c853927b70"/> <cybox:Observable idref="mandiant:observable-b6679020-8901-43e3-8178-444bc67df5c3"/> <cybox:Observable idref="mandiant:observable-adc011ca-4091-43a8-8f9d-f7de0a482878"/> <cybox:Observable idref="mandiant:observable-1864f777-bdb1-4fb8-bc4d-7c02e6b05c40"/> <cybox:Observable idref="mandiant:observable-bbfaa6be-5d52-4e50-921c-6cf6ba19feea"/> <cybox:Observable idref="mandiant:observable-7320ff60-0357-4ec4-8039-12a6c15ef11f"/> <cybox:Observable idref="mandiant:observable-1237a856-97ed-4f3a-8247-66021139e0ce"/> <cybox:Observable idref="mandiant:observable-ac58fd01-8142-45a5-9e80-7193362ea4c0"/> <cybox:Observable idref="mandiant:observable-6e58b715-3ccb-439c-b52d-3e05e9628add"/> <cybox:Observable idref="mandiant:observable-01e68200-32c9-4ede-ab08-dadb78622d43"/> <cybox:Observable idref="mandiant:observable-c6a2a34d-c377-432b-ba6a-17c24b8fba9e"/> <cybox:Observable idref="mandiant:observable-8f9353f9-5455-49a8-a2c8-ab82fb50e13a"/> <cybox:Observable idref="mandiant:observable-b9f49549-e2d5-4a57-9cee-31dc460c6d61"/> <cybox:Observable idref="mandiant:observable-39bcba25-04ef-4085-8f25-7fa4fb851af4"/> <cybox:Observable idref="mandiant:observable-b5069f8e-f98f-4023-a8fd-c9f8e22ecce0"/> <cybox:Observable idref="mandiant:observable-075f433d-0494-43ba-b728-988d8258f8c9"/> <cybox:Observable idref="mandiant:observable-6a2bd203-34ac-44b4-afd9-1a36b3ccecf6"/> <cybox:Observable idref="mandiant:observable-a7bc9f0d-56cb-4563-bc1b-e140e602cf72"/> <cybox:Observable idref="mandiant:observable-d99875e3-2e4f-4cd0-87a1-b9c01bffb319"/> <cybox:Observable idref="mandiant:observable-d6d97470-7ba3-45d1-a47d-cec22a5e7127"/> <cybox:Observable idref="mandiant:observable-abba48fe-9d40-44b2-9c45-f104a23aad96"/> <cybox:Observable idref="mandiant:observable-5c2d0406-23b4-4e7c-aac5-2005bbf24476"/> <cybox:Observable idref="mandiant:observable-0af3a04c-ec24-477d-a66c-bb4294c8c04c"/> <cybox:Observable 
idref="mandiant:observable-c289bfec-8828-4e95-8ab8-76826afbd6a5"/> <cybox:Observable idref="mandiant:observable-86212698-a237-41d2-8f60-4c2dcf0b5504"/> <cybox:Observable idref="mandiant:observable-fcdccb0a-c867-4f14-ba94-c1a2e21da423"/> <cybox:Observable idref="mandiant:observable-3ceeb576-730b-46c7-978d-a14c53d8eecf"/> <cybox:Observable idref="mandiant:observable-e38947bf-8ad0-46eb-902e-6bba805eb1c4"/> <cybox:Observable idref="mandiant:observable-e1d4b562-5eed-4bbc-a46e-5f8601b707d5"/> <cybox:Observable idref="mandiant:observable-aa61b320-9f15-44db-b258-50c70b1dc9be"/> <cybox:Observable idref="mandiant:observable-4b47e6a7-8ea3-4dd6-b2cb-ae81bc1b34be"/> <cybox:Observable idref="mandiant:observable-ff7ba23f-cbbd-4cb2-b38a-69d537149ede"/> <cybox:Observable idref="mandiant:observable-f256b4cc-da34-47fd-ac26-0a9ea37beeb8"/> <cybox:Observable idref="mandiant:observable-e3102e66-7434-42b0-a0c7-a885c0d0c776"/> <cybox:Observable idref="mandiant:observable-59f243bc-817f-4d2b-9ca6-c3720e6cd19d"/> <cybox:Observable idref="mandiant:observable-60ebd784-a5d9-4a07-99ca-8c6cfa5cae49"/> <cybox:Observable idref="mandiant:observable-d845fd40-b501-4abd-bd5f-8f5489b967fb"/> <cybox:Observable idref="mandiant:observable-6d5a329b-8eb4-4f9d-9a50-3c9daaa1f6dc"/> <cybox:Observable idref="mandiant:observable-57874f70-3316-4391-a138-6670cd7199ff"/> <cybox:Observable idref="mandiant:observable-6c938702-2897-471a-8dcf-bbcba461ddf5"/> <cybox:Observable idref="mandiant:observable-0873a202-81e5-4558-98fb-2135116c11de"/> <cybox:Observable idref="mandiant:observable-b9e94bd8-3f1b-4fb5-a872-b0b941450091"/> <cybox:Observable idref="mandiant:observable-ae13ea96-242a-4257-8b2b-29246951cbeb"/> <cybox:Observable idref="mandiant:observable-e53f6059-c079-4fb2-a032-aab87404f472"/> <cybox:Observable idref="mandiant:observable-21f21534-d37e-4309-a349-500e5e3b3e76"/> <cybox:Observable idref="mandiant:observable-013bfa26-7131-483c-a482-bd7ba4c3f2b2"/> <cybox:Observable 
idref="mandiant:observable-e3453288-e183-4442-a1ea-9c9fbda12df0"/> <cybox:Observable idref="mandiant:observable-79c61b66-082d-4d30-bafd-3f158fd79bc1"/> <cybox:Observable idref="mandiant:observable-8b27ec1c-e84a-4154-9e8c-83db21293eff"/> <cybox:Observable idref="mandiant:observable-482d80c8-9f63-41c6-a77e-58022b4d72ce"/> <cybox:Observable idref="mandiant:observable-c9f2c97a-d563-46fb-936e-3c7a60afa8c6"/> <cybox:Observable idref="mandiant:observable-c44845ef-f727-4e3d-8c4c-0912bc197dc8"/> <cybox:Observable idref="mandiant:observable-09c111ba-6d61-478c-bcc1-35895d0f8f55"/> <cybox:Observable idref="mandiant:observable-bf6662c5-dd5b-4fb0-acfc-b802a2625843"/> <cybox:Observable idref="mandiant:observable-c9c1844f-52a9-4c31-b146-36a412efa812"/> <cybox:Observable idref="mandiant:observable-9ca96c25-f428-4e0b-821a-b79f96cfef31"/> <cybox:Observable idref="mandiant:observable-6c126c3b-10de-41e8-8771-e19dd5e08216"/> <cybox:Observable idref="mandiant:observable-9a35ae88-657f-4d17-a3b4-24ab2c431b9f"/> <cybox:Observable idref="mandiant:observable-d5b8426d-d3dc-4472-af8b-5de756754fb9"/> <cybox:Observable idref="mandiant:observable-9453a5ae-4a32-49a2-a126-f02a2f199d86"/> <cybox:Observable idref="mandiant:observable-a46890cd-0547-4896-91f2-9be7c932c03e"/> <cybox:Observable idref="mandiant:observable-b1cc9530-8f56-45bb-b946-33996df735e0"/> <cybox:Observable idref="mandiant:observable-e70825c8-f40f-4074-8eab-706528fb57a4"/> <cybox:Observable idref="mandiant:observable-8cca6a84-4be2-4990-ae4b-3d8c799712b1"/> <cybox:Observable idref="mandiant:observable-dd1e0af7-97b2-48ec-b096-1da579987940"/> <cybox:Observable idref="mandiant:observable-66fc18f1-5bb3-4b0b-8e16-0d6634567a91"/> <cybox:Observable idref="mandiant:observable-a11449dd-8dea-4997-88a5-57a7815eaec1"/> <cybox:Observable idref="mandiant:observable-ad056220-959c-43a3-9e13-e0069d60e741"/> <cybox:Observable idref="mandiant:observable-f92259e5-740f-4ba5-9f34-a2bfbc25b38a"/> <cybox:Observable 
idref="mandiant:observable-deb9172e-0195-4900-a952-251a5982fe10"/> <cybox:Observable idref="mandiant:observable-60d71b38-1bb4-40e8-8a09-7a3325e5f6d3"/> <cybox:Observable idref="mandiant:observable-543b862d-20a0-4ddd-bf50-730d14794a17"/> <cybox:Observable idref="mandiant:observable-3a9e4b9f-ac93-4bf2-ba34-86c09270c779"/> <cybox:Observable idref="mandiant:observable-dfd4c462-94cc-457d-b93d-51284a42f00f"/> <cybox:Observable idref="mandiant:observable-547535a3-8d8e-4a5a-826c-978f86c38abc"/> <cybox:Observable idref="mandiant:observable-7a6e0eae-26e3-49fd-8612-208bf903c3f1"/> <cybox:Observable idref="mandiant:observable-c39ab5e4-4523-4190-8b6f-61644a226259"/> <cybox:Observable idref="mandiant:observable-54c1ce11-02ee-40ca-8c76-5f1e06a97ec5"/> <cybox:Observable idref="mandiant:observable-7acdc274-2791-435b-b0c3-e969c6afadbd"/> <cybox:Observable idref="mandiant:observable-f0509b94-ea0a-42c2-9a43-f02a27d87364"/> <cybox:Observable idref="mandiant:observable-1a30f225-911a-4acf-ac17-57a8182f53a4"/> <cybox:Observable idref="mandiant:observable-b4e62d91-92e2-4f51-a8ce-57e666f88222"/> <cybox:Observable idref="mandiant:observable-90797ae1-4b08-46ae-b910-69fb9d68387d"/> <cybox:Observable idref="mandiant:observable-d7e82ff8-5c31-4e30-b498-0743e5c3bf57"/> <cybox:Observable idref="mandiant:observable-eb2159d6-c97a-48c5-a72b-5c722dfceba6"/> <cybox:Observable idref="mandiant:observable-c3d02108-1bd0-4004-a837-26cdb2613514"/> <cybox:Observable idref="mandiant:observable-0c74c9f2-f4e8-40ef-b3ed-ba334f8d90f5"/> <cybox:Observable idref="mandiant:observable-3b975e54-055e-4898-bab4-924386d95602"/> <cybox:Observable idref="mandiant:observable-726d364f-c99b-4b39-99fc-93bf0bfadfaa"/> <cybox:Observable idref="mandiant:observable-8de3ccee-3f41-4792-9fda-4dfe3e8b60b9"/> <cybox:Observable idref="mandiant:observable-6c66736d-98dd-4a9e-9161-0ef06daa1418"/> <cybox:Observable idref="mandiant:observable-7e966924-f0e0-492c-aa2e-a3df31a0f6c8"/> <cybox:Observable 
idref="mandiant:observable-eb591111-aba4-4daa-941f-d58d55c9d05a"/> <cybox:Observable idref="mandiant:observable-1e45003a-afa4-445d-87e8-9cf9c4d797b7"/> <cybox:Observable idref="mandiant:observable-a78f87f8-e80d-488f-92e4-61345d003058"/> <cybox:Observable idref="mandiant:observable-61322e9d-1845-49dd-8011-36b73a6cc97b"/> <cybox:Observable idref="mandiant:observable-ac0668a3-2f35-4119-abe1-eb8cbbfe3b44"/> <cybox:Observable idref="mandiant:observable-a8cbfc21-a3eb-4bde-a685-a0f1e5ea2a5e"/> <cybox:Observable idref="mandiant:observable-b003b81f-58fa-4d3a-a149-f20a987dbf81"/> <cybox:Observable idref="mandiant:observable-bb1b6053-253e-47f2-af14-bbb5584acee0"/> <cybox:Observable idref="mandiant:observable-67831879-a87e-4ed3-b410-af2d3190aad8"/> <cybox:Observable idref="mandiant:observable-969f2799-1c38-4a57-b00f-30680ad1474d"/> <cybox:Observable idref="mandiant:observable-b3c89c5b-0588-41a4-9e99-0d223bbe0043"/> <cybox:Observable idref="mandiant:observable-eae43782-fdbd-4af9-9483-1cef334fc95f"/> <cybox:Observable idref="mandiant:observable-9e89610f-6237-42cd-8d4a-ec3239eed773"/> <cybox:Observable idref="mandiant:observable-fdf1edff-ce6f-4481-87d9-a7856db3edf4"/> <cybox:Observable idref="mandiant:observable-4254f78c-b1a6-4259-9375-0a08b3f6f0d9"/> <cybox:Observable idref="mandiant:observable-ae01e667-05df-46d9-9e88-28be9e6f8987"/> <cybox:Observable idref="mandiant:observable-b063a250-8baf-4a76-ae59-be117722fe44"/> <cybox:Observable idref="mandiant:observable-2ee42f88-4abc-4e9b-be34-8a6a12118312"/> <cybox:Observable idref="mandiant:observable-ce82121f-ed9a-4547-a1cd-58dc5aab5d7e"/> <cybox:Observable idref="mandiant:observable-bd7de4ce-a919-4346-9fcd-3913b2a6c704"/> <cybox:Observable idref="mandiant:observable-2a434183-70dd-45ab-b559-94bbd86da2a1"/> <cybox:Observable idref="mandiant:observable-fd0e3b02-30f2-4009-a904-2778f8d4d2d9"/> <cybox:Observable idref="mandiant:observable-1037388b-59f1-4e4d-88de-a48cfde1f528"/> <cybox:Observable 
idref="mandiant:observable-58794dea-47d1-42ce-a362-54886bd93a06"/> <cybox:Observable idref="mandiant:observable-6b2bd2c6-fe89-41c8-ada0-fe460773cfc8"/> <cybox:Observable idref="mandiant:observable-8afd245b-da29-4682-bce9-6e559f10398e"/> <cybox:Observable idref="mandiant:observable-8860ddfb-79c0-443a-a7d6-bb1dde02d8d3"/> <cybox:Observable idref="mandiant:observable-a30e7405-19ee-4e22-915c-cd086583820b"/> <cybox:Observable idref="mandiant:observable-39570278-1742-49e8-8621-08c160bd6190"/> <cybox:Observable idref="mandiant:observable-e6f22710-6cad-4a43-a4b1-43e5c1e9e4f7"/> <cybox:Observable idref="mandiant:observable-24481fe5-4bd0-4a6b-8ed9-af76d7f951c2"/> <cybox:Observable idref="mandiant:observable-7f7ae7ac-2648-407f-9a35-ab01e0c60f28"/> <cybox:Observable idref="mandiant:observable-171f1310-70e2-4a89-abb7-97b9ebffbaf1"/> <cybox:Observable idref="mandiant:observable-51717d97-5ea0-4b1c-a587-3b79b830a4ab"/> <cybox:Observable idref="mandiant:observable-a277c190-aa06-43b5-9d91-bec23be44b0a"/> <cybox:Observable idref="mandiant:observable-006bfdc9-b5ec-41fe-8f56-b9da46952db6"/> <cybox:Observable idref="mandiant:observable-5dbd6994-6619-4b36-8834-6ab44b492e9a"/> <cybox:Observable idref="mandiant:observable-01eea5a1-0159-4488-b4a0-9f831145674b"/> <cybox:Observable idref="mandiant:observable-ae3cf14e-3fdf-4f13-a659-c07ad3e592cf"/> <cybox:Observable idref="mandiant:observable-c1d91812-c5e5-4ec3-9489-6ebef62dab2e"/> <cybox:Observable idref="mandiant:observable-fa7e328c-ebb8-4681-9c53-2fb0e20321de"/> <cybox:Observable idref="mandiant:observable-3b5fe187-58a5-4897-a335-37f1193ccb8a"/> <cybox:Observable idref="mandiant:observable-7359cdd0-ab54-46b5-8907-7ca8cd972127"/> <cybox:Observable idref="mandiant:observable-931a94fe-1d78-4a8d-a8cb-4d2c5f869067"/> <cybox:Observable idref="mandiant:observable-5f304b83-aa6e-492b-bc4a-f61fe8dce5b9"/> <cybox:Observable idref="mandiant:observable-1ba67c3d-c6ef-46ec-b38e-17b031680d47"/> <cybox:Observable 
idref="mandiant:observable-d287fcd5-2554-48dc-ba28-e5a5ce9944bd"/> <cybox:Observable idref="mandiant:observable-49392184-f0bc-46eb-a73d-242f1eb2a7b1"/> <cybox:Observable idref="mandiant:observable-d4805982-be75-4135-8745-0a8ff3f3b6fd"/> <cybox:Observable idref="mandiant:observable-8a2e9a48-b639-46f9-95a0-f9555491d464"/> <cybox:Observable idref="mandiant:observable-cc7d886a-6029-4024-a9c0-34f4e628e6af"/> <cybox:Observable idref="mandiant:observable-df53106c-1345-4621-91bf-561c1ba9a1d1"/> <cybox:Observable idref="mandiant:observable-2ec036c0-6d37-4da0-81d1-afa391b08e29"/> <cybox:Observable idref="mandiant:observable-78457191-42df-4f1f-9aa5-86e8dec6c27e"/> <cybox:Observable idref="mandiant:observable-ef2d888e-970a-4e01-9471-be05f7c65629"/> <cybox:Observable idref="mandiant:observable-0d9c5aa6-7fc4-4557-864d-a45e13ac7d9e"/> <cybox:Observable idref="mandiant:observable-6a1f12ac-e74a-4c2b-b7f0-dab357718c4a"/> <cybox:Observable idref="mandiant:observable-0f231d6b-482d-4ec8-abac-11560a6bd0ec"/> <cybox:Observable idref="mandiant:observable-5804edfb-9cff-4f6b-8fb8-958e93e51075"/> <cybox:Observable idref="mandiant:observable-91aa6ab0-4665-4079-991d-8752ee107e2a"/> <cybox:Observable idref="mandiant:observable-ed289b6f-5ff7-4f8a-bfcf-314c6d622e9f"/> <cybox:Observable idref="mandiant:observable-c438a0fc-bcf9-4ec2-984d-ef45da0754bd"/> <cybox:Observable idref="mandiant:observable-f1782637-48a1-45b7-b8ee-6e4b18a16d9e"/> <cybox:Observable idref="mandiant:observable-4afe37a4-f505-4ccb-8c93-ec6b267493c1"/> <cybox:Observable idref="mandiant:observable-8c062a7f-7bc9-4b73-96f2-3bcb99d7e887"/> <cybox:Observable idref="mandiant:observable-bc69c00c-3fca-4dc0-9b9e-c4346a190869"/> <cybox:Observable idref="mandiant:observable-a4506c4a-d5f1-4ba9-b4e7-1d6a1bc07ef8"/> <cybox:Observable idref="mandiant:observable-075e4622-1bd9-41ec-8311-c7b53e3fa0cb"/> <cybox:Observable idref="mandiant:observable-509b8871-ae2f-4272-b53b-b15ef75ccc69"/> <cybox:Observable 
idref="mandiant:observable-fd65f08c-427d-47de-9de5-7a3b95a03cef"/> <cybox:Observable idref="mandiant:observable-585179e6-9df5-4056-a530-d0b61828be5c"/> <cybox:Observable idref="mandiant:observable-e8473edc-4f1b-4595-bfe6-36baa5f384e7"/> <cybox:Observable idref="mandiant:observable-1eccf7a7-5f43-43c6-a044-7a2081956cba"/> <cybox:Observable idref="mandiant:observable-ae9ca65d-c110-4faf-9838-e4459267bd6d"/> <cybox:Observable idref="mandiant:observable-f05bd155-ab39-4426-801f-292b8846537f"/> <cybox:Observable idref="mandiant:observable-e19d5499-b305-443f-8d78-48ea3a94e2be"/> <cybox:Observable idref="mandiant:observable-192897db-af6b-457b-8ee6-6623e1d67c04"/> <cybox:Observable idref="mandiant:observable-32d59174-8af2-47d0-ad8c-e70b2e0fe98f"/> <cybox:Observable idref="mandiant:observable-2b40d825-a824-4c10-be36-79a78aa565ae"/> <cybox:Observable idref="mandiant:observable-93cabc49-f7ec-49df-a76b-ffa513e60f11"/> <cybox:Observable idref="mandiant:observable-9604e409-31d1-415a-9de8-28ae43b742a6"/> <cybox:Observable idref="mandiant:observable-8847fb0b-9aba-4566-98b5-ecd0ddac90b2"/> <cybox:Observable idref="mandiant:observable-fbca176e-559e-4f3c-aff4-d0ca1f86fc84"/> <cybox:Observable idref="mandiant:observable-40e1893f-d2c4-48be-b82e-86a639cd118b"/> <cybox:Observable idref="mandiant:observable-4a4ef845-eb78-40b2-ba62-085dd7aa2ba7"/> <cybox:Observable idref="mandiant:observable-ea804d1c-bea8-4cd0-bf18-21803cdc3bea"/> <cybox:Observable idref="mandiant:observable-aa1efaca-16e9-4e11-ac3b-7a76485428e6"/> <cybox:Observable idref="mandiant:observable-4309d7f0-d428-40bf-9ccc-f57bd5ec5c15"/> <cybox:Observable idref="mandiant:observable-c13a3970-9d13-4076-8051-3c95bc6d4654"/> <cybox:Observable idref="mandiant:observable-927e6047-70dc-4555-95a8-6bf87d180699"/> <cybox:Observable idref="mandiant:observable-5cb7cf7a-6525-4527-98bd-c23d406e8344"/> <cybox:Observable idref="mandiant:observable-ad2d7118-d7b6-43ab-87f5-e4e5da4998f2"/> <cybox:Observable 
idref="mandiant:observable-316de897-a537-40a5-92d6-c8d39d01e369"/> <cybox:Observable idref="mandiant:observable-00954932-3781-4dde-8b56-49b07c138769"/> <cybox:Observable idref="mandiant:observable-a0fb19d9-ae52-497b-a458-6b813ef0e61c"/> <cybox:Observable idref="mandiant:observable-84fd5ae0-8950-49d6-9146-0084dcb325b3"/> <cybox:Observable idref="mandiant:observable-0f9d600b-a0fb-4365-85e9-cde0ff7a8764"/> <cybox:Observable idref="mandiant:observable-f3829e1c-ecec-4417-8d7f-ca2ee9e2340c"/> <cybox:Observable idref="mandiant:observable-d4c4f19d-f4cf-42f5-b992-afcf265abead"/> <cybox:Observable idref="mandiant:observable-96156a9a-30f4-4c37-801f-0eeab2b36a1b"/> <cybox:Observable idref="mandiant:observable-ecc8b9aa-f0d4-4c20-93b5-b187027bea87"/> <cybox:Observable idref="mandiant:observable-6118837d-342e-4e35-b33d-659cf490bf21"/> <cybox:Observable idref="mandiant:observable-480c1386-9e4c-46aa-9f1e-a085471ce68f"/> <cybox:Observable idref="mandiant:observable-e715daf3-6105-4523-9482-c1a8c5e0f3ef"/> <cybox:Observable idref="mandiant:observable-f5bf8270-d823-4b2c-a4cb-3db5bbc86e60"/> <cybox:Observable idref="mandiant:observable-63198f99-b40b-4b0a-a081-74bdb013b900"/> <cybox:Observable idref="mandiant:observable-1565b3aa-e4bc-413f-a6fd-124549f717de"/> <cybox:Observable idref="mandiant:observable-fd10f311-93b1-458c-8dab-c87fe3459604"/> <cybox:Observable idref="mandiant:observable-607c5240-a2f0-47cb-bbf6-41d7645d5a08"/> <cybox:Observable idref="mandiant:observable-0b4afa3d-b0d7-4048-a2fd-cfff23620215"/> <cybox:Observable idref="mandiant:observable-79394e6b-e5a9-4781-9564-ac02885bdac4"/> <cybox:Observable idref="mandiant:observable-9c903320-a055-42e2-87f2-5d9bed5e7c88"/> <cybox:Observable idref="mandiant:observable-2094bbd3-ad99-43ce-bf7c-889c2a8c2418"/> <cybox:Observable idref="mandiant:observable-fa65ea27-a51c-48b3-8443-adf11911b9e5"/> <cybox:Observable idref="mandiant:observable-4472c6c0-67a5-4ec3-8b92-32b3a5feb2ba"/> <cybox:Observable 
idref="mandiant:observable-b0da821a-5158-4932-9d17-6b9a2741ea42"/> <cybox:Observable idref="mandiant:observable-09c12648-0ba6-457f-906c-50c06c8ccc2f"/> <cybox:Observable idref="mandiant:observable-b5b1888f-0a8f-465e-b4c7-584ae6abd91e"/> <cybox:Observable idref="mandiant:observable-4a69f184-ffc1-4954-9088-c65885210f12"/> <cybox:Observable idref="mandiant:observable-3cb5b75d-fef6-4f87-b54a-6211681e6a17"/> <cybox:Observable idref="mandiant:observable-ceb77e2b-3bbc-4df9-80a2-0af64730db50"/> <cybox:Observable idref="mandiant:observable-6905fe9f-e540-4163-8949-c93766ab7fa1"/> <cybox:Observable idref="mandiant:observable-439bc68a-8b73-4144-a278-6394ae2cd3ec"/> <cybox:Observable idref="mandiant:observable-64ced20c-d90a-4cf7-b56b-22f9cee399b1"/> <cybox:Observable idref="mandiant:observable-a5bd1885-c9e3-485e-97ff-8bad5ac2a019"/> <cybox:Observable idref="mandiant:observable-e0d96356-a782-4a50-b27f-885aef4dc2cb"/> <cybox:Observable idref="mandiant:observable-e478b685-9cd4-4c72-810d-6c5083baaf1e"/> <cybox:Observable idref="mandiant:observable-ba448443-530d-43e5-bddc-22b67729b558"/> <cybox:Observable idref="mandiant:observable-7bd52e8a-4fba-440b-a37a-966154ea923c"/> <cybox:Observable idref="mandiant:observable-68818743-99a5-4a86-9169-0203287e95cd"/> <cybox:Observable idref="mandiant:observable-3073f4f3-afc7-44ec-9db4-c3f01d8f2d7b"/> <cybox:Observable idref="mandiant:observable-bfb57e09-9afc-41d2-9220-9b5929713be7"/> <cybox:Observable idref="mandiant:observable-6f828f74-3e9a-482f-9793-c63022c5767f"/> <cybox:Observable idref="mandiant:observable-90fe8a13-a795-496e-9f8b-eb1bb8700b2c"/> <cybox:Observable idref="mandiant:observable-400a5360-8a95-46dc-8ee6-6fe7adb660e9"/> <cybox:Observable idref="mandiant:observable-bc4dfd12-d672-4fab-9132-b55a3c6d4ac5"/> <cybox:Observable idref="mandiant:observable-a1c9a5b8-5ed1-4b09-833a-11374857a2b6"/> <cybox:Observable idref="mandiant:observable-e6366973-065a-4b16-96c3-65fe63516c92"/> <cybox:Observable 
idref="mandiant:observable-df9e93cf-78a2-4237-97fb-d0059f7e67d0"/> <cybox:Observable idref="mandiant:observable-6bc4d8fc-f0b6-450e-8c02-3303a2651d05"/> <cybox:Observable idref="mandiant:observable-5c6db611-de7f-4071-93a2-d595d3c76007"/> <cybox:Observable idref="mandiant:observable-5448f210-c950-4dfe-8e78-ac71cd039027"/> <cybox:Observable idref="mandiant:observable-6f7a2020-2697-40d9-b21e-cc3fef4aa00c"/> <cybox:Observable idref="mandiant:observable-26fd253a-1ad5-4d8b-a82f-2b216f57ff69"/> <cybox:Observable idref="mandiant:observable-bb8b77e4-6f6a-4a65-8b00-dff78daae9c8"/> <cybox:Observable idref="mandiant:observable-7e8b335f-0b64-47ba-88d8-ea1dce36434b"/> <cybox:Observable idref="mandiant:observable-6d795759-4f91-481e-b703-916562a66e38"/> <cybox:Observable idref="mandiant:observable-e3781e40-e361-4242-9103-6041cd237b74"/> <cybox:Observable idref="mandiant:observable-5a539f71-bae5-431f-b1d2-257d6e336a73"/> <cybox:Observable idref="mandiant:observable-2e1db2cb-cd4e-449d-a781-b64099ddc80f"/> <cybox:Observable idref="mandiant:observable-98b7cc6e-a2b9-45ac-b649-fb727f776d4e"/> <cybox:Observable idref="mandiant:observable-64704b56-5cbe-460d-b1c7-cfd5a563c7be"/> <cybox:Observable idref="mandiant:observable-059c4f3a-8904-4098-8e80-53498e22d5db"/> <cybox:Observable idref="mandiant:observable-d86bf4e1-7aa8-40c4-a3e0-9dabb7d11499"/> <cybox:Observable idref="mandiant:observable-9815b953-8d3a-467f-a6c7-a9ae09a2a854"/> <cybox:Observable idref="mandiant:observable-f7af9381-5d0a-4016-ac9c-cfb0202fead9"/> <cybox:Observable idref="mandiant:observable-504afe0f-f5ce-4fa5-a455-8f606460d146"/> <cybox:Observable idref="mandiant:observable-ee9a4b38-02f8-4d6b-829e-0f4847cb1bc1"/> <cybox:Observable idref="mandiant:observable-fbddb631-4962-45ca-a475-e89b9bd23035"/> <cybox:Observable idref="mandiant:observable-5d516439-8d06-4276-bcc7-979cedd88ad3"/> <cybox:Observable idref="mandiant:observable-76070a38-8e25-416a-a923-48bf21bf78cc"/> <cybox:Observable 
idref="mandiant:observable-b86c6d5d-7d65-4465-b7b2-7e14dee9ceac"/> <cybox:Observable idref="mandiant:observable-26e65acb-3669-4e4b-8c7f-3199503b4782"/> <cybox:Observable idref="mandiant:observable-d7d17a34-79a7-4fb8-83ee-cc644f714d73"/> <cybox:Observable idref="mandiant:observable-f325e850-af17-48b8-9d63-93d566b4921d"/> <cybox:Observable idref="mandiant:observable-e721a677-95eb-4108-8234-4c6759828160"/> <cybox:Observable idref="mandiant:observable-33617a49-d597-413b-bc42-bc2f236b8151"/> <cybox:Observable idref="mandiant:observable-6d5607d4-78ec-4f19-b409-e9bf720c59f7"/> <cybox:Observable idref="mandiant:observable-2eae3162-26d1-4d5d-8996-5d0a72622bd7"/> <cybox:Observable idref="mandiant:observable-4f79f0bc-4158-4655-86a5-f1124fc98ec3"/> <cybox:Observable idref="mandiant:observable-f2734f96-48de-467b-a208-afe9a7ce5627"/> <cybox:Observable idref="mandiant:observable-08c29e42-37b4-4ccf-8a30-42de9cf10c99"/> <cybox:Observable idref="mandiant:observable-40975d2a-84d4-45e5-88cb-4edbcc603dd2"/> <cybox:Observable idref="mandiant:observable-8489fa8e-7307-49d1-8c9e-b18f80ed1293"/> <cybox:Observable idref="mandiant:observable-69b8a457-a26b-461c-ab0b-96804c2f1225"/> <cybox:Observable idref="mandiant:observable-30b15d42-1341-4e09-b316-40a04761c43d"/> <cybox:Observable idref="mandiant:observable-c774aebb-f8e6-44df-ae9c-f880a569b26f"/> <cybox:Observable idref="mandiant:observable-830ba94d-c674-4e12-8081-407fc389addf"/> <cybox:Observable idref="mandiant:observable-6333732c-4657-4958-835c-36daca9af6ed"/> <cybox:Observable idref="mandiant:observable-b07056d6-e131-434c-9af3-74368fc71510"/> <cybox:Observable idref="mandiant:observable-e2677e17-1963-4179-b898-1de300cf27cf"/> <cybox:Observable idref="mandiant:observable-76af7981-e44c-4490-a615-260ab230a49e"/> <cybox:Observable idref="mandiant:observable-c473ff23-c8cb-42c3-9a8a-a940fcf4b5c1"/> <cybox:Observable idref="mandiant:observable-9c1f6d11-e8cf-4b4f-b606-a564cd97f6d8"/> <cybox:Observable 
idref="mandiant:observable-e3ac4faf-98bd-4dba-8b93-f50e5d3b1172"/> <cybox:Observable idref="mandiant:observable-755d1883-a0c5-44d4-ab7c-39e2ec3fd652"/> <cybox:Observable idref="mandiant:observable-f855af0a-b1ad-46e0-bc0e-277487a85b10"/> <cybox:Observable idref="mandiant:observable-6d1a3f22-3ac3-4aa0-b79e-7def175feb45"/> <cybox:Observable idref="mandiant:observable-2cb3e45d-cd9f-47a0-8835-56a44d25772e"/> <cybox:Observable idref="mandiant:observable-c30bad26-dbc2-4973-90ca-0cca523d8d1f"/> <cybox:Observable idref="mandiant:observable-c6c6738d-7fbe-493e-92d4-7e5b109e7f1c"/> <cybox:Observable idref="mandiant:observable-c6aff098-b912-455f-b82e-94a86ebe03d9"/> <cybox:Observable idref="mandiant:observable-a44c88fc-776f-456a-857d-e2743c0c1fea"/> <cybox:Observable idref="mandiant:observable-89f1b209-555b-4d70-a20a-2175c9a37675"/> <cybox:Observable idref="mandiant:observable-70707d0d-ccb6-43d8-97fd-35213053ad58"/> <cybox:Observable idref="mandiant:observable-c347c361-b4e8-481c-8b60-cbc68f653995"/> <cybox:Observable idref="mandiant:observable-f55a68e0-97af-4121-85ee-8b23feb6f29a"/> <cybox:Observable idref="mandiant:observable-a3c79f50-830f-4dc8-9a16-eef39da3de28"/> <cybox:Observable idref="mandiant:observable-f8d46e9a-c9d4-4670-8ef4-783ef90a1a7c"/> <cybox:Observable idref="mandiant:observable-c4e9f524-7b23-4fb5-811c-ff5509b39cef"/> <cybox:Observable idref="mandiant:observable-6e42dc99-1133-4272-86a1-15df3f321894"/> <cybox:Observable idref="mandiant:observable-5b78b277-0803-4c51-98fc-ae8be7137ad0"/> <cybox:Observable idref="mandiant:observable-a3e02563-7734-4a6f-a862-44da86216a5d"/> <cybox:Observable idref="mandiant:observable-d871da09-7aa9-45e2-82e0-337091965a78"/> <cybox:Observable idref="mandiant:observable-f5e529a5-1060-462d-a9a9-5b0557dfb725"/> <cybox:Observable idref="mandiant:observable-fbc61ac5-4068-4991-944f-e67d2cddb450"/> <cybox:Observable idref="mandiant:observable-f3686bbb-05ad-4b39-a841-954e68bdee52"/> <cybox:Observable 
idref="mandiant:observable-6f1d0d6d-c088-44c0-98c4-7d55d0d3f26f"/> <cybox:Observable idref="mandiant:observable-f9e82296-0e4e-41be-8521-0a00db0673d0"/> <cybox:Observable idref="mandiant:observable-470dfadb-8598-4cd3-9590-79f90990d336"/> <cybox:Observable idref="mandiant:observable-cb47ec14-afd2-4279-bdb4-1d50313417e2"/> <cybox:Observable idref="mandiant:observable-049d6404-9e41-40e2-ac1a-cee70614ba11"/> <cybox:Observable idref="mandiant:observable-f17913a8-dd0f-45c6-9d35-46aa12027e52"/> <cybox:Observable idref="mandiant:observable-7ae0904e-0c1b-4edd-abe2-4530f1f9805f"/> <cybox:Observable idref="mandiant:observable-41cbafda-9421-4906-981d-755ab6e2dbd6"/> <cybox:Observable idref="mandiant:observable-dcc93edb-8b87-4aa6-b575-ecf5b6a6bca8"/> <cybox:Observable idref="mandiant:observable-3bba770a-9c1c-4549-b365-7f87e6a085b4"/> <cybox:Observable idref="mandiant:observable-493a31bb-eeff-42f6-b431-092d4b671c73"/> <cybox:Observable idref="mandiant:observable-474a5de6-98dd-4d75-855a-644a00f3e503"/> <cybox:Observable idref="mandiant:observable-b66e553d-40f6-41e0-8650-d369b1b5f1fa"/> <cybox:Observable idref="mandiant:observable-f1b414e8-33a0-4b0b-a277-3dfe614507da"/> <cybox:Observable idref="mandiant:observable-ef237e9b-e7e6-4247-a161-6c022117ec38"/> <cybox:Observable idref="mandiant:observable-c2bb85ee-a51e-4f66-8f99-cef724ce674a"/> <cybox:Observable idref="mandiant:observable-7cdeed2e-3ac5-4c2b-a9bc-1a4844bc0e33"/> <cybox:Observable idref="mandiant:observable-c9aaa5c9-f78e-4c89-9ffc-92e5505e681f"/> <cybox:Observable idref="mandiant:observable-329c1481-806a-4d9a-808d-e9af0c8cae88"/> <cybox:Observable idref="mandiant:observable-b4e1239a-763e-452c-bf85-dccfe33808c8"/> <cybox:Observable idref="mandiant:observable-83e63fa0-c005-4a03-a0de-1078f44a7c1f"/> <cybox:Observable idref="mandiant:observable-b146b5e8-c04f-4123-bc7b-edf4cb9eabe6"/> <cybox:Observable idref="mandiant:observable-4c3c445c-15f5-45a4-b217-f22704f4ed8a"/> <cybox:Observable 
idref="mandiant:observable-9c4ed6da-dfa1-4175-9cc6-66d8b6afbcfa"/> <cybox:Observable idref="mandiant:observable-b7357a94-7643-409a-835a-fc62b2f48ace"/> <cybox:Observable idref="mandiant:observable-8d9733d2-42ba-4e05-888b-14207129b441"/> <cybox:Observable idref="mandiant:observable-8523db29-989c-467c-9381-687812c2f1c3"/> <cybox:Observable idref="mandiant:observable-a2bd125b-601b-4d22-8b3b-d1683a08038b"/> <cybox:Observable idref="mandiant:observable-678bd135-d0cf-4e03-aaa0-e99df146301d"/> <cybox:Observable idref="mandiant:observable-91a03df2-d857-4ad2-97ad-3da1f760e57b"/> <cybox:Observable idref="mandiant:observable-1339f61d-cefb-439a-8ef3-0023d642ee35"/> <cybox:Observable idref="mandiant:observable-4fc2a0a8-6643-430e-a732-400596bf484b"/> <cybox:Observable idref="mandiant:observable-2cb48a12-7126-426e-ba71-939082a4513d"/> <cybox:Observable idref="mandiant:observable-6c92db0d-d72b-4efa-999a-9b21ca39a30a"/> <cybox:Observable idref="mandiant:observable-900ac2e8-159b-4ff2-875a-6413b7e39033"/> <cybox:Observable idref="mandiant:observable-aa0b5b1e-79b3-4b33-b2a5-440e4fb1d84a"/> <cybox:Observable idref="mandiant:observable-cf6c29ee-7466-4c54-9dfd-5d9242a67584"/> <cybox:Observable idref="mandiant:observable-b09fe8fc-790f-4e45-9a0c-dcaf88df1380"/> <cybox:Observable idref="mandiant:observable-cfcc75f6-0fcf-4046-ae45-7e2963e8c2fe"/> <cybox:Observable idref="mandiant:observable-4646ce95-63f7-4e9c-ac28-8178ca526e7d"/> <cybox:Observable idref="mandiant:observable-5809d567-79d0-40e4-8dfe-0474a3e0af58"/> <cybox:Observable idref="mandiant:observable-14557f7d-bedc-4722-8798-5ca8d88ae46c"/> <cybox:Observable idref="mandiant:observable-97929c8b-7dab-4004-a1de-0d6d49e2aca5"/> <cybox:Observable idref="mandiant:observable-ea0db72c-9809-487d-a72b-cbdad623497a"/> <cybox:Observable idref="mandiant:observable-232a1e95-18af-4ed1-afcf-53c8e51a31e2"/> <cybox:Observable idref="mandiant:observable-a0af6b2b-7b7a-41e3-a532-106a6bbe8068"/> <cybox:Observable 
idref="mandiant:observable-4ecee824-7a09-4905-8a03-d1d77e31ef98"/> <cybox:Observable idref="mandiant:observable-b7df8f63-0e68-4545-9608-49db64dc842a"/> <cybox:Observable idref="mandiant:observable-865dc2e5-3c94-4862-a9b7-3c44fc0fb16e"/> <cybox:Observable idref="mandiant:observable-e7ff6c13-a488-4c9a-8110-97fa63b1bd1e"/> <cybox:Observable idref="mandiant:observable-a0be44a8-8140-4f5b-a0aa-d165bd5b6c15"/> <cybox:Observable idref="mandiant:observable-8e424f3a-0c4b-4650-b157-a6656050a401"/> <cybox:Observable idref="mandiant:observable-a48c9093-ab8e-4001-a381-013299bbefc1"/> <cybox:Observable idref="mandiant:observable-ca714746-cd7b-4d9d-9698-913df4ebc11d"/> <cybox:Observable idref="mandiant:observable-17565c08-0d52-45da-86d6-4d2b784e00e4"/> <cybox:Observable idref="mandiant:observable-851ea564-2c94-4620-b15c-3f9d76f02a74"/> <cybox:Observable idref="mandiant:observable-9017943d-196c-4858-923d-dffcebd77bf6"/> <cybox:Observable idref="mandiant:observable-feaf6521-3217-48f9-b2e3-8a3e465fe764"/> <cybox:Observable idref="mandiant:observable-b1ebe4ef-4f07-4e17-a1eb-5d371baec782"/> <cybox:Observable idref="mandiant:observable-75d8211b-d323-4b7b-a6a9-b37eb6dcf9e5"/> <cybox:Observable idref="mandiant:observable-c5772131-a3ab-4680-9fd1-784c452e045c"/> <cybox:Observable idref="mandiant:observable-c97e7b64-7ab6-46e8-bae1-9740ebd2624d"/> <cybox:Observable idref="mandiant:observable-71e7258d-3bd9-4e8e-8be8-1a98765f0223"/> <cybox:Observable idref="mandiant:observable-a708371e-4f3e-4e91-bb1d-35d0ce21b866"/> <cybox:Observable idref="mandiant:observable-af49aaa4-20e0-4d53-8c5b-ef0ef0e2faad"/> <cybox:Observable idref="mandiant:observable-106e85c9-31cf-4805-b69b-e32d9770acca"/> <cybox:Observable idref="mandiant:observable-c97a502a-1674-4f08-8a5f-3b1f90ad8381"/> <cybox:Observable idref="mandiant:observable-bb7b444f-3c8f-4f6e-9551-315d3dc75a9c"/> <cybox:Observable idref="mandiant:observable-d2554707-192f-4f1e-8f4a-caa41d2c9db5"/> <cybox:Observable 
idref="mandiant:observable-1cd3f828-f29f-43c6-80b5-5564ac64e24e"/> <cybox:Observable idref="mandiant:observable-e5ab65e1-6116-4dc4-8838-11d79b05317f"/> <cybox:Observable idref="mandiant:observable-2c4d7c13-218b-42a3-9883-7755bd88ced1"/> <cybox:Observable idref="mandiant:observable-87b5674b-3f4a-4a1a-a583-c363caf0844a"/> <cybox:Observable idref="mandiant:observable-a6addc82-4546-40f4-9e2c-1838b8abe6d2"/> <cybox:Observable idref="mandiant:observable-441d6825-81cb-46a2-b5fd-50733dea2336"/> <cybox:Observable idref="mandiant:observable-b76feb62-b32e-426e-9110-9f8759417ce3"/> <cybox:Observable idref="mandiant:observable-b8d2eb7c-f294-4040-8077-246b13d59a63"/> <cybox:Observable idref="mandiant:observable-553117f8-bd7c-4aa0-914a-6377de0f3463"/> <cybox:Observable idref="mandiant:observable-3c791684-0fc8-4bea-a715-10d8ae67cc19"/> <cybox:Observable idref="mandiant:observable-d05fa418-b565-44c7-ae55-b9cf7cf00cb7"/> <cybox:Observable idref="mandiant:observable-53db6475-a3ea-4afd-a3ee-c19b0b9d6a58"/> <cybox:Observable idref="mandiant:observable-f2f0494e-c4b3-4349-ba9b-b97727f7f79b"/> <cybox:Observable idref="mandiant:observable-d6ef728a-e155-4323-9a74-6be5710fa548"/> <cybox:Observable idref="mandiant:observable-3ea0215a-6b3d-4a2f-b782-4a75ef23a07a"/> <cybox:Observable idref="mandiant:observable-73319afd-e722-4ac4-a163-6d3d4c1bcf15"/> <cybox:Observable idref="mandiant:observable-0c29ca36-997a-4d5b-9a10-5927b5359231"/> <cybox:Observable idref="mandiant:observable-82573a72-d55b-44af-abbb-bbf832d45fa6"/> <cybox:Observable idref="mandiant:observable-fb13b7ac-aab0-4fe5-8858-bccd055d9b90"/> <cybox:Observable idref="mandiant:observable-196599a8-1153-431b-96f7-fe9ef358d268"/> <cybox:Observable idref="mandiant:observable-198e1c60-b090-47dc-a38f-bb7524d14397"/> <cybox:Observable idref="mandiant:observable-24f6b24b-9d09-4690-be1b-06459464dd60"/> <cybox:Observable idref="mandiant:observable-eae9116e-675d-4590-af90-435206d5e280"/> <cybox:Observable 
idref="mandiant:observable-6c1ffc0d-09dd-438c-917b-e7d2224a7238"/> <cybox:Observable idref="mandiant:observable-c5a8b6e5-74c5-491a-81a9-3d08f61c8697"/> <cybox:Observable idref="mandiant:observable-d51048c3-30f6-490e-83f7-eb2df1e87a41"/> <cybox:Observable idref="mandiant:observable-7e84c04a-6f3d-41d0-a130-5bed5cd04520"/> <cybox:Observable idref="mandiant:observable-2727239c-d01c-437c-a7e3-2940b1fafed4"/> <cybox:Observable idref="mandiant:observable-c523c024-241d-4cc9-9b85-37c86be82a20"/> <cybox:Observable idref="mandiant:observable-ff7636d0-a8c6-42da-ab0e-39157ed18d0e"/> <cybox:Observable idref="mandiant:observable-b548d814-ad9c-4194-9972-b7d4bb357171"/> <cybox:Observable idref="mandiant:observable-ebca2297-71eb-41ae-9ed0-082400a4f867"/> <cybox:Observable idref="mandiant:observable-82cf46bf-bfbd-4569-b211-fe00bafbad8c"/> <cybox:Observable idref="mandiant:observable-b05ac8bd-8653-4313-87ac-8cf0ecd1fd52"/> <cybox:Observable idref="mandiant:observable-707b6b73-3139-429c-821d-134dfd260c96"/> <cybox:Observable idref="mandiant:observable-f1dd09ad-62f2-46b0-98fb-f9cafb77af1f"/> <cybox:Observable idref="mandiant:observable-dbbc43f7-f85e-45e1-b9b9-581208823275"/> <cybox:Observable idref="mandiant:observable-559b6918-c898-4778-9215-3f21039fd44a"/> <cybox:Observable idref="mandiant:observable-3711a61a-bc46-4ad8-aafa-17f9318b5010"/> <cybox:Observable idref="mandiant:observable-2df54931-2584-47e8-81f4-82058940b2e5"/> <cybox:Observable idref="mandiant:observable-905eacc6-46e0-4a70-947d-d7ca8e43e3e4"/> <cybox:Observable idref="mandiant:observable-639f8281-4437-48ed-9f4a-1c6f5e6eeff7"/> <cybox:Observable idref="mandiant:observable-814200f0-af78-4719-a82f-341dfa71ee57"/> <cybox:Observable idref="mandiant:observable-16c597e8-4b94-4edb-938f-0810e9ef2690"/> <cybox:Observable idref="mandiant:observable-0740cb32-98d1-489c-9c55-fcb686453f8a"/> <cybox:Observable idref="mandiant:observable-cac202fa-8555-433d-8023-5f79fcfc03a4"/> <cybox:Observable 
idref="mandiant:observable-8c293eb7-075b-4104-bbc0-41a76cea08be"/> <cybox:Observable idref="mandiant:observable-b2282f60-b90a-44ee-91cb-59f0f0b962ec"/> <cybox:Observable idref="mandiant:observable-053ecb99-8eb1-4e92-8fd0-1d8154375268"/> <cybox:Observable idref="mandiant:observable-807e98db-f7b4-418a-aed6-72dc19f05d76"/> <cybox:Observable idref="mandiant:observable-c8645b0c-d8bc-4ff6-80bd-71a2de3a0bb9"/> <cybox:Observable idref="mandiant:observable-6d5c7154-48eb-4792-baf2-e6d91f6cf36d"/> <cybox:Observable idref="mandiant:observable-bb66a3f5-f29d-4d55-b732-338fb1b701b5"/> <cybox:Observable idref="mandiant:observable-2672fb23-8070-4b6e-ba51-383087900160"/> <cybox:Observable idref="mandiant:observable-76c4f060-bd17-4e8d-aae1-4d70dd565d78"/> <cybox:Observable idref="mandiant:observable-bcbcaa06-a184-4c65-aa5f-74ab8be16212"/> <cybox:Observable idref="mandiant:observable-5d051b62-04bc-4b61-8670-425f975bf378"/> <cybox:Observable idref="mandiant:observable-7d5b5ff3-41be-4d24-9c3e-c7723c1ae807"/> <cybox:Observable idref="mandiant:observable-036dffea-62da-41c1-bf3f-5367d5bf536a"/> <cybox:Observable idref="mandiant:observable-cf7ef16f-a838-4e17-a21f-551c7c737858"/> <cybox:Observable idref="mandiant:observable-75929f3b-081f-4df0-b464-f1f256a609dc"/> <cybox:Observable idref="mandiant:observable-4fa8838e-2668-4081-a83a-fb91d8cce1a8"/> <cybox:Observable idref="mandiant:observable-b56bbb81-0344-4b4f-9d12-60765bc45bf9"/> <cybox:Observable idref="mandiant:observable-bb141ed4-e569-4ba2-a0dd-be481088d1fd"/> <cybox:Observable idref="mandiant:observable-e3d10dac-f42b-41a2-828d-c7f0df2ab24d"/> <cybox:Observable idref="mandiant:observable-4f52d963-743e-444d-885c-1222938a1849"/> <cybox:Observable idref="mandiant:observable-5f1e9bb3-2072-4dc9-bd51-175e75500e08"/> <cybox:Observable idref="mandiant:observable-3165b381-f361-47e5-bfa2-6254b9a95f92"/> <cybox:Observable idref="mandiant:observable-353086f3-f7d6-439f-8a7c-b7bf83ec4e10"/> <cybox:Observable 
idref="mandiant:observable-dc71ba29-82d1-494a-aedd-2f21a089406d"/> <cybox:Observable idref="mandiant:observable-22587830-8355-4949-bac1-effe145e45c8"/> <cybox:Observable idref="mandiant:observable-73f9e853-feb8-49e1-9373-c442800a3882"/> <cybox:Observable idref="mandiant:observable-f303cf23-b998-4fff-8b0f-dd427b93b00d"/> <cybox:Observable idref="mandiant:observable-c0a9f30b-42c6-489c-a1a6-d68fb32d5741"/> <cybox:Observable idref="mandiant:observable-d4cc4757-d9a0-4e3d-a9e5-93fdda1328bd"/> <cybox:Observable idref="mandiant:observable-5d96e91a-e8af-4279-aff8-f7ee1035b553"/> <cybox:Observable idref="mandiant:observable-28e36290-156b-472b-8697-1fd83214f159"/> <cybox:Observable idref="mandiant:observable-c5bacb83-ed6a-449f-8435-aaa14829020d"/> <cybox:Observable idref="mandiant:observable-fba246d4-63a9-44d8-b683-7a8873edab4b"/> <cybox:Observable idref="mandiant:observable-7cd0d0f3-629d-4d23-9be6-f0e87ac83de4"/> <cybox:Observable idref="mandiant:observable-a1ea4b28-4641-4d32-b3d9-77e88596e1e3"/> <cybox:Observable idref="mandiant:observable-25fe922f-8c85-4036-8b66-4c0a14035066"/> <cybox:Observable idref="mandiant:observable-83b80c37-dc92-4520-ab62-244cdeabeb9d"/> <cybox:Observable idref="mandiant:observable-2a32d815-3b5d-426e-b75d-1fa9d6669b19"/> <cybox:Observable idref="mandiant:observable-794fb4a0-ea6a-482f-9e0d-d247c8685518"/> <cybox:Observable idref="mandiant:observable-5a2d6053-025b-46c2-b34e-3393d058a54a"/> <cybox:Observable idref="mandiant:observable-db42b8c8-8970-455b-893f-984bcd429fa5"/> <cybox:Observable idref="mandiant:observable-fe942121-30ee-48a0-ac71-ffb77fa9419b"/> <cybox:Observable idref="mandiant:observable-d1269ce0-b8ce-4687-a57d-e912eb453a87"/> <cybox:Observable idref="mandiant:observable-73d21b20-8517-4c34-80d2-aab23275ffdb"/> <cybox:Observable idref="mandiant:observable-f6d336e8-8698-425c-bb52-39a177c16abc"/> <cybox:Observable idref="mandiant:observable-820cd5fe-38fc-46bd-8b8e-1e54123fc4c8"/> <cybox:Observable 
idref="mandiant:observable-16c32e93-5328-4c6e-b3d3-033276ceb53e"/> <cybox:Observable idref="mandiant:observable-31dabc58-f045-439c-8ca1-7a4cc5de75f1"/> <cybox:Observable idref="mandiant:observable-9a222096-0778-45ed-9f1b-97097308d772"/> <cybox:Observable idref="mandiant:observable-b02ded2c-f824-4146-a3f1-e6fc5f6c5599"/> <cybox:Observable idref="mandiant:observable-42542bca-6c09-4f4b-a2e5-b54d69062a84"/> <cybox:Observable idref="mandiant:observable-17942e46-f4cc-4f97-a68b-24388656b57a"/> <cybox:Observable idref="mandiant:observable-be3d5ade-520e-421f-a09b-d65dd3346ada"/> <cybox:Observable idref="mandiant:observable-01bce683-12e0-4566-aae4-8f819bfb4d6f"/> <cybox:Observable idref="mandiant:observable-c1bb4fad-f3f0-4d7a-861d-c4302e4b1f37"/> <cybox:Observable idref="mandiant:observable-7d002204-b850-4193-92d3-3016e95d59d1"/> <cybox:Observable idref="mandiant:observable-31268200-df2e-4252-8359-ae7a90433cc5"/> <cybox:Observable idref="mandiant:observable-fce682eb-b3e1-4d38-a42e-2de5eec1c850"/> <cybox:Observable idref="mandiant:observable-69718092-b9ee-45a9-822c-1eaa4a997d39"/> <cybox:Observable idref="mandiant:observable-f0aeffcd-c53d-4176-8b7d-7018c848bf6f"/> <cybox:Observable idref="mandiant:observable-b771e7b8-6f7a-4f66-8714-faf593b28b7e"/> <cybox:Observable idref="mandiant:observable-024dd82e-75ed-4574-8ca0-9c55c63e354b"/> <cybox:Observable idref="mandiant:observable-3179c759-84f6-46ca-8143-82908ebc34cd"/> <cybox:Observable idref="mandiant:observable-ef39982f-d403-4c7a-a1ba-5c598ecc8dcc"/> <cybox:Observable idref="mandiant:observable-a68353b7-e572-4766-87f9-09b5e5428fe5"/> <cybox:Observable idref="mandiant:observable-459bd1d1-b0e4-446a-931a-3471c2dd1718"/> <cybox:Observable idref="mandiant:observable-c4703fed-7e16-4d10-a9df-0edbe18fbe1c"/> <cybox:Observable idref="mandiant:observable-a19e1652-b5fd-4c7b-a201-0bdfa1bba90f"/> <cybox:Observable idref="mandiant:observable-28ad0026-1864-4eaf-96fe-3029613345f5"/> <cybox:Observable 
idref="mandiant:observable-b73a948f-25cf-4b6f-90bf-a5224d7edadf"/> <cybox:Observable idref="mandiant:observable-b61c3c5f-e034-47d8-bcba-c84628799458"/> <cybox:Observable idref="mandiant:observable-60f513ab-f989-41c1-b7a6-14338b505108"/> <cybox:Observable idref="mandiant:observable-24cbc42a-3990-4270-b87c-2e14ffeb17cb"/> <cybox:Observable idref="mandiant:observable-f8a37975-06eb-48f6-9ff1-72891d974715"/> <cybox:Observable idref="mandiant:observable-cdbac038-6f51-42ec-96c3-ae1bb9b0ca68"/> <cybox:Observable idref="mandiant:observable-b224b921-23c9-4cc5-968c-0f31e1a9fe53"/> <cybox:Observable idref="mandiant:observable-0600e80a-95a5-4849-abf4-f5b0f037b3a3"/> <cybox:Observable idref="mandiant:observable-8528458b-c27e-4539-87d0-740419f90bc6"/> <cybox:Observable idref="mandiant:observable-c9b8eaf1-5f27-4f7d-89fe-d34c7f5ac6f9"/> <cybox:Observable idref="mandiant:observable-4a1bbbc9-7936-40d6-bb12-ae6d0ebbef1c"/> <cybox:Observable idref="mandiant:observable-e37f6f41-81e5-41cd-b3e1-4472636750eb"/> <cybox:Observable idref="mandiant:observable-dabfafb0-f038-4c46-bae4-72c9b2c47ace"/> <cybox:Observable idref="mandiant:observable-f9ae4070-21a5-4c49-bd11-ed725122736f"/> <cybox:Observable idref="mandiant:observable-6a89b4c0-718d-4f6c-bbb2-0cfaa81360d6"/> <cybox:Observable idref="mandiant:observable-eff16361-6bcb-487f-b12f-7c7524975aa9"/> <cybox:Observable idref="mandiant:observable-055e7e38-b434-481e-827d-d46104055c40"/> <cybox:Observable idref="mandiant:observable-86a57228-9fe8-4ea9-952c-2bd01b4d79cd"/> <cybox:Observable idref="mandiant:observable-c412bc98-8edc-424b-9416-33c7011bf3b8"/> <cybox:Observable idref="mandiant:observable-8a2f5ff2-237c-4e45-835f-95b757469ed1"/> <cybox:Observable idref="mandiant:observable-3ff255fd-4cf6-4155-aaf5-de033933493e"/> <cybox:Observable idref="mandiant:observable-3409584e-e89d-4b18-8f81-c0f3a96a22b6"/> <cybox:Observable idref="mandiant:observable-271340f5-a56b-4651-950f-ffc9e77c0ca0"/> <cybox:Observable 
idref="mandiant:observable-b2dd815f-0016-4240-b831-7c3190aa3c0d"/> <cybox:Observable idref="mandiant:observable-d74d9b5b-58d3-4ef4-a818-c83695a2a7af"/> <cybox:Observable idref="mandiant:observable-03f0423f-c6db-4ac4-9b57-319d43ecfb99"/> <cybox:Observable idref="mandiant:observable-f2b0f996-240f-4c98-84e1-795a91af6157"/> <cybox:Observable idref="mandiant:observable-4fcc4a24-31f0-4de9-b404-19a84e785839"/> <cybox:Observable idref="mandiant:observable-0d6bc525-8980-40eb-b177-25199a431e05"/> <cybox:Observable idref="mandiant:observable-ad26d135-7c06-444c-bd9c-148152936129"/> <cybox:Observable idref="mandiant:observable-ad2b7f76-8999-4855-be06-95fe7333eab7"/> <cybox:Observable idref="mandiant:observable-f9691ac4-b7a6-4a68-8ab5-ca6d45166fca"/> <cybox:Observable idref="mandiant:observable-3168aba4-6246-44d6-a79a-cd6b067f41ad"/> <cybox:Observable idref="mandiant:observable-8fdb58e5-116a-41ff-a7d2-46e56f9439c5"/> <cybox:Observable idref="mandiant:observable-949db1fa-fc0c-41d9-90c9-ca9314c654ab"/> <cybox:Observable idref="mandiant:observable-b5419754-1d7e-4e0d-ba79-061896bf8389"/> <cybox:Observable idref="mandiant:observable-e105b49f-391e-45e7-86dd-eb2d8087e30d"/> <cybox:Observable idref="mandiant:observable-a931fac9-3d66-4f67-a96b-eac1d080a898"/> <cybox:Observable idref="mandiant:observable-40fe973a-354a-440c-9c01-793d25556721"/> <cybox:Observable idref="mandiant:observable-ccddc305-d691-4be8-9c78-333e2a036daf"/> <cybox:Observable idref="mandiant:observable-80081b94-7df9-4aef-8137-73e0c2c8eefc"/> <cybox:Observable idref="mandiant:observable-ca97b6b3-ae36-479e-b7ff-9363f3169447"/> <cybox:Observable idref="mandiant:observable-6610f26a-8c07-477c-9fa1-21dfd3050f15"/> <cybox:Observable idref="mandiant:observable-42d0ed40-0e93-4624-b28a-2f1e02b71c71"/> <cybox:Observable idref="mandiant:observable-549b908d-4d7c-42cb-bb21-ad2ca1c313fd"/> <cybox:Observable idref="mandiant:observable-f59fdba5-77be-4958-8488-a5e7a476a21c"/> <cybox:Observable 
idref="mandiant:observable-a7eb94d7-36d5-4b3e-b15c-905cfe3440f0"/> <cybox:Observable idref="mandiant:observable-f30a28b5-289b-44a4-a057-6bb48b209b50"/> <cybox:Observable idref="mandiant:observable-e2a7d3c7-66e0-436c-b7ff-6dda4a2d182b"/> <cybox:Observable idref="mandiant:observable-c98fb076-c73c-4339-9e81-1603d71c14cb"/> <cybox:Observable idref="mandiant:observable-ca8a127b-c365-4406-bb58-d965f17d3072"/> <cybox:Observable idref="mandiant:observable-de622043-d18d-4570-9c41-785e1f926d04"/> <cybox:Observable idref="mandiant:observable-69e791a7-621c-47fe-84d0-8c7c3c4c5539"/> <cybox:Observable idref="mandiant:observable-f2b05d1a-ef70-47ae-bb16-0972c5673db8"/> <cybox:Observable idref="mandiant:observable-abe084a6-95c9-4e2e-b50c-48634b049e8d"/> <cybox:Observable idref="mandiant:observable-d091bd18-9d30-4a5a-b73f-4e5686c7c61f"/> <cybox:Observable idref="mandiant:observable-9a0d7892-fe69-4f2b-b8b5-6bf1459adbf0"/> <cybox:Observable idref="mandiant:observable-0339701e-b944-4d36-a744-1a2d1dc4984a"/> <cybox:Observable idref="mandiant:observable-efa91ffd-9547-45e5-8f43-830b30630826"/> <cybox:Observable idref="mandiant:observable-71d2a49a-782a-4cec-8706-9d637847c256"/> <cybox:Observable idref="mandiant:observable-37423a2a-23ec-4836-bc6c-e91e3bbbc139"/> <cybox:Observable idref="mandiant:observable-12571590-08e0-4061-b6d1-eb491408217c"/> <cybox:Observable idref="mandiant:observable-b254ec57-2b1f-415e-9b4a-d0fa1824ec89"/> <cybox:Observable idref="mandiant:observable-d749c083-a4f7-40cc-8c67-28ac66e114d1"/> <cybox:Observable idref="mandiant:observable-e6799d98-6e76-4b67-add5-543c27b1ce11"/> <cybox:Observable idref="mandiant:observable-031173b9-3d67-4eb0-a9b2-cb0309e1d4ea"/> <cybox:Observable idref="mandiant:observable-10e80b2c-58ec-4ee0-94ed-dab861d672f3"/> <cybox:Observable idref="mandiant:observable-2c8d7578-f766-410c-bafa-ad6b2c465d5b"/> <cybox:Observable idref="mandiant:observable-e7727486-09ce-4567-9500-3ab2d7314def"/> <cybox:Observable 
idref="mandiant:observable-8e383de5-dc05-41ba-bb1a-237d315752fc"/> <cybox:Observable idref="mandiant:observable-27c0377b-ae5d-47d8-b7b4-369a5e19d96e"/> <cybox:Observable idref="mandiant:observable-a3d15fc1-a35a-4427-a3d7-f2f32da400cb"/> <cybox:Observable idref="mandiant:observable-9d71ef02-d837-42d5-9697-01909ef67497"/> <cybox:Observable idref="mandiant:observable-2be3fe72-f623-4db7-8546-37a789c51737"/> <cybox:Observable idref="mandiant:observable-7d0a3622-cb89-4387-98df-46cce2c03eae"/> <cybox:Observable idref="mandiant:observable-ac970ae5-b767-4853-bc68-56e6902ac774"/> <cybox:Observable idref="mandiant:observable-ebdb3df3-a53c-4df9-bf81-abe1d85058bd"/> <cybox:Observable idref="mandiant:observable-5236ded3-932e-400d-9941-07da6e92de13"/> <cybox:Observable idref="mandiant:observable-998d432c-ea3a-4483-8c2d-90fbcb6aace6"/> <cybox:Observable idref="mandiant:observable-95907c16-e72e-4a13-916a-57d216ca5ba9"/> <cybox:Observable idref="mandiant:observable-8cc362ec-5bf7-4829-9374-35ab06631eea"/> <cybox:Observable idref="mandiant:observable-f5a213e2-e862-4ba8-8f1c-03d5a8d150a0"/> <cybox:Observable idref="mandiant:observable-cfee9e99-7cf0-410c-a733-6d5955e9fc73"/> <cybox:Observable idref="mandiant:observable-d8911b27-17cf-4264-9a51-68d111a56068"/> <cybox:Observable idref="mandiant:observable-61a03b1e-0e29-4636-b0e1-491b9cf40561"/> <cybox:Observable idref="mandiant:observable-ced89bd9-a6cb-48b0-b401-b76a5b3f95cd"/> <cybox:Observable idref="mandiant:observable-fa8df09e-f458-4392-b8e2-733500f31483"/> <cybox:Observable idref="mandiant:observable-f9951faf-1de8-4b86-927a-a800b7537245"/> <cybox:Observable idref="mandiant:observable-fd457d34-2778-4cbe-978e-c95a7aa8dfba"/> <cybox:Observable idref="mandiant:observable-a7134924-b7a0-4f1c-b818-4e38f2c2f63d"/> <cybox:Observable idref="mandiant:observable-2238b0c8-37b7-49a9-83e4-4f1861409940"/> <cybox:Observable idref="mandiant:observable-1e6db3c7-b93a-43e7-ae3d-dc44910f0c5b"/> <cybox:Observable 
idref="mandiant:observable-031beb4a-f30c-4bb4-950f-99c9a762691f"/> <cybox:Observable idref="mandiant:observable-15526961-181e-4767-81c1-22e7f5d0444c"/> <cybox:Observable idref="mandiant:observable-54e1cfa7-5b9f-4dac-9b4d-732bb293815c"/> <cybox:Observable idref="mandiant:observable-511936a6-ff5e-4463-ae3c-7c304387ec73"/> <cybox:Observable idref="mandiant:observable-5dd6ca2f-564f-4d12-ae49-07c9b8c42705"/> <cybox:Observable idref="mandiant:observable-4b1620f4-94db-4cb7-98d1-7141c7568631"/> <cybox:Observable idref="mandiant:observable-9f36688c-aa19-4d6d-ac0e-58dbf963cdff"/> <cybox:Observable idref="mandiant:observable-be21f52c-fe43-4511-9ab6-fc00e6b23282"/> <cybox:Observable idref="mandiant:observable-4494ac88-9ec5-4190-b3c6-d083b6ce7c2d"/> <cybox:Observable idref="mandiant:observable-e07a2b0f-b23a-44d3-9047-5579172d4936"/> <cybox:Observable idref="mandiant:observable-b60946dd-61b1-4e52-b3a2-577f717334cb"/> <cybox:Observable idref="mandiant:observable-3c518aee-4064-4202-8a4b-de3e8a10a40c"/> <cybox:Observable idref="mandiant:observable-d5216c57-dd11-4343-a269-97abf7e8c45d"/> <cybox:Observable idref="mandiant:observable-ae8fd0ff-f4e9-4d36-ad1c-5d7ab6b5e4c6"/> <cybox:Observable idref="mandiant:observable-a076efc9-286e-45ad-b1cf-10c1544614e5"/> <cybox:Observable idref="mandiant:observable-11395907-8fc0-48ff-ab5c-0fa2bf0e8d2b"/> <cybox:Observable idref="mandiant:observable-4226b629-8bff-4b2a-87a7-e5fac402c3cf"/> <cybox:Observable idref="mandiant:observable-8bbb0362-5760-4b81-9ec6-8732388d2e35"/> <cybox:Observable idref="mandiant:observable-b339ef46-6452-422a-9421-14c96a48bfd6"/> <cybox:Observable idref="mandiant:observable-1e74cabc-58df-4e91-8256-0a8cef0b8144"/> <cybox:Observable idref="mandiant:observable-d9efea8e-5f1a-4893-81a1-3022410a2359"/> <cybox:Observable idref="mandiant:observable-6c044212-b4c3-42b1-98f0-a23db4579307"/> <cybox:Observable idref="mandiant:observable-0a45a393-c5bb-4abe-9fe5-55884ed3301e"/> <cybox:Observable 
idref="mandiant:observable-eccbdeca-17e3-49e2-86e6-d9a958b282b0"/> <cybox:Observable idref="mandiant:observable-876efde6-d854-4985-b4bc-38eeaf6ef402"/> <cybox:Observable idref="mandiant:observable-168e96c7-27ee-4dd9-83ef-42068e64e550"/> <cybox:Observable idref="mandiant:observable-2146b9ab-a964-4949-b0cf-0ee322674c97"/> <cybox:Observable idref="mandiant:observable-78a4421d-77f0-4baa-8b0f-4e502e1e6341"/> <cybox:Observable idref="mandiant:observable-b0d3d267-a266-4f4a-bf73-bd4bf33895c1"/> <cybox:Observable idref="mandiant:observable-13e6bd1c-3cb0-4045-8183-1bcba1a00bf0"/> <cybox:Observable idref="mandiant:observable-3048ce00-8772-4297-b560-661bd502930a"/> <cybox:Observable idref="mandiant:observable-950b8512-8dae-4155-a5ce-f5a5a87d85fe"/> <cybox:Observable idref="mandiant:observable-742e90a6-04f6-4c3b-a5d3-99f524401478"/> <cybox:Observable idref="mandiant:observable-ca3fb6b4-0230-4d9b-bc05-3030c8e35c70"/> <cybox:Observable idref="mandiant:observable-55e8ea00-8198-48b9-8706-858df3791137"/> <cybox:Observable idref="mandiant:observable-65937d7e-c289-4f93-9738-b1b70b9db291"/> <cybox:Observable idref="mandiant:observable-296b347b-44c5-4379-ab6e-47586c09008b"/> <cybox:Observable idref="mandiant:observable-7708d1e5-a710-45ba-ab53-2b47bd1ebec2"/> <cybox:Observable idref="mandiant:observable-38bbe2e6-52e5-4546-a24b-7d8a8a7be008"/> <cybox:Observable idref="mandiant:observable-03cc9226-6a52-4bdc-b8dd-5b59290e24e0"/> <cybox:Observable idref="mandiant:observable-79043b13-593d-44bb-a968-2cc4796ea553"/> <cybox:Observable idref="mandiant:observable-f831fe68-6ad9-4c3b-a458-da96e99bf51d"/> <cybox:Observable idref="mandiant:observable-7a8dafce-2759-407f-b933-58f880373498"/> <cybox:Observable idref="mandiant:observable-3712e3ad-c73f-4ac6-a060-ae91e5f4b209"/> <cybox:Observable idref="mandiant:observable-6a0c1869-51f9-47bd-b5ab-6dccb1e5c4dc"/> <cybox:Observable idref="mandiant:observable-e2902c12-d2d9-4430-b52e-f50b3a3cda0f"/> <cybox:Observable 
idref="mandiant:observable-0dc669b3-4708-4b9a-8342-39908c8fda76"/> <cybox:Observable idref="mandiant:observable-6390e920-b130-40a9-9c47-65e95ce704d7"/> <cybox:Observable idref="mandiant:observable-9992608a-b5ec-4de9-bc6c-ca680d901747"/> <cybox:Observable idref="mandiant:observable-e5e238fa-ee3c-4b90-bab0-f4e51686deb8"/> <cybox:Observable idref="mandiant:observable-78f7038b-c6b3-43b0-9d4e-f008ffc3d39f"/> <cybox:Observable idref="mandiant:observable-e206f2f2-91fa-4226-b125-b1d62a4d6a4d"/> <cybox:Observable idref="mandiant:observable-2d4e4cea-ac61-4439-9103-2df82e51dd94"/> <cybox:Observable idref="mandiant:observable-bbbaa9f5-88b4-4769-9295-067830277580"/> <cybox:Observable idref="mandiant:observable-97fbb0b2-280f-4652-a875-3ab57069fd94"/> <cybox:Observable idref="mandiant:observable-fc91331f-c835-40e8-a9d0-c8805a056ec1"/> <cybox:Observable idref="mandiant:observable-af547634-8c89-45c3-b523-d1c69dee87bc"/> <cybox:Observable idref="mandiant:observable-8d12f279-1dfd-49cb-9bc6-20c391e261c1"/> <cybox:Observable idref="mandiant:observable-8a1917da-62fa-4907-bbe1-a346b341ecc0"/> <cybox:Observable idref="mandiant:observable-1da495ad-f5dd-4d85-af38-2e1eb9dcd87d"/> <cybox:Observable idref="mandiant:observable-aff25096-ef94-4f73-9d6c-b137d311b76d"/> <cybox:Observable idref="mandiant:observable-dc43aa34-8044-424e-9149-8afa4ff0c577"/> <cybox:Observable idref="mandiant:observable-e8fa3d4f-1ed1-4649-9fe2-4a06dd4bf0f4"/> <cybox:Observable idref="mandiant:observable-f23bf30c-ef3f-4534-ae43-5a1a27f9b299"/> <cybox:Observable idref="mandiant:observable-33566849-1f86-465f-9bd9-d3d72022c7f1"/> <cybox:Observable idref="mandiant:observable-4fb0d58e-5b9d-4915-8df8-6a6b5047c285"/> <cybox:Observable idref="mandiant:observable-99656710-b8a5-46e8-90eb-2bd5c875a1ca"/> <cybox:Observable idref="mandiant:observable-051542fe-3415-415a-a8b1-fa809229fb26"/> <cybox:Observable idref="mandiant:observable-95f6e322-44c7-4ef4-848a-0fbe23c5fc1b"/> <cybox:Observable 
idref="mandiant:observable-540da951-fcb2-43f1-89a3-495305c3fd10"/> <cybox:Observable idref="mandiant:observable-8a03ee9e-5043-4ce1-8729-0c12a92a908d"/> <cybox:Observable idref="mandiant:observable-f9e0e6f8-9b2b-4b81-833f-2ade30521be4"/> <cybox:Observable idref="mandiant:observable-4719129c-3284-4b72-a7e2-b67e1d76b3e9"/> <cybox:Observable idref="mandiant:observable-b88fe4c2-2780-4e86-abc9-1fd01d05f1d2"/> <cybox:Observable idref="mandiant:observable-24ee6705-c3d8-4304-9a06-4008a9a23449"/> <cybox:Observable idref="mandiant:observable-92f1ffb0-0478-433c-a45c-bdb3fca452a6"/> <cybox:Observable idref="mandiant:observable-e80dbbec-1827-4c76-b561-4a826a74ec76"/> <cybox:Observable idref="mandiant:observable-fbc4c735-31e5-4ea6-bd69-c8c8c49614b9"/> <cybox:Observable idref="mandiant:observable-590410e3-cbb5-4a58-aba7-2c8f849f7e07"/> <cybox:Observable idref="mandiant:observable-c5debc8f-5481-4f4a-a8f1-f9e791be932e"/> <cybox:Observable idref="mandiant:observable-ee66514f-48be-4d66-88d3-058cb83c21c7"/> <cybox:Observable idref="mandiant:observable-2353a63c-c816-4a3f-aabd-3e7c451964f8"/> <cybox:Observable idref="mandiant:observable-9ba05a25-54a9-4288-8d9b-19d1633e382e"/> <cybox:Observable idref="mandiant:observable-0c862527-c7a6-4721-846b-674360e02d05"/> <cybox:Observable idref="mandiant:observable-60c2eb4a-09b9-4cdc-a25d-cdcb6b2d048a"/> <cybox:Observable idref="mandiant:observable-95395c68-d46e-46cf-8c34-cab57248c436"/> <cybox:Observable idref="mandiant:observable-d88551f7-346a-40f6-aff2-9d37b191b2a4"/> <cybox:Observable idref="mandiant:observable-8c17b911-940f-48e5-a9d3-a1a37b874a73"/> <cybox:Observable idref="mandiant:observable-b5e3109b-d003-4e43-ae1b-dd211ce39546"/> <cybox:Observable idref="mandiant:observable-dddc6df3-bd6a-4f9c-b64c-e41eb6a2a160"/> <cybox:Observable idref="mandiant:observable-5515aa67-956d-453e-a5f7-21cbc3b6bc01"/> <cybox:Observable idref="mandiant:observable-fefb9769-9a14-4e4b-bb43-b11ac1ea5d20"/> <cybox:Observable 
idref="mandiant:observable-e4ba4a24-5fa0-43b1-a710-55c1060ffbe4"/> <cybox:Observable idref="mandiant:observable-5ad007ee-80eb-4111-bf39-4beb81513c04"/> <cybox:Observable idref="mandiant:observable-9af5d073-4bcc-4b57-8add-450b271b8d7c"/> <cybox:Observable idref="mandiant:observable-bdd720ac-a60c-48e5-a701-11bce6df9481"/> <cybox:Observable idref="mandiant:observable-7f63da93-6a36-4931-bbc1-305ee9445d3a"/> <cybox:Observable idref="mandiant:observable-ad091b9c-f29a-4f0f-a50a-a0d11290feb7"/> <cybox:Observable idref="mandiant:observable-5fffb910-e9d0-4919-8fc0-7afb3eabe2e6"/> <cybox:Observable idref="mandiant:observable-55fe4b5d-70ed-448e-ba29-26e285605e6f"/> <cybox:Observable idref="mandiant:observable-0484c86e-0cc7-4f45-93b2-ccaa72d35abd"/> <cybox:Observable idref="mandiant:observable-2f0e18e2-3d62-4d5f-8523-0f5deee4e6a2"/> <cybox:Observable idref="mandiant:observable-4c974f84-2a25-4971-8926-c08927cd92f6"/> <cybox:Observable idref="mandiant:observable-f3a6eafd-ea13-4671-89f7-54441ffa55c2"/> <cybox:Observable idref="mandiant:observable-a83301c8-e493-4376-aa6d-d0900fe3de18"/> <cybox:Observable idref="mandiant:observable-efbc08ef-d619-402b-8958-31d69ca7ab41"/> <cybox:Observable idref="mandiant:observable-132a00f2-2ea7-4840-a64a-61dd8e5f6a41"/> <cybox:Observable idref="mandiant:observable-5117db30-f6e1-48a7-85c3-5fc54bd09520"/> <cybox:Observable idref="mandiant:observable-0a82d11c-ef7e-45e1-b1d9-afb1908c132b"/> <cybox:Observable idref="mandiant:observable-2d23d214-8c30-4615-a7f8-502377704091"/> <cybox:Observable idref="mandiant:observable-9450b911-ff5b-4ca2-9291-f77794b911ac"/> <cybox:Observable idref="mandiant:observable-e16a4b65-7734-4a99-ab70-5bd5d2ed2973"/> <cybox:Observable idref="mandiant:observable-c126266f-2951-4a8f-89b9-8e20f568b08f"/> <cybox:Observable idref="mandiant:observable-48a465c4-15ee-43c6-b54d-efc49ab756a5"/> <cybox:Observable idref="mandiant:observable-78db76ec-e88d-4910-9cc8-bce5a97300d6"/> <cybox:Observable 
idref="mandiant:observable-a9781e3b-ae53-4128-a71b-cee9245ff0b6"/> <cybox:Observable idref="mandiant:observable-dee91341-74a3-4abc-86d9-fef25e10d246"/> <cybox:Observable idref="mandiant:observable-12d4130f-cc2e-4381-bd02-b3d44f4833b4"/> <cybox:Observable idref="mandiant:observable-c2be8c2c-0d24-4456-aefd-b23eb2b6f0b9"/> <cybox:Observable idref="mandiant:observable-d5140a1b-8e85-4dfb-b63a-1acc5eef20b1"/> <cybox:Observable idref="mandiant:observable-b0b379f8-7193-4a0a-af42-efea99dc4af9"/> <cybox:Observable idref="mandiant:observable-c67a21b6-8a52-48f7-bea9-713f9e90b2ac"/> <cybox:Observable idref="mandiant:observable-b6d6fb31-f0d1-4c76-9dc7-fd18d7c99a61"/> <cybox:Observable idref="mandiant:observable-d0aa3f97-a750-44c2-9997-ac2dc9b877a9"/> <cybox:Observable idref="mandiant:observable-57fb3999-92a2-4c02-b5ec-0e05e151b0c7"/> <cybox:Observable idref="mandiant:observable-4685be44-fde1-4cfa-a08a-c5dc536f461b"/> <cybox:Observable idref="mandiant:observable-74f6d69a-7497-4553-aa6b-d43b5821a7d4"/> <cybox:Observable idref="mandiant:observable-27a80dc4-6220-4b79-adae-6100cdbcad22"/> <cybox:Observable idref="mandiant:observable-5eef2e99-9a20-4513-ada7-74e06d9c3fc2"/> <cybox:Observable idref="mandiant:observable-bd596294-f70f-4401-bea6-5069ba7bd850"/> <cybox:Observable idref="mandiant:observable-b451f468-0c0f-475f-9493-9b67ddf9050e"/> <cybox:Observable idref="mandiant:observable-2c81eec5-d9df-4726-ac36-1629970bf2fc"/> <cybox:Observable idref="mandiant:observable-da67532b-372e-4f1f-8631-f4e0ae1185f5"/> <cybox:Observable idref="mandiant:observable-a784718d-0dff-462c-8b26-ca1114361fe9"/> <cybox:Observable idref="mandiant:observable-079200ea-25ad-4d16-ab0b-9dd72b49b919"/> <cybox:Observable idref="mandiant:observable-56afacfd-0e57-4061-8677-24f1bcb36ab0"/> <cybox:Observable idref="mandiant:observable-5c1fc3c1-fd6a-4848-9d7e-5bbbdd8c21b1"/> <cybox:Observable idref="mandiant:observable-8371563b-64e3-4461-a0f3-63e429f5ad70"/> <cybox:Observable 
idref="mandiant:observable-e93266a8-02fb-422c-981f-6af800981077"/> <cybox:Observable idref="mandiant:observable-ce68864a-3815-4fd6-8e29-d1a5d3b91269"/> <cybox:Observable idref="mandiant:observable-2fa0874d-9c46-43d3-8fd9-6a042da17ade"/> <cybox:Observable idref="mandiant:observable-d24ee18d-f0b6-4d83-bc53-05cfe0d9cd3d"/> <cybox:Observable idref="mandiant:observable-4e197d86-fb67-4df7-a36e-ff5028eebac3"/> <cybox:Observable idref="mandiant:observable-8a7f6dbb-a84c-41bc-b608-346aaa7bb3b2"/> <cybox:Observable idref="mandiant:observable-8930ade3-1c85-4847-be0d-8427004d612d"/> <cybox:Observable idref="mandiant:observable-8fbdbbd0-d7da-4a19-9218-0e058cf8b18f"/> <cybox:Observable idref="mandiant:observable-d1d1b452-8db5-45d9-9a63-cce3a33426fd"/> <cybox:Observable idref="mandiant:observable-f883131c-f756-466d-b16f-cad183b228ad"/> <cybox:Observable idref="mandiant:observable-d4c672d3-88eb-4f22-8553-f8cbb376ced2"/> <cybox:Observable idref="mandiant:observable-204e7327-0e0c-4cba-a595-f61a7d60e840"/> <cybox:Observable idref="mandiant:observable-0558aa4b-6126-4621-bb95-f276c7107745"/> <cybox:Observable idref="mandiant:observable-cf3e8804-fcd6-4f2b-a4c1-52d2fea7eff2"/> <cybox:Observable idref="mandiant:observable-5efec108-ba4f-4519-a779-0ea573127fb8"/> <cybox:Observable idref="mandiant:observable-888f495c-08ef-46e7-aa45-05b324071b56"/> <cybox:Observable idref="mandiant:observable-76e93ed6-826c-42f8-916a-23de349fb622"/> <cybox:Observable idref="mandiant:observable-10d7f76a-5b8c-4fc1-b373-26278d7f530b"/> <cybox:Observable idref="mandiant:observable-f6a9ab21-43a3-4eb2-995c-42814a0e6003"/> <cybox:Observable idref="mandiant:observable-b6429584-2467-4f20-9b84-edb96212aab9"/> <cybox:Observable idref="mandiant:observable-0665b3ac-863a-4886-8b27-aa04223b038b"/> <cybox:Observable idref="mandiant:observable-c8955f74-70e3-4bb8-9793-22f31ccf307c"/> <cybox:Observable idref="mandiant:observable-95bdaae1-b151-42b1-99b0-4887617d8288"/> <cybox:Observable 
idref="mandiant:observable-97651762-c8f4-42fd-9f38-151372a06610"/> <cybox:Observable idref="mandiant:observable-d5c24431-7fb7-47d6-9720-67c7dbcab2ba"/> <cybox:Observable idref="mandiant:observable-a119b647-4dd7-4c67-b7e7-4640d164d082"/> <cybox:Observable idref="mandiant:observable-c9032003-14c2-4437-a0e8-ab5a54f975f3"/> <cybox:Observable idref="mandiant:observable-377925c6-0383-4da3-9eed-4ec34576425c"/> <cybox:Observable idref="mandiant:observable-90982168-dcce-4180-905d-9d3f5c462e45"/> <cybox:Observable idref="mandiant:observable-87b997f2-0f33-4aeb-8910-c9ba92ec1650"/> <cybox:Observable idref="mandiant:observable-60ee0427-74cc-494a-9895-45a320e42d0e"/> <cybox:Observable idref="mandiant:observable-3656d515-5956-47e2-9221-93156eeb878e"/> <cybox:Observable idref="mandiant:observable-a3c9a57e-c858-4e0a-bd20-10e775f20c41"/> <cybox:Observable idref="mandiant:observable-fabb66bc-d82f-474c-bba6-6e0425b13b73"/> <cybox:Observable idref="mandiant:observable-cd1c45bc-dff7-4ddc-8642-e2b4b946edc6"/> <cybox:Observable idref="mandiant:observable-2da2476b-9152-4b4c-bcca-05b5cee9078f"/> <cybox:Observable idref="mandiant:observable-2a36beb6-03bf-4035-8028-f938f04f9a94"/> <cybox:Observable idref="mandiant:observable-d0a234db-b50f-448d-88cd-e06940043796"/> <cybox:Observable idref="mandiant:observable-034ff744-892d-441e-84b5-fe922abed392"/> <cybox:Observable idref="mandiant:observable-a8c463e9-1d78-4d6e-b8c5-5bfb922860ae"/> <cybox:Observable idref="mandiant:observable-44046fc8-7c02-42c6-b26c-b1623eb7b16c"/> <cybox:Observable idref="mandiant:observable-53877678-f17e-4da1-9336-698063493cc6"/> <cybox:Observable idref="mandiant:observable-b50152f3-886e-4132-81f2-bceb91b96629"/> <cybox:Observable idref="mandiant:observable-08f7fb65-8884-4b6e-abdc-c09c064d7a3a"/> <cybox:Observable idref="mandiant:observable-8d12babf-fa50-4637-af25-e313cfbaee21"/> <cybox:Observable idref="mandiant:observable-b7ca6cf3-b21e-4ce5-b66a-5cd57ea4907d"/> <cybox:Observable 
idref="mandiant:observable-6d0cc478-3e68-440a-a6bf-e9b00e9acf85"/> <cybox:Observable idref="mandiant:observable-e9d45424-4a97-4ca6-a6da-6abdf9d25764"/> <cybox:Observable idref="mandiant:observable-3a44244a-ead8-48f4-8e4a-b5fcadee81bf"/> <cybox:Observable idref="mandiant:observable-28104725-75b2-4abf-8269-4f854514a608"/> <cybox:Observable idref="mandiant:observable-e0da4965-b6c6-4afe-a6f6-eede4fc3177d"/> <cybox:Observable idref="mandiant:observable-294bb491-f96f-4bab-a8b5-c26f65d2acb7"/> <cybox:Observable idref="mandiant:observable-f836ade2-a72e-4b30-8c56-cb95d341c828"/> <cybox:Observable idref="mandiant:observable-92c6e3af-79e1-42dc-a02e-4505e1d6e459"/> <cybox:Observable idref="mandiant:observable-6c09d8f4-fae6-41e6-892e-e0bc785d5cc6"/> <cybox:Observable idref="mandiant:observable-037dfc3e-7d9d-4630-90a5-dee0c18f407f"/> <cybox:Observable idref="mandiant:observable-34bde6bc-b8b0-496a-801e-40ed15bee252"/> <cybox:Observable idref="mandiant:observable-c16e08f5-98b9-42de-8001-d386041c368e"/> <cybox:Observable idref="mandiant:observable-18f232ee-cd67-47e1-9a2e-fdd3298233c3"/> <cybox:Observable idref="mandiant:observable-71df27ee-4eda-4afc-8409-ec4c58da3473"/> <cybox:Observable idref="mandiant:observable-ad64b6cf-4af2-4f3d-a2e0-2fe3e6b30cdc"/> <cybox:Observable idref="mandiant:observable-fc106d4b-f060-46f5-80c8-ce8033193fdd"/> <cybox:Observable idref="mandiant:observable-cde6ab63-addc-4103-a889-b56c4524b701"/> <cybox:Observable idref="mandiant:observable-4016c737-ebe6-4aa0-a739-7c46f0af893e"/> <cybox:Observable idref="mandiant:observable-5c550ff6-3986-48cf-a2d5-fcfd41f20b0a"/> <cybox:Observable idref="mandiant:observable-f454c870-cb2e-4a9e-b31d-0f9d068aca31"/> <cybox:Observable idref="mandiant:observable-7f4075e2-7dac-4b0e-a276-7eb14c70d765"/> <cybox:Observable idref="mandiant:observable-bd302583-bcf1-4e69-9e8e-f0c973a53cea"/> <cybox:Observable idref="mandiant:observable-02e5a04d-e5ef-48a8-b455-c6c1c325925c"/> <cybox:Observable 
idref="mandiant:observable-6f87cd10-39d3-413b-b3ca-52ba7a124f49"/> <cybox:Observable idref="mandiant:observable-28924f62-5441-4632-97d2-5d35a4213976"/> <cybox:Observable idref="mandiant:observable-c14a804e-cf50-41bf-88c4-550a25a2103b"/> <cybox:Observable idref="mandiant:observable-99013664-03ee-41a3-a38a-ef120f81cb58"/> <cybox:Observable idref="mandiant:observable-44055711-fe03-48b4-b8d2-50be225edad8"/> <cybox:Observable idref="mandiant:observable-54a85d32-a165-449f-8b6b-f8203a69b954"/> <cybox:Observable idref="mandiant:observable-77d26675-49f2-4cde-8991-460e2da658eb"/> <cybox:Observable idref="mandiant:observable-36b204ba-de10-486c-98b6-288c0c2ac6d8"/> <cybox:Observable idref="mandiant:observable-90242cd9-546d-4966-bdaa-d4467018c25a"/> <cybox:Observable idref="mandiant:observable-7d8fceb3-7717-41bb-bdc1-61a29d0028ba"/> <cybox:Observable idref="mandiant:observable-50de64c1-250c-45f0-a66d-a03be1e88a1f"/> <cybox:Observable idref="mandiant:observable-8d335f68-cdf6-4aac-aaa4-7aab25cc0fea"/> <cybox:Observable idref="mandiant:observable-29ce9cb1-3829-47f0-b933-6fea33cb61b0"/> <cybox:Observable idref="mandiant:observable-5af465c1-ee05-441c-8b4f-687a13c442d9"/> <cybox:Observable idref="mandiant:observable-2fc67e5b-4b1d-4135-919d-3c15aac0b494"/> <cybox:Observable idref="mandiant:observable-1e5a489d-61ff-4079-aaf2-7dc8fa96d977"/> <cybox:Observable idref="mandiant:observable-f511fe11-750f-40cf-bb04-348e3a465d49"/> <cybox:Observable idref="mandiant:observable-4c0947d0-3f60-4c95-a587-580bce510b1b"/> <cybox:Observable idref="mandiant:observable-b81acf6e-417c-44f2-ab24-da18c03965ae"/> <cybox:Observable idref="mandiant:observable-bc69843a-17ac-42de-82bb-1a15123dc1a2"/> <cybox:Observable idref="mandiant:observable-fc2df9d6-0533-4850-8421-310d6c90813f"/> <cybox:Observable idref="mandiant:observable-97c2473e-edac-49f7-b5f2-4b98bb62e1a9"/> <cybox:Observable idref="mandiant:observable-f3f6a93d-912f-450a-a3d2-1e92a03b64b5"/> <cybox:Observable 
idref="mandiant:observable-8aad2a97-39dc-4f48-841f-3cd77cb86cc8"/> <cybox:Observable idref="mandiant:observable-3f9eb2e3-e31c-451f-9dc0-555d76dbf4b4"/> <cybox:Observable idref="mandiant:observable-ea4ed5d7-ae07-43eb-b5b3-205cde14f99f"/> <cybox:Observable idref="mandiant:observable-8ecebf97-b3fa-4aa7-aeb9-c811031aaf9c"/> <cybox:Observable idref="mandiant:observable-c0f94cf2-ac62-4ad2-9c92-7d3423524757"/> <cybox:Observable idref="mandiant:observable-e4bef386-82c5-42f1-841f-2416583b10c8"/> <cybox:Observable idref="mandiant:observable-6165ef6f-3e35-4930-9b09-da0bb501cc96"/> <cybox:Observable idref="mandiant:observable-c1b8d482-5742-41ad-96a5-6cc84d9e2c37"/> <cybox:Observable idref="mandiant:observable-ddb29c02-9846-49a6-9593-a47847be732d"/> <cybox:Observable idref="mandiant:observable-12ea288b-3707-4d7c-8eb6-050b0af38b6e"/> <cybox:Observable idref="mandiant:observable-0f2ab503-9e54-4ac2-ac20-fc1118088afd"/> <cybox:Observable idref="mandiant:observable-49d7c7ee-c519-4d9a-92e4-d6e7a129229b"/> <cybox:Observable idref="mandiant:observable-90ecc391-05ed-4eb4-8ad4-5a6303060a6f"/> <cybox:Observable idref="mandiant:observable-711ea5c1-93fd-44d6-bdfb-0de824ff4a09"/> <cybox:Observable idref="mandiant:observable-638f1639-79f0-40a6-acff-f8abbfb615e2"/> <cybox:Observable idref="mandiant:observable-21f15ae5-0e27-4634-9dd4-fdcab5b00301"/> <cybox:Observable idref="mandiant:observable-3c443832-797d-44c2-a62f-d56b41c3431f"/> <cybox:Observable idref="mandiant:observable-30100aff-c0e3-4818-b46e-6787327f8a1a"/> <cybox:Observable idref="mandiant:observable-bcb220a3-50f9-43ec-a55c-a52f90e1c779"/> <cybox:Observable idref="mandiant:observable-500257fb-af21-4981-985f-ebccdfb6641a"/> <cybox:Observable idref="mandiant:observable-87e53cc0-7898-45ab-a5e5-bd42567053dc"/> <cybox:Observable idref="mandiant:observable-d7e24af2-a583-408f-ad48-0c14e6e4f360"/> <cybox:Observable idref="mandiant:observable-1b530efc-85d9-49cf-8d72-17860dcb49fe"/> <cybox:Observable 
idref="mandiant:observable-2731fa87-36a1-432c-a408-6484a5e593f8"/> <cybox:Observable idref="mandiant:observable-ba4f0587-bf1e-4830-99e8-9efe07904d07"/> <cybox:Observable idref="mandiant:observable-a6c97c28-a44f-4b46-9537-7c433c670244"/> <cybox:Observable idref="mandiant:observable-a3bf514e-f634-4531-b9e0-6de1b3d0c4d8"/> <cybox:Observable idref="mandiant:observable-1a433fc4-39d6-4f4f-8dac-6d83f3f9f685"/> <cybox:Observable idref="mandiant:observable-6318dd4f-b1d4-4022-9ea0-93d3b561744a"/> <cybox:Observable idref="mandiant:observable-98a89637-0403-4967-babf-e31546ba39fa"/> <cybox:Observable idref="mandiant:observable-129fff37-b218-48df-820b-aebb325f2611"/> <cybox:Observable idref="mandiant:observable-0a073e04-6778-40f3-bfae-ed3eb8b46ed1"/> <cybox:Observable idref="mandiant:observable-4d677650-5373-4fa2-8d77-bd5fca86dc38"/> <cybox:Observable idref="mandiant:observable-24f4b96e-46bf-43ae-9cb5-c25ac6fc36f9"/> <cybox:Observable idref="mandiant:observable-ada070dc-7615-47ab-bac5-a8becc87b4fc"/> <cybox:Observable idref="mandiant:observable-2ee86912-e2e9-4a0a-bb54-0b19fa74418c"/> <cybox:Observable idref="mandiant:observable-c9eed4ec-2ebe-4bd5-9150-76f7d6cf0e8f"/> <cybox:Observable idref="mandiant:observable-e8919344-fd16-4c39-9811-563e77359924"/> <cybox:Observable idref="mandiant:observable-6c97d939-b699-46c9-af68-cd3a9d26eb24"/> <cybox:Observable idref="mandiant:observable-6dc1a5c1-cda9-47fc-9fe7-11e3433f3682"/> <cybox:Observable idref="mandiant:observable-7bc24894-a4ea-430f-aac5-12f4b4afa84a"/> <cybox:Observable idref="mandiant:observable-d191f9cc-8cfb-4761-aeca-3fed66493e27"/> <cybox:Observable idref="mandiant:observable-449b69ae-9af5-4614-8071-74751ee11b1d"/> <cybox:Observable idref="mandiant:observable-ae5377a9-14c1-413f-8fa2-006ac9a060b0"/> <cybox:Observable idref="mandiant:observable-3ddc54ff-0a4d-4a6d-8bb9-cc0aaf1b8200"/> <cybox:Observable idref="mandiant:observable-a0a53167-d29a-448a-9316-61c056c2b7c9"/> <cybox:Observable 
idref="mandiant:observable-9059fdf6-0e03-413b-b0a4-3bb1c38194f7"/> <cybox:Observable idref="mandiant:observable-2ab4f3c0-70fe-406d-9eff-bc9a2274042f"/> <cybox:Observable idref="mandiant:observable-09e43b8e-cfb8-43ad-9f3e-1619a113ee70"/> <cybox:Observable idref="mandiant:observable-278e7759-8fde-48b2-9865-5109fc72547b"/> <cybox:Observable idref="mandiant:observable-334a9473-ca52-4a7b-935c-db28407edef9"/> <cybox:Observable idref="mandiant:observable-c2fbc8d4-abb7-426e-8439-f36516abb11b"/> <cybox:Observable idref="mandiant:observable-e4c0642f-5384-49e7-b726-9b7b93b1d046"/> <cybox:Observable idref="mandiant:observable-d0732571-13ea-47b3-8c72-8b7bfaa7e866"/> <cybox:Observable idref="mandiant:observable-289288d5-7bc7-4d43-9975-716aeca1f42a"/> <cybox:Observable idref="mandiant:observable-0b1d861b-8da5-4ba9-83de-5452b69d7ff3"/> <cybox:Observable idref="mandiant:observable-9c488d78-e35e-44a0-9616-ba8d732b16b5"/> <cybox:Observable idref="mandiant:observable-cb4724b2-7a5a-4431-a98d-7d263c9d44b9"/> <cybox:Observable idref="mandiant:observable-9d5cf402-5631-4390-87ea-971eaab1df1d"/> <cybox:Observable idref="mandiant:observable-1b508cb0-76e5-4abf-8f9d-5fa8b1d43f0e"/> <cybox:Observable idref="mandiant:observable-320e1c11-38df-41f2-9300-26f3841072a0"/> <cybox:Observable idref="mandiant:observable-833c4845-a222-4fd0-8f27-021994a147d0"/> <cybox:Observable idref="mandiant:observable-09576f11-2a61-4ba4-b028-50915af3ff1f"/> <cybox:Observable idref="mandiant:observable-115348b8-1dd2-47c8-b7c5-e527d1f16290"/> <cybox:Observable idref="mandiant:observable-dabc9e54-b4df-4a27-8d9a-08d88d81ecba"/> <cybox:Observable idref="mandiant:observable-f9485db8-ca16-4b54-a70f-81e48aa8e01e"/> <cybox:Observable idref="mandiant:observable-fbbfe38f-d0e2-485d-b646-50a95ad67e42"/> <cybox:Observable idref="mandiant:observable-b9dc8abb-9158-4977-b086-0f1168f36326"/> <cybox:Observable idref="mandiant:observable-919418e6-81e1-4fe4-b3d4-8387d2994158"/> <cybox:Observable 
idref="mandiant:observable-bfd57cda-e423-4f87-82d2-dcad4c60a4e1"/> <cybox:Observable idref="mandiant:observable-2f1fa842-f779-4fa9-b56b-26ba8607dbdb"/> <cybox:Observable idref="mandiant:observable-be2960e4-3574-43dd-95ba-3cb4513152ea"/> <cybox:Observable idref="mandiant:observable-6401f7da-2c4d-4b72-828d-b69a295581f1"/> <cybox:Observable idref="mandiant:observable-392ba790-2c1e-4acd-86db-7e1246788195"/> <cybox:Observable idref="mandiant:observable-f8bc290b-0168-4d53-afe5-02bcfc8a3f82"/> <cybox:Observable idref="mandiant:observable-ae2d031d-f8f4-4be1-95eb-dde6c523716a"/> <cybox:Observable idref="mandiant:observable-e1ca34f2-6f66-4a8e-ae99-b231aea90ac7"/> <cybox:Observable idref="mandiant:observable-416c4674-b9f7-40a1-96b2-dc688e28eca4"/> <cybox:Observable idref="mandiant:observable-615cf836-6147-40de-b0b9-10dab8393ed9"/> <cybox:Observable idref="mandiant:observable-64868346-be1b-4343-ab0a-60a6579ae58e"/> <cybox:Observable idref="mandiant:observable-466e6f8e-dcc9-43e8-b1fa-1eb6b509923c"/> <cybox:Observable idref="mandiant:observable-32100cf1-610b-461f-b9c4-ff24bdc9f023"/> <cybox:Observable idref="mandiant:observable-6ce23dff-9674-463b-a3ca-24627166ec3d"/> <cybox:Observable idref="mandiant:observable-eb9c7619-beb5-4323-8380-dc71c80788ca"/> <cybox:Observable idref="mandiant:observable-e9c54005-c94a-4863-b6ff-8195d62237d8"/> <cybox:Observable idref="mandiant:observable-0d4e7c5d-31b5-4741-98aa-f5b43ae77c2c"/> <cybox:Observable idref="mandiant:observable-a53c2636-8a86-4edb-9038-ded5af8c9da2"/> <cybox:Observable idref="mandiant:observable-c25d74ab-cd2c-4dc2-b66e-320bfb658c5e"/> <cybox:Observable idref="mandiant:observable-be83cacb-1875-461f-8c9d-5c54b35a8e95"/> <cybox:Observable idref="mandiant:observable-ae13d20a-fa0f-42cb-92cf-4a6145d6b8d1"/> <cybox:Observable idref="mandiant:observable-d249a870-df60-4c2d-8c88-5eca53ad3afa"/> <cybox:Observable idref="mandiant:observable-611abf4e-9345-4f81-a17e-9b37fa80df41"/> <cybox:Observable 
idref="mandiant:observable-1fdbe819-1261-40f5-af34-f3891ee08f74"/> <cybox:Observable idref="mandiant:observable-a1a9931d-9305-4154-9863-174cdedb89d4"/> <cybox:Observable idref="mandiant:observable-8cc88d4a-c3a4-493c-9ccb-a287f1ffd336"/> <cybox:Observable idref="mandiant:observable-b3352aec-e4f9-4c70-9eab-2881bd91bbd2"/> <cybox:Observable idref="mandiant:observable-efa96288-2925-4365-b9c4-9288c4b914e3"/> <cybox:Observable idref="mandiant:observable-d9cc65c8-8dd2-4713-b6b7-ce3f805ee413"/> <cybox:Observable idref="mandiant:observable-d18237fc-66cf-4c1e-8e1b-070c973838fb"/> <cybox:Observable idref="mandiant:observable-5c9de010-6064-4f37-a6b8-772c322c987b"/> <cybox:Observable idref="mandiant:observable-6309924e-05d3-4b7a-aed7-07f7bcda7d46"/> <cybox:Observable idref="mandiant:observable-0054b13f-d945-436e-9215-edc85b8c68bf"/> <cybox:Observable idref="mandiant:observable-60ed73ff-67b8-41f0-af6d-9ed5d2c7a3dc"/> <cybox:Observable idref="mandiant:observable-0d62048d-f30a-468e-a1b7-ccbbd5b9deda"/> <cybox:Observable idref="mandiant:observable-a902acc1-c1df-4135-bd12-fdfa4e287208"/> <cybox:Observable idref="mandiant:observable-3c4f6ff1-6624-4b39-bb17-112982236598"/> <cybox:Observable idref="mandiant:observable-028ce6fc-3fa5-4a27-bbca-07cdde3898de"/> <cybox:Observable idref="mandiant:observable-52f12703-05dd-4d91-ad8b-687cf5e86d19"/> <cybox:Observable idref="mandiant:observable-6b4ed60a-1213-4984-8127-e23d060e56e0"/> <cybox:Observable idref="mandiant:observable-3122a156-227e-4058-9159-0e809b4ecc68"/> <cybox:Observable idref="mandiant:observable-a70f64a7-ab3e-44f8-b3e6-d0517139f18c"/> <cybox:Observable idref="mandiant:observable-f3ab20d6-720c-4851-975c-608cf88ba861"/> <cybox:Observable idref="mandiant:observable-a3141d62-465c-47ab-a779-4b5d86ad363d"/> <cybox:Observable idref="mandiant:observable-a104a0e0-ac7c-45a5-aab2-8047ef9e2a12"/> <cybox:Observable idref="mandiant:observable-19f59c70-6176-45d9-ad53-767b0280ef66"/> <cybox:Observable 
idref="mandiant:observable-dc124fa9-95c5-4b57-b8e7-9f760a866821"/> <cybox:Observable idref="mandiant:observable-828286b6-7a00-4f91-8dc3-12ec0ef75c46"/> <cybox:Observable idref="mandiant:observable-3f47f982-2feb-4bff-8084-a27ae9be2332"/> <cybox:Observable idref="mandiant:observable-78d7f05a-c0f8-4c82-a254-fc9204d4d852"/> <cybox:Observable idref="mandiant:observable-92736fad-0584-4d5a-83aa-5a44a832802f"/> <cybox:Observable idref="mandiant:observable-148e4d5e-e213-44c4-9c5c-69bbe81cac77"/> <cybox:Observable idref="mandiant:observable-b13d3ec0-de0d-45ff-8e86-dcee2de09053"/> <cybox:Observable idref="mandiant:observable-62ad77d0-740d-4194-8b7d-6e111bbb3b99"/> <cybox:Observable idref="mandiant:observable-fe8a59d7-daf4-406b-9bef-6735886f3e76"/> <cybox:Observable idref="mandiant:observable-7e9843f5-7b07-4f36-98d5-0db35273c3ed"/> <cybox:Observable idref="mandiant:observable-25984cb3-718e-4e36-86a6-d5717e292c42"/> <cybox:Observable idref="mandiant:observable-af6ba778-2a08-479c-b160-64165af07044"/> <cybox:Observable idref="mandiant:observable-5ec8c197-fbf9-43aa-9cd8-b911e5114b8a"/> <cybox:Observable idref="mandiant:observable-71b2195c-d115-47e9-aea7-bc8b0593f923"/> <cybox:Observable idref="mandiant:observable-d2eaaca8-8910-43f6-af9e-a8996cf1d7f0"/> <cybox:Observable idref="mandiant:observable-4274254b-82bf-42c4-933b-6b6344d69097"/> <cybox:Observable idref="mandiant:observable-d282426a-3dd3-4564-8f57-c712a26c7555"/> <cybox:Observable idref="mandiant:observable-d5e42909-d002-431a-82bf-bf614b3af020"/> <cybox:Observable idref="mandiant:observable-1dc7c88c-5d5a-4ed9-a850-18b599a77e3c"/> <cybox:Observable idref="mandiant:observable-ca4bdbe4-eb7f-427f-865f-25da34fdd4d3"/> <cybox:Observable idref="mandiant:observable-a48a6229-e93d-4926-b6c1-7d01e3c8214c"/> <cybox:Observable idref="mandiant:observable-bf34594f-fa9c-4df5-82fb-bb526c7cde69"/> <cybox:Observable idref="mandiant:observable-9b3fd816-796b-44c5-b31b-ac3f6ff5c2d6"/> <cybox:Observable 
idref="mandiant:observable-70e66e0b-ca90-49ea-9675-71790d1e6b4f"/> <cybox:Observable idref="mandiant:observable-c0afcdb6-b030-4112-92c6-fffb0f38b4fb"/> <cybox:Observable idref="mandiant:observable-085f588b-d255-4d7b-9b26-3eeebed7f9f2"/> <cybox:Observable idref="mandiant:observable-bb1f2c6b-9599-4c0d-a877-201c4988b720"/> <cybox:Observable idref="mandiant:observable-cad19ddc-10cd-40a2-ac1a-0e6a06752a01"/> <cybox:Observable idref="mandiant:observable-eb71184e-305f-46f5-8219-c385f9dd6757"/> <cybox:Observable idref="mandiant:observable-5bdf04d0-249a-4ccf-b426-adf1b101c011"/> <cybox:Observable idref="mandiant:observable-39da8878-6a04-470a-ae03-a5d6891b5204"/> <cybox:Observable idref="mandiant:observable-6aa892aa-f658-4e99-9834-f63ac4d8275b"/> <cybox:Observable idref="mandiant:observable-c1c9b84d-71db-4b6f-95e8-0cf03888e557"/> <cybox:Observable idref="mandiant:observable-27b7f3ea-cc8c-4d56-9220-77e86de77f39"/> <cybox:Observable idref="mandiant:observable-20cb151e-bd47-474c-ae05-f750119a3331"/> <cybox:Observable idref="mandiant:observable-435ba428-56d7-4951-9be0-4b01f1cdcaaa"/> <cybox:Observable idref="mandiant:observable-a625282a-a5d8-4bbe-9d54-975e9ec8b96c"/> <cybox:Observable idref="mandiant:observable-dc50ee9e-0165-429d-97d3-ce06a35bc18d"/> <cybox:Observable idref="mandiant:observable-6d15ce62-f683-4cc6-a7eb-ebdbefd99ab1"/> <cybox:Observable idref="mandiant:observable-d9028cde-7303-4206-b0b3-6d01aab350b1"/> <cybox:Observable idref="mandiant:observable-20d9cc91-974a-4c29-b6c8-3c4a46021e70"/> <cybox:Observable idref="mandiant:observable-b805e1f3-9e23-4502-ab7d-f0de4c85cf3c"/> <cybox:Observable idref="mandiant:observable-58731d71-5941-445e-8649-fc6fa652e563"/> <cybox:Observable idref="mandiant:observable-569c4641-8dc1-407c-bb09-62097735ed36"/> <cybox:Observable idref="mandiant:observable-dec6e160-07e1-4b2d-9e27-79d2e62f7754"/> <cybox:Observable idref="mandiant:observable-dfda0e89-c86e-4194-acd9-e403f0fa0723"/> <cybox:Observable 
idref="mandiant:observable-4170ae29-4544-44d3-b44a-f9f3a3787544"/> <cybox:Observable idref="mandiant:observable-65dab442-cbe0-4d3c-a307-513950691b53"/> <cybox:Observable idref="mandiant:observable-36fd8439-0949-4f7c-bda1-f2582745391b"/> <cybox:Observable idref="mandiant:observable-525c8fc0-a40c-4efa-91bf-2220e96ac0a1"/> <cybox:Observable idref="mandiant:observable-35fc9391-a264-48d7-8847-e7b9f452dfab"/> <cybox:Observable idref="mandiant:observable-671c01a3-3ec7-455a-82fc-8ca84f8b0919"/> <cybox:Observable idref="mandiant:observable-80569e90-06d8-4abb-8506-a3a55e876c56"/> <cybox:Observable idref="mandiant:observable-ee25aefc-1da9-40e3-b23a-ec529abb4954"/> <cybox:Observable idref="mandiant:observable-e3249ab9-187c-4450-b821-fb0bf08d52ce"/> <cybox:Observable idref="mandiant:observable-97153ba0-c8e5-41cd-b7bb-d735a7ca33a0"/> <cybox:Observable idref="mandiant:observable-cfc55f27-5111-409f-b951-c81ae2244273"/> <cybox:Observable idref="mandiant:observable-1f2397c2-3985-4b86-b10c-13be9e606f68"/> <cybox:Observable idref="mandiant:observable-bc154de8-6af0-469b-92c6-57c51768cfa2"/> <cybox:Observable idref="mandiant:observable-e22f0176-f4ea-4ec1-b25d-b232f76c8777"/> <cybox:Observable idref="mandiant:observable-26815ccb-81f7-4394-bc0b-c162e0544d5b"/> <cybox:Observable idref="mandiant:observable-c8a420e8-3eab-4327-86ae-0cd34c2c7cc3"/> <cybox:Observable idref="mandiant:observable-683a261d-0d11-4d81-9974-f76244cf5f7f"/> <cybox:Observable idref="mandiant:observable-8164f745-0c7a-4971-9534-c32795908588"/> <cybox:Observable idref="mandiant:observable-2a604ece-4051-4e9c-bb04-00e3d9b62919"/> <cybox:Observable idref="mandiant:observable-4af929cc-8c82-4bee-ad17-dcf502c2f6d0"/> <cybox:Observable idref="mandiant:observable-d4cfaa14-c00b-4729-8730-c19bb7ccaca4"/> <cybox:Observable idref="mandiant:observable-caa9294b-a600-4186-9ade-64240f10e7e4"/> <cybox:Observable idref="mandiant:observable-5a75fcdb-49b6-4907-90c1-be1211df0d1d"/> <cybox:Observable 
idref="mandiant:observable-746e58c4-5833-4d83-b0fc-b7c8cd13d388"/> <cybox:Observable idref="mandiant:observable-ecf7494b-0ddf-42eb-bfd1-54caaad7b6c3"/> <cybox:Observable idref="mandiant:observable-0d0fc96e-7cbe-41d4-8ff1-27124e3b67eb"/> <cybox:Observable idref="mandiant:observable-547ce69a-45e6-447d-93cb-e3f8408a21f0"/> <cybox:Observable idref="mandiant:observable-cd2cdf22-32a9-4631-95e3-1ea82be40d9d"/> <cybox:Observable idref="mandiant:observable-6111ae05-51da-40cb-bcd7-8c7309c7cc6c"/> <cybox:Observable idref="mandiant:observable-459a8ca3-5f37-4170-a310-b2edf02364cb"/> <cybox:Observable idref="mandiant:observable-7ef04110-a2d2-41d9-918d-64e6a57f404e"/> <cybox:Observable idref="mandiant:observable-0e37846c-82ac-4a10-b13e-f38868432948"/> <cybox:Observable idref="mandiant:observable-4ae2a86e-d5b1-4216-be43-cebb94582e3d"/> <cybox:Observable idref="mandiant:observable-9968a740-8e3f-4cce-a36b-0d4bf4fc61c0"/> <cybox:Observable idref="mandiant:observable-7ef2f6ae-079b-4726-a5ac-e55552afbf7e"/> <cybox:Observable idref="mandiant:observable-a99a13ad-6ffb-4307-bdef-62b7867ce6ba"/> <cybox:Observable idref="mandiant:observable-7fcc9f01-571e-48cf-b9c9-ad1cfab31df1"/> <cybox:Observable idref="mandiant:observable-b869caca-0e0a-4f03-b5ab-7cc08a1b652b"/> <cybox:Observable idref="mandiant:observable-cde9b415-e358-488e-aa21-aff40ac98d23"/> <cybox:Observable idref="mandiant:observable-1034f34d-94f4-4d2b-934a-1de2c16f1eec"/> <cybox:Observable idref="mandiant:observable-730cc249-816f-4f97-ad2c-2d9e32225093"/> <cybox:Observable idref="mandiant:observable-5b8ece81-1cda-40bc-a5b8-3336ecdc50c1"/> <cybox:Observable idref="mandiant:observable-8e8bf688-5355-4612-99c9-466a1c697bba"/> <cybox:Observable idref="mandiant:observable-908c651a-c3b4-40c6-a14a-3ff89bedc201"/> <cybox:Observable idref="mandiant:observable-847065ca-076b-4f2d-bf5a-52d635ab2fff"/> <cybox:Observable idref="mandiant:observable-02ef1c30-77f2-40d2-a230-05d5a3d50cd5"/> <cybox:Observable 
idref="mandiant:observable-25b1e82b-e775-40b3-8a45-eb741eab7d11"/> <cybox:Observable idref="mandiant:observable-44c50c55-da30-4a8f-81d5-2ca4452ed8ca"/> <cybox:Observable idref="mandiant:observable-fa7824d9-a3b6-4538-bc52-a41e71b67e2d"/> <cybox:Observable idref="mandiant:observable-60a8b2c7-e984-4f65-83b3-6e8bb0e4f8f3"/> <cybox:Observable idref="mandiant:observable-c9be368c-5105-494c-9a9f-bbd8527bd878"/> <cybox:Observable idref="mandiant:observable-ef26adb1-8229-4857-834d-2fd0aed4bd61"/> <cybox:Observable idref="mandiant:observable-d6a606bd-9931-451b-941b-377d55775735"/> <cybox:Observable idref="mandiant:observable-19bc2607-f1d1-42d8-a417-0b88981ce9a1"/> <cybox:Observable idref="mandiant:observable-78b46b61-44bb-430a-b671-75a0752af73a"/> <cybox:Observable idref="mandiant:observable-34777547-62c7-4ab3-bc13-4dba65ca64e6"/> <cybox:Observable idref="mandiant:observable-0a7c6848-cf7c-43da-944a-c3459fe4f3c2"/> <cybox:Observable idref="mandiant:observable-ec005879-15d0-404b-b5b2-672f778a9720"/> <cybox:Observable idref="mandiant:observable-ea5a605d-135f-4958-872b-c918d7a0fe60"/> <cybox:Observable idref="mandiant:observable-c56cb637-df95-4ca1-8331-62e374681f49"/> <cybox:Observable idref="mandiant:observable-3a2ff9fb-d71a-4f01-936e-5388efefb515"/> <cybox:Observable idref="mandiant:observable-4c06b740-9ff8-49dd-bcc6-32433941411e"/> <cybox:Observable idref="mandiant:observable-ac8c800a-7cb6-42d5-aa4e-2e204219f921"/> <cybox:Observable idref="mandiant:observable-4b800446-1f51-4901-8207-f4a765d7e824"/> <cybox:Observable idref="mandiant:observable-46468ab0-0868-4482-8ab2-cc2e9d717a8d"/> <cybox:Observable idref="mandiant:observable-c6ee05b2-f173-4ebe-be00-dd30b192d70d"/> <cybox:Observable idref="mandiant:observable-1596173d-f923-4e7e-89c9-f2268cd0e4ee"/> <cybox:Observable idref="mandiant:observable-8392cd46-7c5f-4079-b846-486b4c4d0230"/> <cybox:Observable idref="mandiant:observable-403ff3cf-f214-4f80-88b5-f3acf6db91f0"/> <cybox:Observable 
idref="mandiant:observable-6ce3f781-0276-464a-a738-f2d5b2f4b3ff"/> <cybox:Observable idref="mandiant:observable-5dd9011a-4b8e-436c-81b0-c763c6e829f1"/> <cybox:Observable idref="mandiant:observable-ed8eb5dd-6688-4b7d-82cc-7ee23228fd61"/> <cybox:Observable idref="mandiant:observable-fc92a5be-9efb-4e97-b346-cfc41694fd47"/> <cybox:Observable idref="mandiant:observable-0f17dc1b-dc37-4347-814f-743b693de027"/> <cybox:Observable idref="mandiant:observable-8ddadd0e-7f42-479b-9302-a3242ef06384"/> <cybox:Observable idref="mandiant:observable-6a51dbc6-2057-4937-9bda-b59a7b75f055"/> <cybox:Observable idref="mandiant:observable-fc9d13f8-2b83-46f0-93e4-4723602ae018"/> <cybox:Observable idref="mandiant:observable-afc4e166-2691-402a-bc5c-dc42c3d6b8f1"/> <cybox:Observable idref="mandiant:observable-1962f1db-579e-4c59-8f3d-542773d94685"/> <cybox:Observable idref="mandiant:observable-66f036a9-7356-49ca-b6f0-704df83fa1d8"/> <cybox:Observable idref="mandiant:observable-e46f8aa4-a6ea-4257-a62d-60cfbd9022db"/> <cybox:Observable idref="mandiant:observable-b75540ac-8276-44cf-a3fe-1da07b7bda18"/> <cybox:Observable idref="mandiant:observable-0f5dcb7e-02f5-47dc-8d06-8c502e0d0406"/> <cybox:Observable idref="mandiant:observable-fbe2d37c-af39-4317-b873-41af01884128"/> <cybox:Observable idref="mandiant:observable-c1c9cedb-d74c-4e26-8a39-c23acf1964ea"/> <cybox:Observable idref="mandiant:observable-e4dde78b-599f-4f4d-9b9b-4516dac8e9ae"/> <cybox:Observable idref="mandiant:observable-be04e251-82c5-4a90-9595-05502e582e13"/> <cybox:Observable idref="mandiant:observable-08b62b93-be74-4584-9685-3c101322f569"/> <cybox:Observable idref="mandiant:observable-59beae91-c2ad-4af2-b5b0-116528e7a41f"/> <cybox:Observable idref="mandiant:observable-08742793-fe7c-45fb-97cf-80e84d63551e"/> <cybox:Observable idref="mandiant:observable-3a0f2fe3-e881-4da3-a161-ffdd3ca0994f"/> <cybox:Observable idref="mandiant:observable-9a6d698b-8794-41e7-a607-ee1ff3ab4834"/> <cybox:Observable 
idref="mandiant:observable-f24539e2-dade-4bb8-9d8d-f11da6eafde4"/> <cybox:Observable idref="mandiant:observable-e1f6f860-28a1-4f0b-82e1-b2dcf3e70a85"/> <cybox:Observable idref="mandiant:observable-37b36018-0778-4cf6-b16c-7c5c47c030a9"/> <cybox:Observable idref="mandiant:observable-2378a653-b5fd-46bb-b242-f945ed89d293"/> <cybox:Observable idref="mandiant:observable-334ac7e0-1702-4cbd-a994-8709862b7b69"/> <cybox:Observable idref="mandiant:observable-ea32adaf-4049-4a91-a41a-a87884304724"/> <cybox:Observable idref="mandiant:observable-c4f3cffa-9df6-40d7-ace8-f9d1d8ba6ea7"/> <cybox:Observable idref="mandiant:observable-99178fe8-bfad-46da-a4b5-8c48945fe9d3"/> <cybox:Observable idref="mandiant:observable-b7107552-865c-4ed2-98c6-098c1dab40a9"/> <cybox:Observable idref="mandiant:observable-6f49e9fa-76d0-414b-ab9d-39134e6a0390"/> <cybox:Observable idref="mandiant:observable-7a25dc81-851e-4eb0-8abe-45d8358ab2bb"/> <cybox:Observable idref="mandiant:observable-397a7b49-bb8e-4f1d-8184-83ac9d207398"/> <cybox:Observable idref="mandiant:observable-38822ca2-da3c-4227-98d4-99f6e5ff0ecb"/> <cybox:Observable idref="mandiant:observable-9d06abfc-7aa5-47de-94bd-6e7eed8b3e6f"/> <cybox:Observable idref="mandiant:observable-c6e06654-0679-41f6-a20e-ffbbbd7a1f16"/> <cybox:Observable idref="mandiant:observable-248ed2af-7364-4aa6-b538-2aa921ce7853"/> <cybox:Observable idref="mandiant:observable-21d16b13-0d58-49f0-b428-be6c85a0aab0"/> <cybox:Observable idref="mandiant:observable-88f98414-fac5-4f39-ad01-4b53142fce0a"/> <cybox:Observable idref="mandiant:observable-fee95377-eb3f-4430-aa6e-7e2c8595e0f5"/> <cybox:Observable idref="mandiant:observable-e33113ac-7c7e-4018-ba18-ae2f2bada74f"/> <cybox:Observable idref="mandiant:observable-5f00eab4-7366-4e1c-9aa5-a4038ff5d922"/> <cybox:Observable idref="mandiant:observable-3b36e365-2e22-42a0-991a-b301bcd20167"/> <cybox:Observable idref="mandiant:observable-bc4afa08-94a9-4396-b400-a5c4e48a690f"/> <cybox:Observable 
idref="mandiant:observable-ab35a0d7-912c-450f-a408-10edba70b5a2"/> <cybox:Observable idref="mandiant:observable-f70884aa-cefb-4118-b78a-ee530bb8b294"/> <cybox:Observable idref="mandiant:observable-4e11eed7-9abd-4d35-8444-16f8b63aafaa"/> <cybox:Observable idref="mandiant:observable-c39460ba-79a3-4b47-b982-08979b03ac34"/> <cybox:Observable idref="mandiant:observable-0994c45a-1b81-4005-bf3f-2ce62953f5ad"/> <cybox:Observable idref="mandiant:observable-f1e2829e-a167-4def-ac7d-9e6376bb8955"/> <cybox:Observable idref="mandiant:observable-551ab1c8-62fd-48fa-9123-36c80aa8d42f"/> <cybox:Observable idref="mandiant:observable-6a94f445-c25d-465a-ba30-ee38f2c7da9b"/> <cybox:Observable idref="mandiant:observable-e4e373d5-4db3-47fe-9bdd-f39df988efe8"/> <cybox:Observable idref="mandiant:observable-86ce26a5-3591-4cb9-b59a-824f50c23e73"/> <cybox:Observable idref="mandiant:observable-eb4a8a89-d8dc-415d-a71c-367ca9e73665"/> <cybox:Observable idref="mandiant:observable-ace22436-43cb-438e-981d-e3aaa5e769a4"/> <cybox:Observable idref="mandiant:observable-f5823e4c-44e5-4ac4-af09-cabc298dc45e"/> <cybox:Observable idref="mandiant:observable-35be0a1d-546d-4caa-abaa-f865e7cb7ca1"/> <cybox:Observable idref="mandiant:observable-8dd03e58-b079-4e33-87e9-2d173383601c"/> <cybox:Observable idref="mandiant:observable-2862b907-8108-45c2-96e8-5c67459fd3c3"/> <cybox:Observable idref="mandiant:observable-ca0f64b1-91ed-4ee1-89f7-7a24ab485cd2"/> <cybox:Observable idref="mandiant:observable-f52198ec-5b13-4898-8171-119098c6c52e"/> <cybox:Observable idref="mandiant:observable-b125df15-52a2-4e2d-bc85-8e968f829b1d"/> <cybox:Observable idref="mandiant:observable-29903d16-d5f1-408a-8d21-e76a6a4a8bf1"/> <cybox:Observable idref="mandiant:observable-67a6269e-6339-41af-ab77-6f9376989bb7"/> <cybox:Observable idref="mandiant:observable-8353402f-e63a-414e-9ab9-7e86bc6a780f"/> <cybox:Observable idref="mandiant:observable-3bfba55a-068d-4349-9451-b234bffc7752"/> <cybox:Observable 
idref="mandiant:observable-fae77798-ac64-4a36-b045-e502e7d0907c"/> <cybox:Observable idref="mandiant:observable-18cafb49-fcb7-42a3-ac49-114471d6b60e"/> <cybox:Observable idref="mandiant:observable-4605d882-3903-4bc1-a435-54afb15ab622"/> <cybox:Observable idref="mandiant:observable-88f71b56-0790-4c08-816a-a47899b19482"/> <cybox:Observable idref="mandiant:observable-2214462b-7913-4b2d-abaa-1e14f74648ce"/> <cybox:Observable idref="mandiant:observable-65db8863-394f-45b0-895a-f19d82aba765"/> <cybox:Observable idref="mandiant:observable-3c3c3dbf-ef47-44cb-a0c3-94e86cb46a0c"/> <cybox:Observable idref="mandiant:observable-787c0145-fc03-49cf-93eb-243b13b48a0a"/> <cybox:Observable idref="mandiant:observable-0fb08469-f6f1-4c66-bc67-31c76b0aedeb"/> <cybox:Observable idref="mandiant:observable-063a8a6d-1c5f-4983-9dd6-789073a28d67"/> <cybox:Observable idref="mandiant:observable-45f8cb0e-7cad-454a-99f7-b5f40436f434"/> <cybox:Observable idref="mandiant:observable-ab0dccc5-2ab2-4a0f-815b-90e8c29f64dc"/> <cybox:Observable idref="mandiant:observable-e2170e8e-0437-47cf-aac5-1fd90bdeb953"/> <cybox:Observable idref="mandiant:observable-beebab22-445f-4d29-bd65-98847863c5c0"/> <cybox:Observable idref="mandiant:observable-bf2c5c0f-2416-469a-abd8-d5168ce018b9"/> <cybox:Observable idref="mandiant:observable-35b9f095-5f44-4686-a19d-1f5ec89825e8"/> <cybox:Observable idref="mandiant:observable-49065513-2cbe-4139-8f2f-522859593006"/> <cybox:Observable idref="mandiant:observable-f5cd2c03-bf5a-4d91-a2d5-9425564c7ad0"/> <cybox:Observable idref="mandiant:observable-24f98694-f3b6-48f0-b57e-f04c3c394b5e"/> <cybox:Observable idref="mandiant:observable-93a582c6-5653-44fd-85d2-840a546a9c1e"/> <cybox:Observable idref="mandiant:observable-08b90e51-8472-48f8-bf2a-8c5b01a811a0"/> <cybox:Observable idref="mandiant:observable-618986ce-43a1-4f77-a639-f6812b90d059"/> <cybox:Observable idref="mandiant:observable-4b2254df-ca35-47b7-a1d6-e445d2d3983a"/> <cybox:Observable 
idref="mandiant:observable-24d450aa-0ed1-423c-8b04-f7354ececee2"/> <cybox:Observable idref="mandiant:observable-3de7fcdd-2468-4fc1-849c-19422b0fb610"/> <cybox:Observable idref="mandiant:observable-7df638f2-2b8f-42cd-8302-87f1015b59af"/> <cybox:Observable idref="mandiant:observable-c888b9dc-cd7f-466b-8e57-a61d3b9b973e"/> <cybox:Observable idref="mandiant:observable-7e6234ce-83d1-4d60-a5e9-013cdd61e3db"/> <cybox:Observable idref="mandiant:observable-b43f1e82-aa52-4c9a-913c-de8f16a355b8"/> <cybox:Observable idref="mandiant:observable-ec6dce46-94ef-4960-95d8-ac52fd27f0c4"/> <cybox:Observable idref="mandiant:observable-e21bb7d2-fd72-4e9f-889f-3d77034ae2a4"/> <cybox:Observable idref="mandiant:observable-793c3646-6a5b-4bf4-8988-1229253dd0ae"/> <cybox:Observable idref="mandiant:observable-3f9a64d4-b613-4e74-8663-dc926488f9bf"/> <cybox:Observable idref="mandiant:observable-3d1e2fca-0041-4e36-89b3-7e72109a341b"/> <cybox:Observable idref="mandiant:observable-a6d215a3-c982-470d-955f-a46809f11be4"/> <cybox:Observable idref="mandiant:observable-30e82aa9-a0d5-469f-88a5-14b1106f15b9"/> <cybox:Observable idref="mandiant:observable-a261b463-e03d-405c-9260-6cd5de908afb"/> <cybox:Observable idref="mandiant:observable-242ea7d1-556b-4a56-ae9e-944b933fc3c0"/> <cybox:Observable idref="mandiant:observable-3f6ecafc-9fc9-437a-9edb-d9d1b0d7b23c"/> <cybox:Observable idref="mandiant:observable-99c32c9c-63c1-490f-9547-c10c2d2d8e46"/> <cybox:Observable idref="mandiant:observable-facc86c9-b8bf-4440-aed7-37d672b86e85"/> <cybox:Observable idref="mandiant:observable-a0a57eb6-d65b-49e1-9335-bfd351967120"/> <cybox:Observable idref="mandiant:observable-c23e845f-0bc4-4c46-a5bf-918ba7e1d89d"/> <cybox:Observable idref="mandiant:observable-80a250a7-45f0-4906-8d3d-07740940cde3"/> <cybox:Observable idref="mandiant:observable-bbb0c823-f06d-40e6-adfb-f7777daaaf65"/> <cybox:Observable idref="mandiant:observable-730da6e4-d34c-4bfd-9737-eed179ad750f"/> <cybox:Observable 
idref="mandiant:observable-caca04e0-13a4-4da0-a13d-32bb8f0f5886"/> <cybox:Observable idref="mandiant:observable-c5f4875f-bd83-4f49-8f91-a35c9f37d078"/> <cybox:Observable idref="mandiant:observable-21f4ecd5-0708-41d2-ab8e-584ccf623aab"/> <cybox:Observable idref="mandiant:observable-2d2ac7c3-8b41-4ae4-b423-aa23f82f08da"/> <cybox:Observable idref="mandiant:observable-61a178f2-df41-4921-83ae-a0dff5d58a03"/> <cybox:Observable idref="mandiant:observable-a4f42eea-f620-43bc-bf44-1124dfbf725a"/> <cybox:Observable idref="mandiant:observable-35026c99-16ff-4f99-9e10-d711c69b46e4"/> <cybox:Observable idref="mandiant:observable-88212ea8-b9c0-436e-bcdf-bf0559c16570"/> <cybox:Observable idref="mandiant:observable-b266e711-b366-4beb-ac83-7e664f1da2fb"/> <cybox:Observable idref="mandiant:observable-3bbbe3e2-7eda-44f1-b673-218d8fa55d3a"/> <cybox:Observable idref="mandiant:observable-2db75f0e-3170-4717-88dd-8448d6e3d8ee"/> <cybox:Observable idref="mandiant:observable-e74c0a3f-fce3-4866-aa0b-b94692611fbe"/> <cybox:Observable idref="mandiant:observable-43ad4215-c7a6-47c4-882e-1bee62dce3ea"/> <cybox:Observable idref="mandiant:observable-1c29f192-3c04-4460-aeda-eba1d2eae6c1"/> <cybox:Observable idref="mandiant:observable-38fae862-37c4-4477-94dd-7ca59e25b702"/> <cybox:Observable idref="mandiant:observable-f6077161-29f9-49ef-b1a4-069cc33a5e36"/> <cybox:Observable idref="mandiant:observable-6e52337f-5ba6-44fd-a718-62c7cfa21ad5"/> <cybox:Observable idref="mandiant:observable-d5f12020-699e-43e9-b6c1-28da1e548ba2"/> <cybox:Observable idref="mandiant:observable-78463e6d-3b49-4c81-b2de-7c1e77ef59d1"/> <cybox:Observable idref="mandiant:observable-28f31a01-8a90-4275-ab21-d7f62f100f02"/> <cybox:Observable idref="mandiant:observable-aa13179f-7b1e-42c7-b912-0fcbb536904e"/> <cybox:Observable idref="mandiant:observable-72fa8a43-78fa-458a-928a-d98a15b679ce"/> <cybox:Observable idref="mandiant:observable-c2bc3a01-41b1-4324-b590-557d520c679e"/> <cybox:Observable 
idref="mandiant:observable-2501d25c-ae2c-459b-85ad-029eeae0b993"/> <cybox:Observable idref="mandiant:observable-9351f32d-0b46-4ec7-b65c-6ac7df141582"/> <cybox:Observable idref="mandiant:observable-88e8261b-0f4c-4736-a653-e752453546d9"/> <cybox:Observable idref="mandiant:observable-5599fa3d-945a-4bf8-bef2-68fbc7c205be"/> <cybox:Observable idref="mandiant:observable-402db31f-c82c-443f-9d3a-a797e77ffd10"/> <cybox:Observable idref="mandiant:observable-10c51bbc-aab0-4143-8fb0-91b27a2688e9"/> <cybox:Observable idref="mandiant:observable-2cd52238-d7d3-408a-ba09-a63a95ae160e"/> <cybox:Observable idref="mandiant:observable-0b7a4f20-da90-4af7-8f9d-7c0c44e889c9"/> <cybox:Observable idref="mandiant:observable-a616730f-e5e6-4978-afc5-cf787245c676"/> <cybox:Observable idref="mandiant:observable-f8242e9c-fd45-4f9e-bb97-f46b70f9bdef"/> <cybox:Observable idref="mandiant:observable-73b8ab0a-ee16-4f76-8e25-bf5c03d24ed9"/> <cybox:Observable idref="mandiant:observable-e8b51a63-4891-45e3-9d89-f41659e80034"/> <cybox:Observable idref="mandiant:observable-05135d31-a7a2-48f5-a611-78659f78fed1"/> <cybox:Observable idref="mandiant:observable-18ca68c7-0226-4e7e-a390-cfea1954abe1"/> <cybox:Observable idref="mandiant:observable-b4835458-5f6d-43c1-871f-3ee59a1dfa74"/> <cybox:Observable idref="mandiant:observable-aba45806-0d84-43e9-a0a5-4dc2cfb8d1de"/> <cybox:Observable idref="mandiant:observable-68c33374-5541-4c3f-9504-35688581fba7"/> <cybox:Observable idref="mandiant:observable-f34f5cc3-6bf6-42c6-9717-3b1534689dca"/> <cybox:Observable idref="mandiant:observable-c722f004-cc1e-41e4-9a42-50a91ca3ee13"/> <cybox:Observable idref="mandiant:observable-77f453bc-6e1d-4702-87e0-bfcf737cfae2"/> <cybox:Observable idref="mandiant:observable-5523678d-401c-4b68-aadc-180bca8a43ea"/> <cybox:Observable idref="mandiant:observable-40d39716-f0bb-4360-a1f7-4c487a544e52"/> <cybox:Observable idref="mandiant:observable-db0b3904-e4ce-4ba7-b78a-997dfc7294ad"/> <cybox:Observable 
idref="mandiant:observable-4e906014-3f3f-4195-a4d7-9692af02c769"/> <cybox:Observable idref="mandiant:observable-f68e07c1-84f1-4adb-993b-e30623d2b0a2"/> <cybox:Observable idref="mandiant:observable-baea7191-c99c-41cb-b77a-9613e0862c4d"/> <cybox:Observable idref="mandiant:observable-9691e34e-db47-43c8-a10c-9fca493c2f08"/> <cybox:Observable idref="mandiant:observable-ab0da8b0-a378-49b0-8988-ac306a0e300d"/> <cybox:Observable idref="mandiant:observable-692dd347-aa8a-4c5e-ae11-992ab92c25bd"/> <cybox:Observable idref="mandiant:observable-58675ee5-ecfd-4f82-8141-852229abc057"/> <cybox:Observable idref="mandiant:observable-429aca10-0269-475e-83fc-178768f88cd1"/> <cybox:Observable idref="mandiant:observable-197c2433-0ff1-4e12-8523-552090491d32"/> <cybox:Observable idref="mandiant:observable-7a2fdbf8-7995-441a-95f5-3aed2db1e4ed"/> <cybox:Observable idref="mandiant:observable-29888eb8-ce8e-4548-bdca-7e6bbc145a7e"/> <cybox:Observable idref="mandiant:observable-16859489-bf90-4c44-b6f1-1146258871c2"/> <cybox:Observable idref="mandiant:observable-f1053374-a3b6-41c1-bbd0-e9b9e92b5a97"/> <cybox:Observable idref="mandiant:observable-516c2663-5851-4c26-aba0-46d0dc1753e2"/> <cybox:Observable idref="mandiant:observable-2bcaef53-b39e-4a60-8a68-bb8a187f5348"/> <cybox:Observable idref="mandiant:observable-52374985-61b0-488c-8604-81041f214bda"/> <cybox:Observable idref="mandiant:observable-bc9243b2-205d-4b7b-8a5d-1b2eadb493db"/> <cybox:Observable idref="mandiant:observable-4f414936-b5f0-48cf-a86d-64f25490e994"/> <cybox:Observable idref="mandiant:observable-a6e92acd-e501-4fcf-97fa-70279caf4281"/> <cybox:Observable idref="mandiant:observable-1fce39bd-9034-48b0-9c5a-f4014b288fc6"/> <cybox:Observable idref="mandiant:observable-d799b3b2-65f7-475c-ac3a-2de5848bda51"/> <cybox:Observable idref="mandiant:observable-f5dcbb05-92dc-49db-a75b-30147a473fde"/> <cybox:Observable idref="mandiant:observable-505a3b18-1ccb-4053-b97d-73098706731d"/> <cybox:Observable 
idref="mandiant:observable-8c43952d-d204-466b-9245-afcd5aa28a78"/> <cybox:Observable idref="mandiant:observable-366e97fa-a5e0-48c1-b7e1-5b52287ee306"/> <cybox:Observable idref="mandiant:observable-06d1a19f-dda5-47b8-85f2-7b12e29bcbb5"/> <cybox:Observable idref="mandiant:observable-62cf077f-d030-4137-aae3-09816bf2ef61"/> <cybox:Observable idref="mandiant:observable-c1c28821-0670-4e5c-8c20-c66b047fb24a"/> <cybox:Observable idref="mandiant:observable-f8125fae-93dd-4c74-90b9-a4ed878bf0a3"/> <cybox:Observable idref="mandiant:observable-82ab7c92-d254-489e-9163-1610b73fa4b5"/> <cybox:Observable idref="mandiant:observable-6778068c-cbcc-425d-a972-e06417e8cfe8"/> <cybox:Observable idref="mandiant:observable-4a7bd981-b6ca-408b-b494-990fad2395a4"/> <cybox:Observable idref="mandiant:observable-abc6ce39-f145-4e87-b66a-bcf43f549543"/> <cybox:Observable idref="mandiant:observable-31e7a16d-16ae-4cf9-b009-488616960e6b"/> <cybox:Observable idref="mandiant:observable-466c38cb-fb4e-4ba7-b240-9669f18e5a69"/> <cybox:Observable idref="mandiant:observable-c31874e1-7a11-4880-ab82-06d1caabc127"/> <cybox:Observable idref="mandiant:observable-40ed1d0d-d8ce-424b-a0cc-12a91e967667"/> <cybox:Observable idref="mandiant:observable-f677abab-b01b-4fce-b816-ae445a06f3cf"/> <cybox:Observable idref="mandiant:observable-1f03140b-a1ba-404d-87da-dc056f38b2c2"/> <cybox:Observable idref="mandiant:observable-ee46fcd4-3db7-43d9-982e-c1f355cb8a2d"/> <cybox:Observable idref="mandiant:observable-3e11f44a-a281-402e-94fa-2c5b5e11afc8"/> <cybox:Observable idref="mandiant:observable-105ba0b5-98ff-4ec0-9924-8e2d9aea9ae5"/> <cybox:Observable idref="mandiant:observable-ff34011f-82fc-4724-a777-72dcb9b71669"/> <cybox:Observable idref="mandiant:observable-6df46401-4584-4a71-80e7-a4bfae13af47"/> <cybox:Observable idref="mandiant:observable-dbe6656d-7fb5-4eb6-8af4-55090729346d"/> <cybox:Observable idref="mandiant:observable-4922ceda-a600-4d77-b0fb-da22546dfbf1"/> <cybox:Observable 
idref="mandiant:observable-0e5cade4-6142-45f8-9352-e6b2135ef855"/> <cybox:Observable idref="mandiant:observable-9c48ccf0-88cb-4deb-b6c9-6bcbd9b5cfce"/> <cybox:Observable idref="mandiant:observable-27f96c28-2b32-4fde-a6fc-83c70c8cb85f"/> <cybox:Observable idref="mandiant:observable-b659bc12-8ce3-4bb4-b860-ff1ac8481f1b"/> <cybox:Observable idref="mandiant:observable-06f2180a-cd95-4b07-a11f-1505119796ce"/> <cybox:Observable idref="mandiant:observable-3dfadc75-39ee-4caa-bf0f-419bc2cba91e"/> <cybox:Observable idref="mandiant:observable-4f3c9762-9c28-4c44-a5a1-100451d94db8"/> <cybox:Observable idref="mandiant:observable-d900959c-d0a2-4b9e-bd52-dc37a15b0384"/> <cybox:Observable idref="mandiant:observable-458e871a-f71f-4951-9913-6ddd05d05187"/> <cybox:Observable idref="mandiant:observable-09378fd1-d8c0-4776-979b-5bd9edf3c4ee"/> <cybox:Observable idref="mandiant:observable-037141d8-7bf5-49f6-bcbb-593c95a93afa"/> <cybox:Observable idref="mandiant:observable-6bc51ce5-9ffc-45c4-9ace-434e971d01af"/> <cybox:Observable idref="mandiant:observable-4b572912-d252-459a-a96b-c3831577f5a1"/> <cybox:Observable idref="mandiant:observable-664d4ff1-4b8b-4b8a-b1e2-984468b91124"/> <cybox:Observable idref="mandiant:observable-b9f5122c-69f7-476c-92c8-98f938680b24"/> <cybox:Observable idref="mandiant:observable-c4a48724-3122-4808-9d81-5aec50f4f353"/> <cybox:Observable idref="mandiant:observable-e6f1a8e1-9e63-4b79-adce-632afe00b852"/> <cybox:Observable idref="mandiant:observable-be895f16-33ac-43bd-bf12-27ec9bf99bce"/> <cybox:Observable idref="mandiant:observable-b21afd11-b416-44b4-abb9-c23227c3849d"/> <cybox:Observable idref="mandiant:observable-5c21d3cf-36df-4aad-aadd-025251e3afc5"/> <cybox:Observable idref="mandiant:observable-30d502b3-8ff5-4b49-b914-41cfdeb3e33d"/> <cybox:Observable idref="mandiant:observable-bda0241d-f41b-4732-87eb-212ee38f4d4c"/> <cybox:Observable idref="mandiant:observable-b33d4d1a-36fb-4a78-b30b-c90144b27fff"/> <cybox:Observable 
idref="mandiant:observable-47c15c0a-2e85-4a51-9cd7-8e5c7e090c13"/> <cybox:Observable idref="mandiant:observable-88c052a4-aeca-4bbe-910f-4a4e985b19c1"/> <cybox:Observable idref="mandiant:observable-9fdf7436-dcfc-44e6-9682-ede1a904a8d6"/> <cybox:Observable idref="mandiant:observable-9f8e1195-cfd8-4758-a0ab-0662f8a25153"/> <cybox:Observable idref="mandiant:observable-9efb7d6a-9e86-4e8a-a7fa-3506bddcb11f"/> <cybox:Observable idref="mandiant:observable-cec0f07a-1b8a-4808-a01a-30831ec6f1b9"/> <cybox:Observable idref="mandiant:observable-0afb9eab-d49c-4d0e-a92c-22c3c2fe68fd"/> <cybox:Observable idref="mandiant:observable-1805fcba-aa2c-4ba3-8af3-799ef76ef233"/> <cybox:Observable idref="mandiant:observable-e673611e-0a91-4ee6-b1f2-e050786b86b1"/> <cybox:Observable idref="mandiant:observable-8f20a71d-fdc8-4c62-8653-2d5a47b47538"/> <cybox:Observable idref="mandiant:observable-860cd4de-858f-4377-a0f1-5547528449b2"/> <cybox:Observable idref="mandiant:observable-c1cee7fc-1445-4b83-aa8a-a4fe201242be"/> <cybox:Observable idref="mandiant:observable-fe64f26b-93c6-47d5-b07c-53e80dda5d71"/> <cybox:Observable idref="mandiant:observable-f2291c9a-18a2-462e-bce3-647ec6553c33"/> <cybox:Observable idref="mandiant:observable-ddfdb883-32b5-4291-a2c8-a56f4591d23c"/> <cybox:Observable idref="mandiant:observable-741c5c64-4c0d-4a88-9094-dc0fbeb83b52"/> <cybox:Observable idref="mandiant:observable-25aec029-7e15-4c9c-8292-cea5e05b811d"/> <cybox:Observable idref="mandiant:observable-cc257cdc-fdfe-45ba-b86a-14ebf3372169"/> <cybox:Observable idref="mandiant:observable-cd2333fb-5078-4da7-ae4d-89245496790b"/> <cybox:Observable idref="mandiant:observable-e3cb60ae-ea22-4747-a006-713e432bcb61"/> <cybox:Observable idref="mandiant:observable-635fd8ae-d31f-4df1-8150-7f05d92bf25c"/> <cybox:Observable idref="mandiant:observable-c5aeccc1-a893-433c-abb9-7614e0db2ca0"/> <cybox:Observable idref="mandiant:observable-ce72d543-62fc-42f2-ad7f-66af65afe283"/> <cybox:Observable 
idref="mandiant:observable-bd4632c6-db72-43f7-b310-528a092f1c2c"/> <cybox:Observable idref="mandiant:observable-a286532e-fc8e-4536-bd96-2a40f71f214c"/> <cybox:Observable idref="mandiant:observable-fbebb317-e18c-4200-b0bd-2053a37a05f5"/> <cybox:Observable idref="mandiant:observable-9d09ab31-9629-4ee8-ba2d-95a4005c36f7"/> <cybox:Observable idref="mandiant:observable-8a8f3581-1eb8-4ccf-a10b-08713124835c"/> <cybox:Observable idref="mandiant:observable-f3a7a07d-0cc9-4283-92b7-18fd91ea48ee"/> <cybox:Observable idref="mandiant:observable-fd7efdda-4cc9-472d-b5c9-d1630c9699ee"/> <cybox:Observable idref="mandiant:observable-bea2fd16-a0c1-4172-bfd1-d9eb4ac5bfce"/> <cybox:Observable idref="mandiant:observable-7a1efd44-7c2c-465f-bcc3-683cbce315fa"/> <cybox:Observable idref="mandiant:observable-afa87e92-cfe2-42b9-9287-e5c555a4252c"/> <cybox:Observable idref="mandiant:observable-a548aa9a-a6d2-40bf-9f59-7757252a18d5"/> <cybox:Observable idref="mandiant:observable-bfbb6695-1a79-45d8-963a-4b586550f7c8"/> <cybox:Observable idref="mandiant:observable-9193beaa-8f85-4dc9-aac8-530a8fa438d0"/> <cybox:Observable idref="mandiant:observable-59a72444-46ab-4760-847f-a88b883079c5"/> <cybox:Observable idref="mandiant:observable-2c1d1562-23b0-48fe-89db-70d82bb6eaa0"/> <cybox:Observable idref="mandiant:observable-93ad3a5e-5c01-44c8-b126-e3aa33fe9b50"/> <cybox:Observable idref="mandiant:observable-c1fed046-0101-4913-bdaf-14b9bc0a18c0"/> <cybox:Observable idref="mandiant:observable-18371776-be36-4164-9809-dca4f6e2c54d"/> <cybox:Observable idref="mandiant:observable-127e0155-59b1-4b54-b0df-b67ed488ef43"/> <cybox:Observable idref="mandiant:observable-b249bc1e-558b-49a1-bcd1-38fc1192184b"/> <cybox:Observable idref="mandiant:observable-dff39bfc-3520-4194-aed5-d7d8b11da95c"/> <cybox:Observable idref="mandiant:observable-4b8894ae-6f5c-44a2-8f3a-4d7f377e58df"/> <cybox:Observable idref="mandiant:observable-a4f7fb70-3852-4bda-86d7-9db0762ed860"/> <cybox:Observable 
idref="mandiant:observable-0e2cf034-f439-4f8f-bd26-67cd8b6924a7"/> <cybox:Observable idref="mandiant:observable-40442ba4-c8d9-4f56-a6d4-02f9a9eb759a"/> <cybox:Observable idref="mandiant:observable-47632f04-cf80-4a3a-9be3-49c51737e3a6"/> <cybox:Observable idref="mandiant:observable-ff91f6cd-9224-4140-b63d-725395bc302e"/> <cybox:Observable idref="mandiant:observable-79d239c8-9a87-425b-b1e3-885478cb491b"/> <cybox:Observable idref="mandiant:observable-2918bf8e-de76-4c40-8223-b3bf5d23c015"/> <cybox:Observable idref="mandiant:observable-c36388b0-1c9d-4b3b-a214-1e834424e038"/> <cybox:Observable idref="mandiant:observable-88c41ccf-ba5a-4481-8734-846a2fca9bfc"/> <cybox:Observable idref="mandiant:observable-dba8c03c-9da0-46d4-a96a-0a29688f0209"/> <cybox:Observable idref="mandiant:observable-c5b93855-5f9d-4975-b2a8-12434713e2ad"/> <cybox:Observable idref="mandiant:observable-bf64add6-84fa-4a61-a5a2-7ee57b93ab9d"/> <cybox:Observable idref="mandiant:observable-9b6f7ee3-75b9-4435-80c5-fd3f391c9517"/> <cybox:Observable idref="mandiant:observable-16e5ee37-c58b-434c-81f5-b005f925cfe4"/> <cybox:Observable idref="mandiant:observable-b43b3b1a-3b9d-4465-a8b2-0b5359c82349"/> <cybox:Observable idref="mandiant:observable-778bb896-fd5b-4295-9a2e-261da6d7afcf"/> <cybox:Observable idref="mandiant:observable-a305bcbd-6530-4eb0-ab76-617b0d6f3ff4"/> <cybox:Observable idref="mandiant:observable-e327513f-e356-4eb4-afbf-e083252cdf76"/> <cybox:Observable idref="mandiant:observable-cb3bd9c5-6c66-4dc2-8b83-6a39397453c4"/> <cybox:Observable idref="mandiant:observable-99f56bf0-7902-4e5b-8b41-768a5dfd2b96"/> <cybox:Observable idref="mandiant:observable-1675c825-73c8-4ee5-962f-0911c5716311"/> <cybox:Observable idref="mandiant:observable-55c75143-4726-4a55-b7b0-4bdaa6a5234c"/> <cybox:Observable idref="mandiant:observable-6ac300d9-0910-4af2-9aab-8fdbb03a2338"/> <cybox:Observable idref="mandiant:observable-1309e5fc-7e4c-4534-a3b7-654a3a79b755"/> <cybox:Observable 
idref="mandiant:observable-44ddd4b4-88f2-435c-95b9-f0f1d774820d"/> <cybox:Observable idref="mandiant:observable-8a67f354-3481-40ee-b535-17e89368cedc"/> <cybox:Observable idref="mandiant:observable-b5984919-de73-4b2e-8044-c0faf89cd84c"/> <cybox:Observable idref="mandiant:observable-bfe936f9-c6f7-415e-a773-e2aa7cfeb67b"/> <cybox:Observable idref="mandiant:observable-8411b4d0-4ca9-433a-a228-ffc55021b8a6"/> <cybox:Observable idref="mandiant:observable-cb224b30-fe35-45a3-9d61-2c47447faefd"/> <cybox:Observable idref="mandiant:observable-79b250fb-f337-4fe4-a1fd-0f14db527123"/> <cybox:Observable idref="mandiant:observable-dce5008b-b485-4a58-bbee-01b83de1a67f"/> <cybox:Observable idref="mandiant:observable-88aabd0a-db00-458e-b465-2338d382b4db"/> <cybox:Observable idref="mandiant:observable-43bffb9e-802b-42b0-8aec-93e785a90b0a"/> <cybox:Observable idref="mandiant:observable-76cca676-a146-452d-9d1b-75aa4f16d973"/> <cybox:Observable idref="mandiant:observable-12b8eecb-ea79-4762-a8b2-55daa5d84cb9"/> <cybox:Observable idref="mandiant:observable-3b3d360f-e462-4b05-934f-48837101f16e"/> <cybox:Observable idref="mandiant:observable-e829d5aa-4c8a-4993-8418-f7b26962eb9b"/> <cybox:Observable idref="mandiant:observable-0589fdff-fa2f-47ca-af83-408d25e2bfc3"/> <cybox:Observable idref="mandiant:observable-703f60a3-3734-42db-9e5b-f25a390834f3"/> <cybox:Observable idref="mandiant:observable-3dffcf7e-4b32-4fab-8720-3d4ca21e8676"/> <cybox:Observable idref="mandiant:observable-da151c43-42bc-400a-95cb-a4794e40ea72"/> <cybox:Observable idref="mandiant:observable-ccee62c8-935e-49b1-b0f5-a68ea17afa36"/> <cybox:Observable idref="mandiant:observable-83d97026-3661-4ce7-8573-b9f13087aeae"/> <cybox:Observable idref="mandiant:observable-dcf4fafc-8b52-419a-a869-2dc3881b57dd"/> <cybox:Observable idref="mandiant:observable-b9964cd0-9159-4154-ad12-6ea8b82b1919"/> <cybox:Observable idref="mandiant:observable-0113078d-92fe-4021-b8ea-b2b2e6d0927d"/> <cybox:Observable 
idref="mandiant:observable-71b716af-666c-4cc7-8fce-414087ce13a8"/> <cybox:Observable idref="mandiant:observable-1efc4f2d-b353-4948-9853-f4af01dba154"/> <cybox:Observable idref="mandiant:observable-7c788a3c-9802-4ace-b74a-872fa6ce475d"/> <cybox:Observable idref="mandiant:observable-e7f6fa54-6551-4051-b6fc-1b99965c7283"/> <cybox:Observable idref="mandiant:observable-05a23b2f-632d-4638-9fd7-129c22b72d59"/> <cybox:Observable idref="mandiant:observable-c4d55888-aace-43e6-963b-6bff9527651a"/> <cybox:Observable idref="mandiant:observable-6b69e8d9-e8c9-4641-a741-0aecd4797889"/> <cybox:Observable idref="mandiant:observable-9511e823-4a36-4c98-b969-be8a18cafd33"/> <cybox:Observable idref="mandiant:observable-c7d207b0-efe6-4d1f-91de-6a5ad84c01dd"/> <cybox:Observable idref="mandiant:observable-ec6f2fac-7da0-4088-97b3-df78073105c6"/> <cybox:Observable idref="mandiant:observable-aef9eaf5-5c3a-4ee2-ab74-e968ec5fee67"/> <cybox:Observable idref="mandiant:observable-81c8c916-9b1c-4865-b053-8797b7635536"/> <cybox:Observable idref="mandiant:observable-b0d74e94-4cc5-4412-b283-b7d8a3fd770f"/> <cybox:Observable idref="mandiant:observable-03be0c70-71fd-41e9-a135-4c66c86ec25a"/> <cybox:Observable idref="mandiant:observable-ed751c87-1202-4748-a09a-603e916a7a5c"/> <cybox:Observable idref="mandiant:observable-5706f486-870e-4086-abd3-b84d174d8a1e"/> <cybox:Observable idref="mandiant:observable-93303fa1-7cc5-4a8a-95af-a14825b30a88"/> <cybox:Observable idref="mandiant:observable-a88f262e-2aa9-42d4-b2be-ec4a9c4dcc08"/> <cybox:Observable idref="mandiant:observable-58874411-5b95-4f6b-baf8-43a6e943dcf8"/> <cybox:Observable idref="mandiant:observable-d74f5f2f-9c51-4a2b-98f0-43a3b4bb817b"/> <cybox:Observable idref="mandiant:observable-151a2b1c-fa5a-4bfb-a9e8-ffedc0ef2000"/> <cybox:Observable idref="mandiant:observable-c9cfa772-ac67-4c2d-bf17-06beca62c4fc"/> <cybox:Observable idref="mandiant:observable-db60fa94-e63b-40de-b85b-639864d09dff"/> <cybox:Observable 
idref="mandiant:observable-79c8a3d0-5ada-46d0-b5fa-72b2660e5ed2"/> <cybox:Observable idref="mandiant:observable-7c3f3c05-6d69-4f05-973b-b05494fb4192"/> <cybox:Observable idref="mandiant:observable-7e77fc63-2844-4bea-a5cc-b013c9c57407"/> <cybox:Observable idref="mandiant:observable-f707fc35-11ea-4a05-9927-06fdae66cc07"/> <cybox:Observable idref="mandiant:observable-0f870d41-c381-4d63-a902-b09eddbb085c"/> <cybox:Observable idref="mandiant:observable-7a0df406-816b-4fc7-867e-8157ecfe3678"/> <cybox:Observable idref="mandiant:observable-562438f7-d03e-4c4b-afdb-42f3473ebc5a"/> <cybox:Observable idref="mandiant:observable-83815990-8092-4378-b6c8-ff4ff3160270"/> <cybox:Observable idref="mandiant:observable-28cf1fc8-985c-4f47-9dd8-7eade45c828b"/> <cybox:Observable idref="mandiant:observable-64eefec1-35b8-4c4e-b03a-7f402c29cfdd"/> <cybox:Observable idref="mandiant:observable-4260d6a6-142b-485c-a37e-1c7a5f1880de"/> <cybox:Observable idref="mandiant:observable-a137962b-044e-4d96-8284-2fb874a04cfc"/> <cybox:Observable idref="mandiant:observable-1d244eab-ddb9-463a-8c8f-2644ff8146ad"/> <cybox:Observable idref="mandiant:observable-717002c1-0b9b-4d89-8e04-827366b6b37f"/> <cybox:Observable idref="mandiant:observable-60ef246f-98e4-42c4-acca-9d6aac19191a"/> <cybox:Observable idref="mandiant:observable-061044d6-d7b0-43ff-9ea8-59090632acc0"/> <cybox:Observable idref="mandiant:observable-c9af2cd7-31ec-4e35-9ae8-7b72eff0eabb"/> <cybox:Observable idref="mandiant:observable-1be3d9c2-ee2a-4676-9888-dfdeabf873a0"/> <cybox:Observable idref="mandiant:observable-f4a65b7d-10f3-4d34-8f71-d299c6c29982"/> <cybox:Observable idref="mandiant:observable-cb8b0594-8172-4c37-865e-0ab50c4dd62d"/> <cybox:Observable idref="mandiant:observable-97b1b8cd-599f-4a30-96f7-84d99e396cf6"/> <cybox:Observable idref="mandiant:observable-903d7906-89ed-4012-a3a0-8b4ddf733ab0"/> <cybox:Observable idref="mandiant:observable-147278d9-ae6b-4aa5-b0c3-5e20e3cbc4e3"/> <cybox:Observable 
idref="mandiant:observable-b84fb79f-c77b-4cc7-8475-f6a2d59f5c5a"/> <cybox:Observable idref="mandiant:observable-29a89dcc-339e-48ce-8fdf-6f22bc0a0108"/> <cybox:Observable idref="mandiant:observable-36e0857a-c6b2-45d5-a173-1d32bcd262c1"/> <cybox:Observable idref="mandiant:observable-155af31e-9ec5-47f7-ad27-5a2b625f37db"/> <cybox:Observable idref="mandiant:observable-f4439817-1af8-49b6-bf7a-eb75387fc857"/> <cybox:Observable idref="mandiant:observable-dfba1358-e5b8-41fd-9408-6f345eb77dd3"/> <cybox:Observable idref="mandiant:observable-6236ca54-b8ce-4be3-8347-d27b5374d672"/> <cybox:Observable idref="mandiant:observable-c4f5a77b-8c17-4c21-9506-7e129f94805d"/> <cybox:Observable idref="mandiant:observable-1ccb67ee-ab95-4f8b-80fd-15ba7b1b144a"/> <cybox:Observable idref="mandiant:observable-a8ee19a2-4922-45d2-a2c5-8499e754552e"/> <cybox:Observable idref="mandiant:observable-28adbf26-fdcb-49c4-b3f5-fe7604a6c5be"/> <cybox:Observable idref="mandiant:observable-8b50a572-82cd-4361-a651-8e6d914ffce3"/> <cybox:Observable idref="mandiant:observable-090bf433-7d5b-4c39-bb67-419783ef48fd"/> <cybox:Observable idref="mandiant:observable-f77a63bd-4231-4c15-b370-b3dca152932f"/> <cybox:Observable idref="mandiant:observable-da94f2f3-15c5-4efd-a463-55af2fe25bc3"/> <cybox:Observable idref="mandiant:observable-53236c4b-8c5e-43b4-9b3e-1757a2c4fd53"/> <cybox:Observable idref="mandiant:observable-e0f1fb6e-bba9-4d0b-b773-5c6a070a11fc"/> <cybox:Observable idref="mandiant:observable-291ae324-ec20-4020-851f-a0518548d4b7"/> <cybox:Observable idref="mandiant:observable-a8e2161e-b3f5-4c2e-80fa-8466e6edf592"/> <cybox:Observable idref="mandiant:observable-fb2aa6ff-36c5-4f92-98ea-5dfadf1ce05b"/> <cybox:Observable idref="mandiant:observable-5b918ea4-eb00-4e83-b901-a8cd96ba0d69"/> <cybox:Observable idref="mandiant:observable-babc3765-80bf-4439-bc94-c40e280559f4"/> <cybox:Observable idref="mandiant:observable-c6a7d671-6d83-49e5-b5c1-b9bd4e1c933f"/> <cybox:Observable 
idref="mandiant:observable-3b5f5409-b7c2-4150-8799-b34ef1f207c2"/> <cybox:Observable idref="mandiant:observable-b0356b4e-9d01-42a2-82aa-3e7338ddd86e"/> <cybox:Observable idref="mandiant:observable-f5b965df-6640-43ef-8a74-3648850c24de"/> <cybox:Observable idref="mandiant:observable-4eea9b08-e5c9-449a-915e-81957d645db5"/> <cybox:Observable idref="mandiant:observable-77a33407-dd06-4771-a398-eb2ec5da243a"/> <cybox:Observable idref="mandiant:observable-86987363-95a8-4411-ad36-af31256bde72"/> <cybox:Observable idref="mandiant:observable-be35f904-765e-4e5c-a7da-619e2aac05cd"/> <cybox:Observable idref="mandiant:observable-00a0ddeb-301f-4105-9418-11d7379ddb6d"/> <cybox:Observable idref="mandiant:observable-1ded5ab9-9ee9-4b96-9444-2b290fa39fd3"/> <cybox:Observable idref="mandiant:observable-f06e6df2-ae06-4e8e-80d3-49ab06305353"/> <cybox:Observable idref="mandiant:observable-0c395a56-6e3e-44af-8606-49e16cf27f5d"/> <cybox:Observable idref="mandiant:observable-27f96162-bed9-49a7-82b6-1d2b5838602b"/> <cybox:Observable idref="mandiant:observable-806c5faf-ce64-4e6b-b344-5d2ddaa1b38f"/> <cybox:Observable idref="mandiant:observable-05935fd3-b962-43fe-86b6-ec5c1b28eb7b"/> <cybox:Observable idref="mandiant:observable-35a89fcb-66aa-451c-8d3d-74bef2e70dbf"/> <cybox:Observable idref="mandiant:observable-f1bfa3bc-3141-4ce9-ab41-17c171acf3f4"/> <cybox:Observable idref="mandiant:observable-57a6b882-a041-49db-a186-cd9d6a67f2be"/> <cybox:Observable idref="mandiant:observable-85c1f565-1808-4811-ac5b-80fff6758661"/> <cybox:Observable idref="mandiant:observable-0536e2e9-359b-4bfe-9950-fc3762dbb645"/> <cybox:Observable idref="mandiant:observable-e6f3f7ad-d18a-4e11-abc1-3d778d8e70c0"/> <cybox:Observable idref="mandiant:observable-ba5f0800-89ac-4ed1-9902-abd6f2744200"/> <cybox:Observable idref="mandiant:observable-3747f1b4-c8a6-40be-957b-335ee4fd8bb2"/> <cybox:Observable idref="mandiant:observable-179caa2f-c6d5-48b0-ba2e-cd465be83cf0"/> <cybox:Observable 
idref="mandiant:observable-cf009b8f-ab73-4c0d-9def-f312899c1b0a"/> <cybox:Observable idref="mandiant:observable-7d1800de-8551-4507-b746-5326e1cfbcfa"/> <cybox:Observable idref="mandiant:observable-dc8e72fa-a85d-4127-9252-27bea678966b"/> <cybox:Observable idref="mandiant:observable-4b2c705a-739e-4dcc-bd75-0ae489ce9db4"/> <cybox:Observable idref="mandiant:observable-6ea29327-7971-49f2-9efa-82ac4960b421"/> <cybox:Observable idref="mandiant:observable-49beeb96-c46c-4a47-8d62-1f9e2c941cca"/> <cybox:Observable idref="mandiant:observable-f62b52d9-5641-45fa-a737-c78c8b9d0ed0"/> <cybox:Observable idref="mandiant:observable-2729ef72-778f-4428-8fa9-280dac3d8420"/> <cybox:Observable idref="mandiant:observable-3ffed991-d9d3-490f-8fee-a97fe9bf5970"/> <cybox:Observable idref="mandiant:observable-8a6dcc6e-254a-4c37-97ce-863d019cb9f0"/> <cybox:Observable idref="mandiant:observable-f3dd3f24-d63d-47e3-bbfb-3175dd88979a"/> <cybox:Observable idref="mandiant:observable-0bb9b519-ad67-4149-a39e-5f08d6127517"/> <cybox:Observable idref="mandiant:observable-dc17be00-19a1-4f1d-8951-d140c7bac393"/> <cybox:Observable idref="mandiant:observable-24ca9d19-1173-4619-a3ef-7c038af11a59"/> <cybox:Observable idref="mandiant:observable-12f50a91-cf56-4339-9745-fc021c59ac4e"/> <cybox:Observable idref="mandiant:observable-a0e7f984-b460-4bcd-a853-1cd11b80be44"/> <cybox:Observable idref="mandiant:observable-4ef5a6ce-7bf1-45b4-80ed-dad7b63500a7"/> <cybox:Observable idref="mandiant:observable-4f4d4c51-70bb-4cd1-8b42-3610ab588151"/> <cybox:Observable idref="mandiant:observable-d0073d98-69b8-4bbf-b35c-2f1fe58683ef"/> <cybox:Observable idref="mandiant:observable-4d0dddd5-9f06-48c1-8a11-71719d0eab58"/> <cybox:Observable idref="mandiant:observable-04012e8a-dd20-4241-8b10-d169b49100a3"/> <cybox:Observable idref="mandiant:observable-56e1835d-6a31-48d0-9b16-701107b852bd"/> <cybox:Observable idref="mandiant:observable-4a94dbda-22c4-4131-b2ec-e3f50bf2c1ba"/> <cybox:Observable 
idref="mandiant:observable-d642e377-9db3-4944-af9e-13ac7c7b76b6"/> <cybox:Observable idref="mandiant:observable-ceb0314c-35c0-4f54-b777-0067d5cd8ae8"/> <cybox:Observable idref="mandiant:observable-3cd72dd3-11b8-4f57-b2e6-d10cb333e399"/> <cybox:Observable idref="mandiant:observable-a628745b-2579-4691-9b9a-affb86eda06a"/> <cybox:Observable idref="mandiant:observable-fbffcbcf-d45d-4742-9481-baa04f1ed7e2"/> <cybox:Observable idref="mandiant:observable-bf86bf44-29de-45d0-80bd-15e34e039177"/> <cybox:Observable idref="mandiant:observable-8fdbe706-8440-4da8-a274-66801df2fd41"/> <cybox:Observable idref="mandiant:observable-cc281db0-c3d6-447b-9bed-b7e2c7e04610"/> <cybox:Observable idref="mandiant:observable-ec540528-1563-476d-aaff-270fe2df5e3f"/> <cybox:Observable idref="mandiant:observable-bb7618cb-7f2e-4690-80f9-4f1572af0758"/> <cybox:Observable idref="mandiant:observable-6b9970f1-0c16-43dc-9c43-f18df719db31"/> <cybox:Observable idref="mandiant:observable-53fad508-e8dd-40aa-98ca-64a4bfd0811c"/> <cybox:Observable idref="mandiant:observable-29f43d88-956a-46fc-abb9-e8861f4a8e82"/> <cybox:Observable idref="mandiant:observable-ebbc6af0-5c1a-40a6-b78c-81089cd11efa"/> <cybox:Observable idref="mandiant:observable-2cca76a1-73b6-4290-8f5e-9656bb5fe9cb"/> <cybox:Observable idref="mandiant:observable-d1a5bda6-8925-4d23-96be-0893b69790b3"/> <cybox:Observable idref="mandiant:observable-46119143-1fd1-470c-92e5-72c1883ad643"/> <cybox:Observable idref="mandiant:observable-390c3c46-79bd-468d-872f-e4a2824aa022"/> <cybox:Observable idref="mandiant:observable-2dab46a0-3ad2-4b6b-8074-56922ffdfead"/> <cybox:Observable idref="mandiant:observable-bbe6f528-ecea-41c1-a81d-beef8c258d68"/> <cybox:Observable idref="mandiant:observable-4d0d3741-1f1a-4a04-89c4-ebcf3e35450a"/> <cybox:Observable idref="mandiant:observable-70ca6c4e-cae9-4f9e-b263-e55ec702370d"/> <cybox:Observable idref="mandiant:observable-a41d3d55-ef0f-4b3b-bda6-fd3ec5e08e74"/> <cybox:Observable 
idref="mandiant:observable-ad30afb0-7d59-40b1-a4a1-72585d1f2a8d"/> <cybox:Observable idref="mandiant:observable-6932ca1a-5548-47e4-991b-ec47c0b2a667"/> <cybox:Observable idref="mandiant:observable-bac524cd-cd89-4fdc-b285-f6f999fb3fd9"/> <cybox:Observable idref="mandiant:observable-5cc3ed5a-17cd-4bc6-bc3d-554b92cda3b4"/> <cybox:Observable idref="mandiant:observable-ef95aa56-e653-4357-9627-99df04400546"/> <cybox:Observable idref="mandiant:observable-ef3492cb-db10-40bb-9898-22f7a54c4b5f"/> <cybox:Observable idref="mandiant:observable-85ce02c6-16ec-4927-8477-20bd38b0cdf2"/> <cybox:Observable idref="mandiant:observable-c1fd7932-8473-40fc-b598-dac2954be212"/> <cybox:Observable idref="mandiant:observable-2b7c7b9f-dc3d-4f92-9ef7-c4eea56b7a48"/> <cybox:Observable idref="mandiant:observable-e080662b-2364-41a2-a020-cb1b0c971e91"/> <cybox:Observable idref="mandiant:observable-a82948a5-8b29-4135-aac2-60133ea45c75"/> <cybox:Observable idref="mandiant:observable-9dd97cd1-a202-423e-9d4d-207e5edb8d14"/> <cybox:Observable idref="mandiant:observable-d5cb1b59-03b0-45dd-9b85-75ee78f90044"/> <cybox:Observable idref="mandiant:observable-86c51237-c66d-48c1-a341-cf8c0d91c60a"/> <cybox:Observable idref="mandiant:observable-1e0981b5-b053-4b0a-8211-a6cf7c3b1a3f"/> <cybox:Observable idref="mandiant:observable-5b2f7279-ce22-4b70-af8d-8923437849fd"/> <cybox:Observable idref="mandiant:observable-347bfe1f-2df9-4c96-9513-2d7a3c0d74f1"/> <cybox:Observable idref="mandiant:observable-2d2d3672-e987-4d69-b253-7d28e39629d8"/> <cybox:Observable idref="mandiant:observable-c9bf6fef-3417-4a0d-94ee-7f34aa31c707"/> <cybox:Observable idref="mandiant:observable-7e10c0e2-11dd-44bc-a282-9ed6f9bb4310"/> <cybox:Observable idref="mandiant:observable-f6db7186-d473-41a0-812e-4d264d834fa8"/> <cybox:Observable idref="mandiant:observable-81ae4127-cbeb-4c91-8400-748c5127a733"/> <cybox:Observable idref="mandiant:observable-7f53e613-ff9b-491f-8ca9-ba55e3a4b9c3"/> <cybox:Observable 
idref="mandiant:observable-4adc3ef2-d407-4a82-90e6-8dce6ca01c68"/> <cybox:Observable idref="mandiant:observable-a62c6ba2-03ce-4e80-bd8a-45138fe31911"/> <cybox:Observable idref="mandiant:observable-13bfb143-a945-42da-b03a-3224843729bf"/> <cybox:Observable idref="mandiant:observable-3c1cba50-dbda-47e1-ab8a-40960cac9d39"/> <cybox:Observable idref="mandiant:observable-f81d536b-7d51-4b41-bd87-21c7d4d11719"/> <cybox:Observable idref="mandiant:observable-095f937e-ef8d-4dac-bbff-3d042e7b5151"/> <cybox:Observable idref="mandiant:observable-a3cab055-1cd0-43cc-ba82-9dd4bd105656"/> <cybox:Observable idref="mandiant:observable-feb4f745-5dcb-4cc4-93d2-fde7b172c5c2"/> <cybox:Observable idref="mandiant:observable-c87057f3-4180-4d85-9d98-e9922705fa6c"/> <cybox:Observable idref="mandiant:observable-ad3076d7-7912-4eee-b9b5-450d09f9b840"/> <cybox:Observable idref="mandiant:observable-636e4e8a-cb6a-45a5-9df1-4f20e1132f71"/> <cybox:Observable idref="mandiant:observable-14a13876-3ab2-4227-ad8c-451dcd0519f0"/> <cybox:Observable idref="mandiant:observable-b37cc63f-6502-4977-9d81-5608bc17d42d"/> <cybox:Observable idref="mandiant:observable-2ce40817-edf3-4219-aa01-80471b82c2c9"/> <cybox:Observable idref="mandiant:observable-d03530b4-8d5e-41fe-896f-301ca58076cc"/> <cybox:Observable idref="mandiant:observable-ddaccedf-90d7-4224-9d52-fed8d2a8082d"/> <cybox:Observable idref="mandiant:observable-6c7dc0e9-79a6-4be8-bf71-dff9f626ec7d"/> <cybox:Observable idref="mandiant:observable-ba2b6ece-f761-4644-b707-70ff165877ec"/> <cybox:Observable idref="mandiant:observable-1dd4cb8c-b1f8-494a-be6a-ca93b00743ac"/> <cybox:Observable idref="mandiant:observable-cd3a79a6-d176-41d6-a785-acba8e83c52b"/> <cybox:Observable idref="mandiant:observable-7d00969b-768d-4df4-a890-06c7030f5223"/> <cybox:Observable idref="mandiant:observable-650d994c-739c-4969-9251-49bfa8dcb102"/> <cybox:Observable idref="mandiant:observable-336be1c5-f3f2-4e47-a56e-011577a13c2b"/> <cybox:Observable 
idref="mandiant:observable-a57d27fb-ee5f-48e7-bc8b-eb28b72e0598"/> <cybox:Observable idref="mandiant:observable-2f5f27d2-3f7a-41ff-a21a-67ed4ad5dc2c"/> <cybox:Observable idref="mandiant:observable-4a52cb2b-9c78-4ac0-8b97-cc054a54a3f0"/> <cybox:Observable idref="mandiant:observable-4a510c2d-0a0a-41f9-a780-0b9a184e73b9"/> <cybox:Observable idref="mandiant:observable-9c0b99a8-1b3d-48cc-b9bf-f40feffe72cd"/> <cybox:Observable idref="mandiant:observable-e993d0d6-61f8-4fb4-93ea-db2666d6e843"/> <cybox:Observable idref="mandiant:observable-80bb7921-4817-48d3-878a-6712dd7faace"/> <cybox:Observable idref="mandiant:observable-bee37401-87df-4fe3-8bec-e38286e9b821"/> <cybox:Observable idref="mandiant:observable-4f928e37-08d2-46f1-a183-a3fd4818e8be"/> <cybox:Observable idref="mandiant:observable-10b6b09a-7e45-45c3-b833-00005caf0ea9"/> <cybox:Observable idref="mandiant:observable-9a15ea1c-c2b2-447b-9011-b1e8542433d5"/> <cybox:Observable idref="mandiant:observable-42946ae8-b28a-482f-9a84-bdde2098a5dc"/> <cybox:Observable idref="mandiant:observable-b972ea4d-c4c9-4fab-9e57-8478764f5c16"/> <cybox:Observable idref="mandiant:observable-3b8c093d-414f-49a9-b7dd-22b68a238726"/> <cybox:Observable idref="mandiant:observable-d19129ad-cb3e-48c5-9188-c355b342aca6"/> <cybox:Observable idref="mandiant:observable-65772a1c-3690-451c-bafe-869944742746"/> <cybox:Observable idref="mandiant:observable-c79d6f9a-7528-4878-87e4-1d75d5d31b5c"/> <cybox:Observable idref="mandiant:observable-e787f4b2-b375-4a86-a870-b1a0fe91cbe5"/> <cybox:Observable idref="mandiant:observable-9acd4092-e331-4503-be88-5ab9f3e50d4d"/> <cybox:Observable idref="mandiant:observable-77cb33c7-e73f-4c38-8108-9b4f4be6e36d"/> <cybox:Observable idref="mandiant:observable-341631f1-5d80-4471-b7cb-f67e846461bf"/> <cybox:Observable idref="mandiant:observable-2a379e3d-7a56-413f-9970-9f42d095e052"/> <cybox:Observable idref="mandiant:observable-0770e7b6-6b92-40e4-812a-6ef828fbcb1c"/> <cybox:Observable 
idref="mandiant:observable-6bf6aeb9-eb33-4691-b18b-936aa4a975fa"/> <cybox:Observable idref="mandiant:observable-a897fe63-2220-4610-8fff-9c2b9e753633"/> <cybox:Observable idref="mandiant:observable-79d95774-eb93-4cb6-8395-59e255966c57"/> <cybox:Observable idref="mandiant:observable-bf0af872-a1d0-4b31-b8e8-76e092dd2ca7"/> <cybox:Observable idref="mandiant:observable-c8f401fa-9e65-48ba-bc69-ed4ae8504c3a"/> <cybox:Observable idref="mandiant:observable-9b4f8d5c-0177-4ce5-9d7b-bd7a1f8a8d78"/> <cybox:Observable idref="mandiant:observable-737eed55-4f2e-4f32-b572-9f55a1b62ef6"/> <cybox:Observable idref="mandiant:observable-8c6ee6bc-06df-4a4c-b7da-2a57dc2b16f6"/> <cybox:Observable idref="mandiant:observable-efd06593-64ae-4d88-b977-3cd5ecbbea32"/> <cybox:Observable idref="mandiant:observable-573c0cf0-0415-4a15-be60-e8748c4d3a9d"/> <cybox:Observable idref="mandiant:observable-28294f17-ac3d-43c6-a2f4-af2242512ab9"/> <cybox:Observable idref="mandiant:observable-8cffa685-5e94-4db6-9f01-e29c91a8ceea"/> <cybox:Observable idref="mandiant:observable-8bdc3c7b-91ca-407f-ba57-cf2f2a947f11"/> <cybox:Observable idref="mandiant:observable-818e26cb-6b0e-405c-ad4c-b01ec519959d"/> <cybox:Observable idref="mandiant:observable-c1f647d8-b328-430a-8abf-922f8c4b949b"/> <cybox:Observable idref="mandiant:observable-9f31630c-cabb-4064-847e-2234ae0d7949"/> <cybox:Observable idref="mandiant:observable-df6ab0ea-8768-4fab-9f72-c43aba2f85e4"/> <cybox:Observable idref="mandiant:observable-9d8448b5-0a94-48d2-b2ca-b7702c943c34"/> <cybox:Observable idref="mandiant:observable-37852a61-6c44-4f93-9796-123a8dbd500f"/> <cybox:Observable idref="mandiant:observable-cf16c3fa-9747-4d0b-9fc4-c9a49d1016f7"/> <cybox:Observable idref="mandiant:observable-0c6a173d-ea35-4f92-9f27-1034939980b9"/> <cybox:Observable idref="mandiant:observable-d3dc32ba-43aa-4bb0-83bf-d67f4e284d2e"/> <cybox:Observable idref="mandiant:observable-b9b71deb-63ec-4fe1-9719-01d68ac49b67"/> <cybox:Observable 
idref="mandiant:observable-01bd0ef0-f08b-455d-a2f5-e5685f497714"/> <cybox:Observable idref="mandiant:observable-e1347131-a9ca-468b-abd1-f70b5be73934"/> <cybox:Observable idref="mandiant:observable-c583ed8b-3f7f-4417-8fe5-e9c8905431b7"/> <cybox:Observable idref="mandiant:observable-16ac7750-b557-46ef-8b71-0659ac8fb744"/> <cybox:Observable idref="mandiant:observable-e555a82f-e64e-4c77-abee-a4e5af8e4420"/> <cybox:Observable idref="mandiant:observable-fe35529d-ef3f-4171-96fb-b89c267c2265"/> <cybox:Observable idref="mandiant:observable-6cc894f0-59eb-4261-a36f-3d8c3503d7f4"/> <cybox:Observable idref="mandiant:observable-5431c2b6-2fc8-467d-833b-130e516cbb72"/> <cybox:Observable idref="mandiant:observable-41c7218a-0cc4-499e-8220-67226ef81c74"/> <cybox:Observable idref="mandiant:observable-2c87b5c8-7ec0-46ab-bd3e-a5a27e90d0a4"/> <cybox:Observable idref="mandiant:observable-9f644994-4ffa-428f-9426-f21a43cb53c1"/> <cybox:Observable idref="mandiant:observable-50ec3594-e369-4340-84b7-d6d6cbf3d309"/> <cybox:Observable idref="mandiant:observable-90b0b02d-dddb-4ecd-9796-fa1a0bbd02e5"/> <cybox:Observable idref="mandiant:observable-d750031d-877d-4903-b572-c981ee8d9236"/> <cybox:Observable idref="mandiant:observable-c848740b-66c8-4d00-acc1-56782827b10b"/> <cybox:Observable idref="mandiant:observable-a067de4a-e6a5-4b5b-bf6d-bc198f959d80"/> <cybox:Observable idref="mandiant:observable-84967cfa-69f0-4254-badc-d46cb79d26c7"/> <cybox:Observable idref="mandiant:observable-45db05bb-bd41-4b2d-bce2-6c2b94b122ef"/> <cybox:Observable idref="mandiant:observable-6bce7a55-8e95-42a7-8326-05a5feb51596"/> <cybox:Observable idref="mandiant:observable-594eb497-0179-4537-a7d4-80aa81a2a325"/> <cybox:Observable idref="mandiant:observable-a1861df1-3590-4223-bf8e-afe46ae48443"/> <cybox:Observable idref="mandiant:observable-2af57e8f-65c6-4232-b493-1fb574b9002d"/> <cybox:Observable idref="mandiant:observable-030de379-8e8b-468d-a583-97eeea361cb0"/> <cybox:Observable 
idref="mandiant:observable-c68e647f-a929-48e6-be04-739add3afd99"/> <cybox:Observable idref="mandiant:observable-f2bd1ae3-9d40-4aed-af3d-78777cef13ce"/> <cybox:Observable idref="mandiant:observable-308efb8e-caa5-4aed-8c45-fc2014e85abd"/> <cybox:Observable idref="mandiant:observable-1cd3ca84-a53e-46d3-84f3-157f7ceb9b51"/> <cybox:Observable idref="mandiant:observable-a8c77ad1-e5a2-4638-9f49-12cf1fe315a5"/> <cybox:Observable idref="mandiant:observable-c0f84e9c-385a-4940-8ba3-b6ce2dca710c"/> <cybox:Observable idref="mandiant:observable-81289d03-211b-4471-b4d3-bad06a7aa5eb"/> <cybox:Observable idref="mandiant:observable-f17f8d35-de32-4874-8452-5050ea2a533c"/> <cybox:Observable idref="mandiant:observable-041f007d-9af7-48ff-8baf-6c2464a1f9e8"/> <cybox:Observable idref="mandiant:observable-3d9f38cd-0bc8-4e9c-b5a8-6cd2a06f1458"/> <cybox:Observable idref="mandiant:observable-c1194515-f997-451d-8930-36beb247ffcb"/> <cybox:Observable idref="mandiant:observable-24e54cce-c4b1-429a-94bb-d72684763026"/> <cybox:Observable idref="mandiant:observable-763a8925-3c15-46da-9d0a-8b0b12004680"/> <cybox:Observable idref="mandiant:observable-d6e4fa65-cc60-4eeb-aabf-0b2d2aa829e2"/> <cybox:Observable idref="mandiant:observable-0c42625e-283f-47a2-9851-bd45f01c5e5b"/> <cybox:Observable idref="mandiant:observable-4f16b9c2-b44e-4d78-aee6-8547d0f32d62"/> <cybox:Observable idref="mandiant:observable-7f97f56f-d574-4fb3-a134-275f2381cb31"/> <cybox:Observable idref="mandiant:observable-a8ea5b89-fc57-41ab-aff9-4a535132cec9"/> <cybox:Observable idref="mandiant:observable-5a9ed4ef-9a0c-4f4c-9cf9-65d33cd59edb"/> <cybox:Observable idref="mandiant:observable-54c44e19-a195-43e7-ad01-e350d387e888"/> <cybox:Observable idref="mandiant:observable-e034777e-1d07-474e-a825-02459fecbbe0"/> <cybox:Observable idref="mandiant:observable-44d5b6fc-75f4-49b0-bf74-c964521cd5c0"/> <cybox:Observable idref="mandiant:observable-ffae0e73-4f45-4062-ba4b-7628f901fa0e"/> <cybox:Observable 
idref="mandiant:observable-84a9a67d-e641-4edf-854f-3ed7bd151946"/> <cybox:Observable idref="mandiant:observable-76a83e3b-2c81-4c68-ba94-bf557a3ba43e"/> <cybox:Observable idref="mandiant:observable-82ebe9c0-4701-40e8-bc59-31f1af3c7042"/> <cybox:Observable idref="mandiant:observable-0383f494-e75e-4b22-8d94-46467712964b"/> <cybox:Observable idref="mandiant:observable-a30394c7-d1bd-4c15-b949-110b6a005d6c"/> <cybox:Observable idref="mandiant:observable-5c1519e1-904c-4367-b316-6776eb3cfb0d"/> <cybox:Observable idref="mandiant:observable-3360f8d9-3215-41ea-8958-d1f0cab55f73"/> <cybox:Observable idref="mandiant:observable-a19db190-8116-4885-a2e7-9fdc2006aee0"/> <cybox:Observable idref="mandiant:observable-69fd5c62-9662-4217-8840-0f0068192e18"/> <cybox:Observable idref="mandiant:observable-daf83b4a-467e-4e4b-8d4d-d1945e90c3e7"/> <cybox:Observable idref="mandiant:observable-c4f006d9-277d-44eb-b4c6-8b8158682695"/> <cybox:Observable idref="mandiant:observable-989b3f80-92c4-441b-9e5f-99888b12cac5"/> <cybox:Observable idref="mandiant:observable-1ca51c49-fa3a-42c6-80f4-b786c0d9e82c"/> <cybox:Observable idref="mandiant:observable-953dd2ea-5a2c-40c3-b70e-ccd4b2126efc"/> <cybox:Observable idref="mandiant:observable-6fcb85fd-f1cf-4b75-b1ec-cee9cff7a792"/> <cybox:Observable idref="mandiant:observable-f185110e-4fbd-4782-98ff-5db97ca802ef"/> <cybox:Observable idref="mandiant:observable-8c90a6f4-c13c-4cf6-a3ae-15c04a960b0d"/> <cybox:Observable idref="mandiant:observable-28cae9e0-e6ae-440d-a833-fce9fed91746"/> <cybox:Observable idref="mandiant:observable-52267a68-5ad0-4132-b3c6-c86a69842df5"/> <cybox:Observable idref="mandiant:observable-1706748c-acbc-4db3-b243-83f705616a57"/> <cybox:Observable idref="mandiant:observable-453c4b44-a1fa-44d5-8655-0bbbea9d8532"/> <cybox:Observable idref="mandiant:observable-1eecde36-9399-4bd6-ba13-b414af30bc08"/> <cybox:Observable idref="mandiant:observable-6fc7ea0c-b56e-4fca-8297-3af38ddf23af"/> <cybox:Observable 
idref="mandiant:observable-25a88fc6-025c-47ce-b1c3-7eb475ed787f"/> <cybox:Observable idref="mandiant:observable-5d38842f-2585-4c0f-a25d-551dc5cc77d8"/> <cybox:Observable idref="mandiant:observable-84b40839-003e-4a6e-ad8e-1df258ea07b2"/> <cybox:Observable idref="mandiant:observable-7ddafb71-345c-4df5-85c3-9cb5087feba4"/> <cybox:Observable idref="mandiant:observable-2c9f0b9d-0042-4c9d-b093-c8c239870fe3"/> <cybox:Observable idref="mandiant:observable-58649176-0ca4-4d1a-9e6a-1236dbc77ac7"/> <cybox:Observable idref="mandiant:observable-76a80ad2-29dd-47cb-b279-1f24cf7027ac"/> <cybox:Observable idref="mandiant:observable-bcfb0f4d-a535-4e09-bc70-3c4cec5c4357"/> <cybox:Observable idref="mandiant:observable-ea217e94-0489-43c2-9460-792cf8fa7969"/> <cybox:Observable idref="mandiant:observable-3c1a10a3-9c3d-4226-bb7e-28a796fac92a"/> <cybox:Observable idref="mandiant:observable-f14f51a2-bdde-4474-9c5d-1e91c4e9c739"/> <cybox:Observable idref="mandiant:observable-85608e62-7b42-47cb-be04-ee818a567f21"/> <cybox:Observable idref="mandiant:observable-c71a44e2-805b-4e1e-b140-6ccfb1ba2752"/> <cybox:Observable idref="mandiant:observable-d08526ca-4936-477f-9670-c8bb4834c802"/> <cybox:Observable idref="mandiant:observable-6eb7f59e-c5aa-4fb0-b713-3ad934970c15"/> <cybox:Observable idref="mandiant:observable-4472370d-a4e0-4d5b-a9b4-7a2226c71656"/> <cybox:Observable idref="mandiant:observable-22d4a359-6d97-4c87-9e86-79d7f2822d6b"/> <cybox:Observable idref="mandiant:observable-9b54acc9-b2d4-42d8-bca6-229f2807d3ac"/> <cybox:Observable idref="mandiant:observable-efc5573e-b345-4491-a476-e5e3df158047"/> <cybox:Observable idref="mandiant:observable-ad80f7dd-1654-4c54-acfd-cf44fdba5874"/> <cybox:Observable idref="mandiant:observable-854fc56a-070c-4eef-b120-8b13b0430a46"/> <cybox:Observable idref="mandiant:observable-6cf40586-66b7-436c-9b78-1de376bda409"/> <cybox:Observable idref="mandiant:observable-7006d4db-b299-4253-89a0-ebd50503f989"/> <cybox:Observable 
idref="mandiant:observable-399b4560-097d-4c5f-9dd4-eb56ccfc4a39"/> <cybox:Observable idref="mandiant:observable-56f85a10-c969-4d69-8eb1-8f6265acf0a4"/> <cybox:Observable idref="mandiant:observable-22d0a76b-ca28-4108-ae4c-ba4c99441cde"/> <cybox:Observable idref="mandiant:observable-3babb67f-61cf-46f8-95be-9e9711bf049c"/> <cybox:Observable idref="mandiant:observable-7586834c-89b6-4b4d-bea8-f424bccd1536"/> <cybox:Observable idref="mandiant:observable-b76299cf-3094-4635-9f63-0f4e438ac6ca"/> <cybox:Observable idref="mandiant:observable-4d639056-7dcb-4e3a-b57e-b12f530b3e35"/> <cybox:Observable idref="mandiant:observable-3678d8ef-ace4-456a-93dd-41bc7b51dc0e"/> <cybox:Observable idref="mandiant:observable-860f4933-1b3b-4017-a594-df1717a16173"/> <cybox:Observable idref="mandiant:observable-6fff1113-d530-4445-a1e4-30108cac885b"/> <cybox:Observable idref="mandiant:observable-4ceb5bc2-bcb9-4d58-af98-c62107b8e52d"/> <cybox:Observable idref="mandiant:observable-8eda7dde-6882-4040-a236-403f857478fa"/> <cybox:Observable idref="mandiant:observable-1fbed0af-8e0d-43c3-8046-634a9b0b7973"/> <cybox:Observable idref="mandiant:observable-505d95fe-dab7-4184-b177-ed684e30f735"/> <cybox:Observable idref="mandiant:observable-703567b4-8492-4881-9ac0-406d820a1c02"/> <cybox:Observable idref="mandiant:observable-b3cfa046-8468-4160-9ec6-fd50a6696fe9"/> <cybox:Observable idref="mandiant:observable-8368e0af-177d-4c10-acf8-1b112707b0ea"/> <cybox:Observable idref="mandiant:observable-e8111648-69af-4631-850d-48a9ed04e830"/> <cybox:Observable idref="mandiant:observable-dbd562e7-1687-4d02-a4aa-18bbd8131073"/> <cybox:Observable idref="mandiant:observable-3ffe2f58-0162-42ca-bbb2-84c96f79a429"/> <cybox:Observable idref="mandiant:observable-57b9e593-0bfb-4a89-b414-75aaa578d698"/> <cybox:Observable idref="mandiant:observable-56140567-5ddf-429e-9ad3-3c41355b9c4a"/> <cybox:Observable idref="mandiant:observable-7a74e6c8-7375-48c0-949f-95572a78be54"/> <cybox:Observable 
idref="mandiant:observable-940b86bf-1668-46f7-830d-4be71196add5"/> <cybox:Observable idref="mandiant:observable-37e017df-49b2-47e1-9825-85bdf573b9ef"/> <cybox:Observable idref="mandiant:observable-7eacea1c-283f-4ce8-9b05-e52a41760159"/> <cybox:Observable idref="mandiant:observable-d52ca222-ddd8-4818-babd-469136767128"/> <cybox:Observable idref="mandiant:observable-2f199249-08c0-4d0c-a48d-92c8f764ad46"/> <cybox:Observable idref="mandiant:observable-ed6711b3-8778-4084-9a2b-931ae5e7babb"/> <cybox:Observable idref="mandiant:observable-17e77965-cbcb-4c7b-97a9-6c361bc294a6"/> <cybox:Observable idref="mandiant:observable-4e0b8b31-0f57-4a23-ae2f-b54a7d04c022"/> <cybox:Observable idref="mandiant:observable-192cc28d-7608-44c0-ab78-ed5b5d718c0f"/> <cybox:Observable idref="mandiant:observable-d600f291-d6b9-417b-be7f-bb65f374094d"/> <cybox:Observable idref="mandiant:observable-fc91876c-c18d-4711-bcef-c828f18c9356"/> <cybox:Observable idref="mandiant:observable-5db34463-cd8e-4783-acb3-92783eaadd23"/> <cybox:Observable idref="mandiant:observable-30508b35-dadd-46fe-9701-f6dbdba2bef8"/> <cybox:Observable idref="mandiant:observable-1428e3b4-01d2-4756-99db-2b33f57e5c50"/> <cybox:Observable idref="mandiant:observable-b96748f1-ef0f-43cf-9811-018493c1f1f8"/> <cybox:Observable idref="mandiant:observable-5eec859d-42d7-4a84-bff1-1d09c8e9835e"/> <cybox:Observable idref="mandiant:observable-6470699e-2fc6-46bb-80a1-dc579302ec36"/> <cybox:Observable idref="mandiant:observable-7ecb7460-915c-4c47-b33b-9e5a22a2784c"/> <cybox:Observable idref="mandiant:observable-b69fe666-d750-4162-ad59-05a575ddb028"/> <cybox:Observable idref="mandiant:observable-a016ff4b-41f8-4fb9-85fe-2f322de4f84f"/> <cybox:Observable idref="mandiant:observable-e4bc1c3d-5031-4dea-a1d8-f6a8180852ab"/> <cybox:Observable idref="mandiant:observable-7a68303d-0c6e-4604-a48d-b74478e26051"/> <cybox:Observable idref="mandiant:observable-1ec89d4c-13f3-4c8d-9c8c-487b9f4434f3"/> <cybox:Observable 
idref="mandiant:observable-ea54de4e-3935-4f99-8a4f-d46cead8a42e"/> <cybox:Observable idref="mandiant:observable-3c7fe9c0-b08c-4921-95d3-8fbdb72e0937"/> <cybox:Observable idref="mandiant:observable-881afe9e-dbe5-4af0-9018-7f6c9ec69ea3"/> <cybox:Observable idref="mandiant:observable-1b7920f1-5aef-4124-ac18-769e855f03aa"/> <cybox:Observable idref="mandiant:observable-938c08b4-480f-4868-bdc9-1073ab0039e3"/> <cybox:Observable idref="mandiant:observable-070ba35f-e9ff-4884-b7a7-b34e53604cc4"/> <cybox:Observable idref="mandiant:observable-09b8919f-7d83-4df5-bec0-c55ef595e5e4"/> <cybox:Observable idref="mandiant:observable-f050d4d3-c778-4ecc-aebd-81df5953a4c2"/> <cybox:Observable idref="mandiant:observable-d88cae4b-1734-4abb-9aa8-5916bfd5ac38"/> <cybox:Observable idref="mandiant:observable-d513f4f2-3f6b-4978-965a-df25d7161a3c"/> <cybox:Observable idref="mandiant:observable-962c1701-32e1-47f2-a67c-6868c743bfac"/> <cybox:Observable idref="mandiant:observable-4eab86a7-135f-473a-ac63-1a38e2059556"/> <cybox:Observable idref="mandiant:observable-51f6df5f-f37b-4e9a-84e8-6de48e817ba0"/> <cybox:Observable idref="mandiant:observable-37d15923-831f-4a70-b8d1-7966f07d31bd"/> <cybox:Observable idref="mandiant:observable-a082d17d-99f9-41d3-95af-7cae719f1cfa"/> <cybox:Observable idref="mandiant:observable-269a67b1-be1e-4564-b556-986b99da15a1"/> <cybox:Observable idref="mandiant:observable-98b74df6-b79f-4516-a532-0eb9b8b26beb"/> <cybox:Observable idref="mandiant:observable-90b7970a-9f9c-4be2-8335-94a1a44fa515"/> <cybox:Observable idref="mandiant:observable-1d5a0302-e8b1-405a-90a0-bebaa78b7fbf"/> <cybox:Observable idref="mandiant:observable-a42f67d5-b2f5-4225-8a67-38bfba70d472"/> <cybox:Observable idref="mandiant:observable-322dcf62-fb83-434a-969c-6a1e83b1e709"/> <cybox:Observable idref="mandiant:observable-2eb66a50-21ee-4861-84dd-1cdc2fc388d0"/> <cybox:Observable idref="mandiant:observable-fdaec485-9c85-49c2-b17e-99cb0b0db111"/> <cybox:Observable 
idref="mandiant:observable-bbec8b8a-26ef-4d80-9eaf-bb1b75526c59"/> <cybox:Observable idref="mandiant:observable-6ec4f425-663e-48e5-92c8-e0b2a30c3c2b"/> <cybox:Observable idref="mandiant:observable-a176e91c-5b42-47d0-ac83-c799a07dad58"/> <cybox:Observable idref="mandiant:observable-a96c8466-c539-480a-9261-e5a6a53e54fa"/> <cybox:Observable idref="mandiant:observable-3ff1c3a8-ec15-4c63-bad7-9a8b710c999f"/> <cybox:Observable idref="mandiant:observable-b293ed0a-4d58-448e-8909-443bf9851bd4"/> <cybox:Observable idref="mandiant:observable-7a376a4f-ba1a-4087-a67a-932e0b067a40"/> <cybox:Observable idref="mandiant:observable-5ee901c4-9dc4-48af-ad16-11bbe10bac4d"/> <cybox:Observable idref="mandiant:observable-3d62bb44-8b90-4f90-8e32-899b4723053e"/> <cybox:Observable idref="mandiant:observable-0b520328-7c5f-4e5d-b126-7e96b673e522"/> <cybox:Observable idref="mandiant:observable-e6c21b58-a913-48b4-91cf-a0c04288c982"/> <cybox:Observable idref="mandiant:observable-8488c736-347a-4368-b17b-941b580ae3b3"/> <cybox:Observable idref="mandiant:observable-179cdf6b-64fd-4788-93ee-b0d6daf8d303"/> <cybox:Observable idref="mandiant:observable-71855453-31f3-493c-91a6-32fc88038fab"/> <cybox:Observable idref="mandiant:observable-f703be9f-71fc-4689-85ee-7b201a4a584d"/> <cybox:Observable idref="mandiant:observable-3d46f96b-eb2b-46d4-a839-c27f88cda084"/> <cybox:Observable idref="mandiant:observable-a549eb6c-10b1-4e86-acaf-3b8fca66e5da"/> <cybox:Observable idref="mandiant:observable-e07c1595-5f31-4f6f-9783-57382acf1aa4"/> <cybox:Observable idref="mandiant:observable-11940b1b-7c1b-494e-a779-dd7e3b4389d1"/> </report:Observables>
<!--
  Report index of indicators. Each report:Indicator below is a reference only:
  it carries an idref and a timestamp and no inline content. In STIX 1.x the
  timestamp paired with an idref selects the specific version of the referenced
  Indicator; every entry here uses the same value, 2015-05-15T09:00:00.000000Z.
  NOTE(review): the indicator definitions are not in this part of the file;
  presumably they sit earlier in the same package. A consumer should confirm
  that each idref resolves to exactly one definition before using this list,
  because a dangling reference is still well-formed XML and would drop that
  indicator from detection coverage without any parse error.
  The file header marks this package as demonstration data produced by a lossy
  OpenIOC to CybOX conversion, so treat the observables as an incomplete
  rendering of the original IOCs.
-->
<report:Indicators> <report:Indicator idref="mandiant:indicator-8d88dd33-1e16-4814-814e-662fb0ac842f" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-d577b671-abca-4318-ad94-27c793544168" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-554448f5-8e09-4c72-9dd9-5e2e1047eb33" 
timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-36437a22-f0d7-4a48-bec4-153e19045f8d" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-dc2eb534-d2c4-421c-89d0-9bc6762009c5" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-2322085d-c557-4278-affc-633be5f36fe5" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-be16e289-114e-4f01-bc85-aa72f03a50dc" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-34a5f05a-f830-4d55-bb09-c1e8745a998d" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-706a8e36-77d0-41bb-81b4-05ca92f4d2d1" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-32ce1273-fc66-4de6-9e1d-fc6c55cdcae9" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-9658ae72-3f2c-4fa9-850b-aa86e8d976d6" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-85b02254-b7a0-4eaa-876d-bec18dd3c55c" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-f799cdd4-57ae-40e9-8ee6-bcacc3f39430" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-c8a6f10c-3540-45a0-a94b-c367374770a7" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-62355460-b3c7-4135-bfc8-c6c351391786" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-8dcc62d5-e91a-4cde-bc28-121d6f25a7d3" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-1922d28b-6257-4f14-9988-00c906c1274f" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-8b34f3bd-8176-4e33-a4ca-6b9970c2be2e" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-034a708a-2bb0-45ad-85c5-7505d90ce2a5" 
timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-edc41062-7e8f-4603-9e62-5f4ec537e9af" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-f96c7900-0cf5-4199-b314-860a1cdc008e" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-71a95442-f246-4c8c-8c4d-d24107401974" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-27d9d4b8-9230-4472-9b5c-f3783982c752" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-9d11a416-43ba-42f4-bdfc-f142f04fec7a" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-2c6d4480-4276-416a-ba13-26c7598fe55c" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-809eca7a-fb86-44eb-b355-403c58e2159a" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-1c200d34-351f-47fa-bf6f-1c596d2779a7" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-b26314f3-956f-4340-bd9a-60f0e4ff210f" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-b934ce84-ff5e-42d9-8c61-bee975f32b02" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-10df11ab-c69e-4f7a-b44b-52b4d3824007" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-f97ec627-8a79-484e-b889-de21ed02a4d4" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-ee797e93-f583-4d6d-9523-11c47d2f1db9" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-d2ed1adc-26c9-48f8-881d-19dea55e0f5a" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-f4e6caa1-f693-41eb-b8e7-1c20fca5c578" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-ef180c46-8d36-46bc-b45c-d88cefa85002" 
timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-fe6cb826-5c1a-42ac-bd7d-d505e9e93e64" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-21bf65fc-6b48-4f89-91bd-cd2e413a4c0b" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-d2acafe2-2f6a-4102-b96c-ba12300e6d7c" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-f668a9bf-4b6a-4f88-a5e0-3177dd01dcc8" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-d8cf6bb8-48fe-4160-ba20-b336dbd74d1b" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-37cdc870-066f-4e90-a295-985372bfb9e6" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-0ce3f149-586a-4e4b-a833-074bfe438557" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-330cf804-e267-42cb-820f-af444f1e9fd8" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-8a57160c-53f6-4782-9c2f-d4b54c3e4201" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-2656e928-dd0f-49a5-b0d6-13c9a854a628" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-3c18ada4-2f65-46e8-b5cc-80b9d47f4e5c" timestamp="2015-05-15T09:00:00.000000Z"/> <report:Indicator idref="mandiant:indicator-0302df0c-a056-48e2-99d2-7bfd23931cb6" timestamp="2015-05-15T09:00:00.000000Z"/> </report:Indicators> </stix:Report> </stix:Reports> </stix:STIX_Package>